Estimated Reading Time: 6 Minutes
This is the third part of our content series to assist Financial Services and companies regulated by the Central Bank in Managing Technology Risk and Governance.
In our previous parts of this series we covered:
Subscribe to this series to receive this content on your inbox.
It should all get somewhat more manageable now. Better still, you can start to leverage that hard work into a solid action plan.
We have to ask you now to restrain yourself from jumping in to solve problems before you have the complete picture. One word of advice – stop fixing things before you have the whole picture as defined by your risk register. If you are under board or time pressure to get results or see action, hold firm, or feel free to contact us to see if we can assist.
The key result from establishing a full Risk Register is that your core and most critical risks rise to the top for all to see. Your plan is now to define how to handle these risks.
Firstly you need to understand your inherent risk and to assess the consequences and likelihood of failure. If the inherent risk is high, with damaging effects, you need to treat that risk by applying a control and reducing it to a tolerable level. However, that is not your only option.
Let’s take a look at all the options open to you as the Risk manager with some examples that will hopefully allow you to understand how to manage your risks.
A control gives you the ability to change the inherent risk outcome. For example, you may decide that you cannot afford to lose any more than 1 hour of data from your core business system (ERP) as recovering that would be an operational nightmare.
You can apply a control such as a more frequent backup of the system – say to 15 minute windows. In this case, the control already existed and just needed to be altered to address the risk of data loss.
For the sake of comprehensiveness, three types of security controls will assist in mitigating risk:
It is the combination of all three types of controls that provide robust security. In our example above we have a Disaster Recovery Plan (management control), that is managed by your internal or external IT resource (operational control), and backup and recovery software/ hardware systems deliver the ability to recover (technical controls).
A common problem with control adoption is that they often make systems less simple to use. When usability is an issue, many users will attempt to circumvent security controls; for example, if passwords must be long and complex, users may scribble them down.
Balancing security, functionality, and usability is often a challenge. The goal should be to strike a proper balance: provide a reasonably secure solution while offering the functionality and usability that users require.
Risk transfer is a risk management strategy that involves the shifting of an identified risk from one party to another. The simplest example, of course, is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer.
In terms of IT Risk, there are new Cyber liability policies that provide first party cover as well as a host of additional benefits (legal, HR, PR advice) that allow an organisation to offset operational and reputational risks.
There is always the option to cease a risky activity altogether. It is not uncommon to accept the status quo of how things have always been done even when those activities expose you to risk.
With the arrival of GDPR, we have advised many clients on how they share information both within and outside of their organisations. It has meant that they now have entirely ceased the sending of personal data through unsecured means. They have sought different ways of moving that data or changed processes to suit the security requirement.
Risk acceptance means accepting the identified risk and not taking any other action to reduce it because you can admit the potential consequences. For example, you may decide to accept a risk because the cost of eliminating it ultimately is too high. If you choose to take a risk it is a good policy to qualify and support that opinion.
An Auditor may not see this the same way that you do so it is essential to be able to stand over your reasoning.
Although Risk Registers are unwieldy, they do provide the beginnings of a system and discipline around the assessment and ownership of your IT risks. This allows you to calendarize and set an agenda for review in place. Auditors are invested in seeking out evidence that you are doing the right thing.
They want the evidence from logs and activities, from how you manage your approach to IT Risk. Moreover, they are looking for accountability – someone has to own the risks.
Every company can adopt different ways of addressing IT Risk. For example, some qualitative and others quantitative. In our practice, we use an ISO 27001 approach, and there are several sites where you can download an Excel formatted risk register. We have discussed this on the previous step of our series, so feel free to visit our article, web class and sample risk register below if you haven’t seen them yet:
A Scorecard is an excellent way of measuring your progress and assessing the main topics that need to be developed in every year or quarter. We have been using scorecards with our customers for many years now, and their indications always bring about much more clarity to reports and the overall action plan.
If you have been following our series since the beginning, you will know how and why we choose to use the NIST Framework and score system. If you are not sure how that works, you can subscribe to our Series to receive the previous content or watch the web class here.
As you address your risks and improve your cyber security maturity levels you will be able to update your scores on your NIST profiles under the 5 key functional areas of Identify, Protect, Detect, Respond and Recover. Make sure to keep this up to date and celebrate your progress.
In the following chart, you can see the starting, current working – i.e. as it is today or at last review – and target Cyber Security profiles, based on the 5 functional areas of the NIST Cyber Security framework. It gives a simple view of how you are progressing your Cyber Security maturity levels.
These tools and knowledge should help you define a clear path to begin addressing your risk. Not only that, but you will be able to prioritise actions and understand where are your business is improving and where it still needs to improve.
The next part of the series that we will discuss is about Evidence Gathering – which means maintaining data that proves you are being compliant and improving your practices. It is a process that will make your lives much more comfortable during an audit.
Subscribe to our series and receive all of the Steps and resources straight to your inbox. They consist of key contents, tools, and how-to guides tailored to support Risk Managers and Financial Services organisations regulated by the Central Bank of Ireland. The full series will address:
As always, talk to us if you need specialised assistance or if you have any queries or feedback about this content series. A reliable IT and Risk Management system will deliver your Action Plan the attention it deserves.