
The seven laws of information risk management

A checklist to help organisations mitigate the risks associated with security breaches.

IPLocks has published what it is terming the ‘seven laws of information risk management’. These provide a common sense checklist to help organisations achieve compliance and mitigate risks, while better connecting people, processes and technology.

The seven laws can be summed up as:

1. Your partners and employees will steal from you

As globalisation and interconnectedness increase without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst case, they can steal confidential data and sell it.

2. Bust up policy barriers

Security, auditing, regulatory affairs and privacy impact the entire organisation and should not be kept in departmental silos. People, process and technology must be integrated.

3. It's all about privacy

Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the United States and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness of such laws is that they cannot protect your brand, sensitive data, business continuity or financial position against a breach.

4. Don't stop working

Effective information risk management should not radically alter work or its flow. Examples are rife of organisations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits.

5. Don't spend foolishly

You must match the level of information risk management investment directly to the level of risk. For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology.

6. Be afraid - it will happen to you

Expect the unexpected by assigning responsibilities before a privacy breach occurs. The idea that information theft only happens to the "other guy" is a myth: the chance is greater than 50 percent that it has already happened at your organisation. Ernst & Young recently reported that 70 percent of all security breaches that involve losses of more than $100,000 are perpetrated internally.

7. No silver bullet

There is no single technology that will solve security problems or provide regulatory compliance. Information risk management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used - not just an initial risk assessment.

For more detail on the seven laws and tips on how to implement comprehensive information risk management visit www.iplocks.com/7laws.php

Date: 26th May 2005 • Region: World • Type: Article • Topic: ISM