In our first post on the seven steps to building a GRC-based risk management framework for information, we talked about step 1: identifying information that is important enough to warrant protection. Once you've identified information important enough to be protected, within its business context, you can move on to determining whether you actually have any of the information, where it lives in your organization and among your third parties, and just how much of it there is in each place it resides.
You may wonder what exactly the difference is between identifying information to be protected and identifying whether you have it, where and in what amounts. Wouldn't it be more efficient to just do all of that at once? Actually, the effort it takes is necessary to reaching the overriding goal of protecting important information, because before you can identify the information you need to protect in your organization, you have to know what you're looking for. Only after you've defined what you're looking for, in the first step, can you establish whether your organization has any of that information, where it's processed and stored, and how much there is-so you can appropriately direct your efforts at protecting the information to manage risk.
Another reason you need to methodically identify the type of information and then its location and amount is that it's entirely possible that establishing the precise location of the information will be the only way to ensure you've identified all of it. You also need to consider that at a later point in the methodology you're going to be assessing and evaluating the risk associated with this information, as well as the treatments that can be applied to help manage the risk. You can't do any of that effectively unless you have a clear understanding of how the information is currently being handled.
RSA has published an in-depth paper on the methodology for building a GRC-based risk management framework for information; in it, we provide detailed practical guidance for identifying, locating and quantifying the information you need to protect. After all, it's one thing to tell you that you have to find the information; it's another to show you how to do that-and that's what the paper does at length. It describes:
- Identifying and documenting the business processes that involve handling important information
- Documenting how IT supports those business processes
- Documenting the third party relationships that support the processes
Understanding the business processes surrounding the use of information, including the relationships that develop around those processes, is essential to understanding business context, which-as we touched on in the first post in this series-is what tells us which information is most important to the organization and therefore most in need of protection. Download the paper to learn more about this important step in creating a GRC-based framework for managing information-related risk in your organization.