With this post, we take the last step on the journey to a GRC framework for information risk management. To date, we've gone through the first six steps of RSA's seven-step methodology for creating the framework:
- Identify Information
- Locate Data
- Assess Risk
- Evaluate Risk Treatments
- Residual Risk
- Enterprise Risks & Controls
The framework represents a practical approach based on GRC principles, and you'll find the complete details in a comprehensive white paper on the subject. Our purpose has been to introduce you to some of the thinking and concepts behind the methodology.
This last step in the process involves providing visibility into and reporting on risk. Remember, in creating the framework, you're examining business processes and outcomes that can introduce risk to the organization. For business leaders to make informed decisions to manage that risk, they need easily visualized, timely information about it.
As you think about providing visibility into risk as part of creating the framework it helps to remember that effective risk management is not a "one and done" activity. Once the framework is complete, visibility means monitoring your risk profile on an ongoing basis to determine whether risk is increasing relative to your organization's risk appetite and tolerance—and, if it is, to look at what steps you need to take to keep it to acceptable levels.
There are many different factors that can come into play that could increase risk. Most commonly, the volume or criticality of important information increases, or risk treatments become ineffective. But risk also often grows because of changes in technology or business processes, the introduction of new products and services, and the expansion of your ecosystem through third-party relationships.
To effectively manage your changing risk profile, you must have visibility across your information security program, so that you know as early as possible that things are changing. In the case of new and changing processes, products and services, you need to be able to evaluate the information risk associated with changes before those changes go live. Achieving this requires visibility that will enable you to answer these questions:
- Is the organization's inherent risk, overall and by IT asset, changing?
- Are all technical and organizational controls operating as designed?
- Are new or changing third-party relationships being negotiated that involve the handling of important information?
- Are new or changing businesses processes being proposed that involve the handling of important information (or that may affect the existing handling and control of important information)?
- Is technology changing such that it requires different risk treatments?
- Are the risk treatments in place today consistent with the changing threat-sources to information security, or do they need to be upgraded to align with best practices?
For information risk management professionals, visibility means you have to be plugged into this information on an ongoing basis. Yes, that creates another demand on your limited resources. But it moves your organization from reactive information-security management to proactive, business-driven security management. That puts you in a much better position to articulate information risk in business terms and address changes before they harm your organization.
Lastly, while visibility and monitoring comprise the final step in the seven steps to applying GRC to information risk management, it's not the end. Risk management programs are iterative; when you get to the monitoring phase, it's generally time to start all over again. Many of you work for organizations with heightened regulatory obligations around information security. It is a best practice, and often a regulatory obligation, to periodically reassess your organization's information security risk. The good news is that once you have gone through these seven steps, your organization should be able to refresh their assessment more quickly and efficiently.
If you haven't done so already, I hope you'll download our white paper on creating a GRC-based framework for managing information risk. RSA also offers a summary version for a quick look at the process, as well as an eBook that takes you through the steps. Finally, you can learn more about how a GRC framework for managing information risk can help you align security and business priorities in an exclusive RSA webinar.