Securing the Digital World

7 Steps to a GRC Risk Management Framework - 1: Identify Information

Jul 31, 2017 | by Marshall Toburen |

Managing information risk can be a paralyzing challenge, given the amount of data and information that comes pouring in daily. It's hard to know what information needs to be protected, let alone the most effective way to do it. RSA has developed a practical seven-step methodology for building a risk management framework for information. Derived from RSA's Business-Driven Security approach, the methodology enables you to uncover the business context for information risk and to apply proven GRC principles for evaluating and controlling risk. We're confident you'll find this framework invaluable in helping you master what can otherwise seem an overwhelming task. In this post, we'll talk about step one: identifying information that needs to be protected.

But wait: shouldn't all information be protected? Actually, there's so much information coming into organizations today that protecting all of it isn't really possible, given limited human and capital resources. Moreover, not all of the information that does need protection should be protected to the same degree; in fact, in some cases it's possible to overprotect information to the point that it costs more to protect than it's worth. Your first challenge is to determine what information is important enough to protect, i.e., what information could pose a risk to the organization if it were lost or stolen, became unavailable, or was otherwise compromised.

So how do you know what to focus on as you try to identify information that's important enough to protect? That's where the concept of business context enters the equation. If you evaluate information to be protected in the context of what's critical to the business, you can use that business context as a means of identifying potentially important information you'll want to protect. Generally speaking, you want to make decisions about protecting information based on:

  • Business strategies and objectives
  • Products and services being delivered
  • Policies and procedures
  • Legal and regulatory obligations

For example, is the information something a competitor could use to gain an advantage in the marketplace, such as strategic planning information, source code or product designs? Is it information related to areas that fall under laws or regulations governing how information is to be handled, like HIPAA, GLBA or GDPR, which specifically mandate what types of information have to be protected? Is it information that you must protect as a result of contractual commitments you have made with customers and third parties?

Evaluating whether information needs to be protected also involves considering policies and procedures already in place that relate to how the organization handles information. Looking at where those policies and procedures intersect with the organization's strategies, objectives, products and services will help you determine what information is important to protect.

RSA has published an in-depth paper on the methodology for building a GRC-based risk management framework for information, and it explains in detail what you need to consider and do in order to define what information is important and needs protection. The paper describes the process of analyzing business context based on how information relates to strategies and objectives, how it's affected by policies and regulatory obligations, and how it fits into the overall organizational structure. It also delves into specific relevant questions to consider during this critical first step of identifying important information. Download the paper to learn more about this and the other steps in creating such a framework in your organization.