Our Blog

Mobile Devices and Information Security Risk Management

Mobile devices such as smartphones and tablets have found their way into everyday task for professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with having said connectability, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.

The ISO 27001 information security standard recommends the development of a formal policy that introduce appropriate security measure to protect against threats related to mobile devices. The Standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.

The Seven Habits of Highly Effective Risk Managers

It is a given that a risk manager must be analytical, precise, cautious and results driven. Risk managers are often seen as the gatekeepers to decisions and often associated with the word "No." We challenge this perception and suggest

Enterprise Risk Management: It is present in your organization, why not formalize it?

Organizations manage risk by nature, whether it is through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision making processes and how they naturally follow the principles of ERM. The article suggests that in order to protect stakeholders, formalized ERM process should be put in place.

Black Swans Cost and Prediction

It serves an organization better to focus on the results and consequences of a back swan and develop a business continuity and recovery plan (BCP), as opposed to attempting to predict its occurrence.

ISO 27001 – Information Security Management System

The ISO 27001 standard includes multiple controls and control objectives aimed at ensuring the security of information in regards to the confidentiality, integrity, and availability of data.

Creating Custom Evaluation Templates in RM Studio

One of the value adding features of RM Studio is the ability to create your own custom Evaluation Templates. RM Studio comes equipped with two Evaluation Templates that are developed based on ISO 27001 methodology.

The Evaluation Template is used to qualitatively evaluate threats and assets in RM Studio. The Evaluation Templates within RM Studio can be tailored to each user's unique needs. The default value settings for each factor are: Low (1), Medium (2), High (3), Very High (4), and Immense (5). These factors were developed to comply with the ISO/IEC 27001 standard.

Assessing and Establishing Your Risk Management Policy

Whether you are in the early stages and developing your organization's risk management policy, or you are assessing the performance of your current risk management policy, it is a prudent practice to evaluate the administration of your risk management policy. This article reviews the key success factors to administrating an effective and efficient risk management policy.

Risk Management Takes a Top Down, Bottom Up Approach

Hands down, the most critical aspect of a successful risk management policy is senior management commitment to the program. Just behind this in a close second place, is commitment from the organizations employees. To have a successful risk management policy, a top down, bottom up approach is required.

When this approach is put in place, you will recognize the following characteristics or key success factors within your risk management policy.

Risk Management: Back to the Basics, Part 3

 

Gap Analysis and Risk Treatment

Introduction

Now that you have completed the risk analysis, the next steps are performing a gap analysis and the risk treatment process. This article provides a simplified framework for completing these steps.

Gap Analysis

A gap analysis is the evaluation process of the status of mitigating controls. The purpose of a gap analysis is to gain an understanding of the management system in question in regards to the risk management process. Further, it provides you with an overview of where the management system will be in the future. That is to say, the gap analysis shows you where you are in relationship to where you would like to be. A gap analysis is often used in the audit process, both internally and externally, as the gap analysis provides a bird's eye view of the control implementation and risk management process status.

Risk Management: Back to the Basics, Part 2

Part 2: Risk  Criteria and Risk Assessment

Introduction:

After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. The following article provides simplified guidelines for the risk assessment process.

Definitions

Risk Criteria: Risk criteria can be defined as the point of reference which the implication of a risk is evaluated.

Risk Assessment: Risk Assessment is the overall process of risk identification, analysis and evaluation.

Risk Criteria

The first step in the risk assessment process is to determine the evaluation criteria for assets and threats. The evaluation criteria can be based on legal and regulatory requirements, the risk management policy set forth by your organization, as well as international standards. Risk criteria should be reviewed continuously to ensure its alignment with the aforementioned factors. As organizational objectives, regulatory requirements, or international standards change, so should risk criteria.

Risk Management: Back to the Basics

Part 1: Why Risk Management and Where to Start

Introduction: Why Risk Management?

Organizations, whether a SME or multi-national corporation face internal and external factors that make reaching their business objectives uncertain at best. This effect of uncertainty on objectives is widely defined as risk. Organizations face risk in all activities and therefore should establish a systematic approach to properly managing risk effectively. Risk management should be approached in a similar manner as any other business process. Your organization has defined it sales process for success, why not define a risk management process with the same goal in mind? Organizations can only succeed and grow through effective and successful risk taking. This article covers the basics of risk management and how to approach the process in a systematic manner.

Risk Management and Social Engineering

As risk manager you have setup a system that protects your data from outside attackers and you have secured your premises with all the latest advancements. However, there is a threat that can break through all the fences, social engineering.

We covered this topic in a previous post regarding physical security. In our example, a gentleman dressed as a technician was able to penetrate a bank and install a device to steal data. How was he able to do this? He utilized social engineering.

Social engineering in the context of security, is “art” of manipulating people into executing actions or disclosing confidential information. Social engineers will use tactics that tap into the human psyche and emotions of the victim. Using tactics as simple as posing as a co-worker who forgot their access badge or sending malicious links via Facebook to gain access to buildings or data.

Risk Management and Human Resources: After Employment

Similar to the “during employment” phase, risk managers should collaborate with the human resource department after an employee is terminated or changes employment. Of the three phases of risk management and human resource collaboration, the after employment phase is the most logical.

It is important that you address the risk associated with terminating an employee. This process can introduce threats to the organization on multiple levels, including information security, physical security, as well as reputation, to name a few. When employees leave your organization, or transfer to a new department, it is important to ensure the exit process is handled in a systematic manner. The human resource department should work with the risk management team to develop processes that ensure the return of all assets and equipment, as well as the removal of access rights.

Reputation Risk Management: An Introduction

An organization’s reputation can be viewed as a driving force for success, a driving force which is complex and difficult to define. Without a positive reputation, potential customers and clients are wary to invest in or do business with a company in which they are uncertain in the quality of products and/or services provided by the company. A reputation for sound business and quality services is a necessity for doing business; it is the key that unlocks the door to opportunities for growth. Without this key, businesses become stagnant and never reach the high performing level. While it may be difficult to state precisely what it is, reputation is recognized as one of the cornerstones of a successful business.

“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that you will do things differently.” – Warren Buffett

Risk Management and Reputation

The Bird-Man: What he can teach us about Risk Management and Human Resources

Risk management, as it relates to human resources, can be broken down into three phases: prior to employment, during employment, and after employment. In this article we take a look at the relationship of the human resources department's hiring process and the potential risks involved for risk managers. 

On March 20, 2012 Jarno Smeets, a.k.a. The Bird-Man, posted a video of himself flying with a winged contraption. This accomplishment (soon after Smeets admitted this is a hoax and 'online storytelling' ) in and of itself was an amazing feet and a brilliant piece of cinematography, but we are here to talk about risk management.

The Relationship Between Risk Management and Business Continuity Management

We often see discussions about and hear of clients segregating risk management and business continuity into two separate silos. When we have worked with organizations who have a risk manager (or similar job title) and a business continuity manager, we are surprised how often the two do not work together.·This is usually a good starting point when assisting clients and users of our solutions as a means of simplifying the risk management and business continuity management process.

Nourishing the interconnectedness of the two managers’ roles allows for the development of effective and efficient risk management and business continuity management programs. We see this as a vital relationship as we come from the school of thought that effective business continuity proficiency is found through adequately managing risks. On the flip side of this statement, we feel that risk cannot be effectively managed without a proper business continuity plan and strategy for recovery in place.

How many business continuity and recovery plans should you have?

A vital part of business continuity management is the recovery plan. One question we often get when discussing the development of business continuity and recovery plans, is whether to have multiple plans or to try and produce one plan that caters to all situations. To this question, as with almost all questions regarding risk management, it depends on the organization and the internal risk management culture.

The great minds at the Massachusetts Institute of Technology have developed a single plan. The Business Continuity and Recovery Plan presented by MIT focuses on the recovery in the event of a disaster. The plan covers the details and processes for the path to recovery. In the opinion of the security experts at MIT, this single plan is enough.

How much do you spend on testing vulnerabilities?

Testing vulnerabilities in your ISMS is a vital practice to ensure your system is adequate to protect your information. Every week we hear about security breaches worldwide and the increased exposure of the IT vulnerabilities we all face. We now pose the following questions.

  • How much of your annual security budget is allocated for vulnerability testing?
  • Do you have enough of the budget for properly testing vulnerabilities?

For Google, that amount was $1 million over just a few days in 2012 (for more details on this story click here).

Physical Security and Its Role in Information Security Management Systems

Our team is always on the lookout for new topics and concerns within the realm of information security. One of our team members recently came across an interesting article The Little White Box That Can Hack Your Network on www.wired.com. The article discusses a recent penetration test at multiple branches of a bank using a small computer called a Pwn Plug that simply plugs into a power outlet and the network. Once deployed the Pwn Plug releases its hacking tools. Dressed as a technician, Jayson Street was able to successfully penetrate four banks without a single issue.

This article brings attention to the point of what information security is holistically, and its ever changing nature. To many people, information security brings up images of hackers in a dark room surrounded by monitors and energy drinks, sending spam emails or attempting to hack into government networks. However, information security has a far reaching perimeter in that information security deals with everything from strong passwords, to the physical security of a building.

Information Security and the Gaming Industry

With the recent increase in attacks against game developers, information security is making its way into the headlines more than ever. A quick Google search on the topic brings up a plethora blogs about these incidents. The blogs which caught our attention were those questioning the compliance of the game developers to international standards that specifically protect consumer information.

Two key standards that find their way into the “blogversation” are the ISO 27001 and PCI-DSS. ISO 27001 is a management standard that focuses on information security. ISO 27001 defines conditions for the formation, implementation, monitoring and appraisal, maintenance and enhancement of a management system for managing an organization’s information security risk (read more about ISO 27001 Certification and RM Studio).  While the Payment Card Industry Data Security Standard (PCI DSS) is an information standard defined by the Payment Card Industry Security Standards Council for organizations that possess and process cardholder information for major credit, prepaid, debit, ATM, POS and e-purse cards. PCI DSS was developed in order to implement controls around cardholder information to reduce fraud as a result of disclosure of the information.

pic_2

Mitigating Controls for Risk Management

Mitigating controls are the key to reducing threats to assets, in regards to risk management. These mitigating controls can be found within standards, such as ISO/IEC 27001, and suggest measures to take in order to reduce risk to an organization’s assets. In this blog post we will be covering threats, assets and mitigating controls as well as the connections between those three in RM Studio.

It is important to understand what each item is in regards to risk management. We have defined Assets, Threats, and Mitigating Controls below:

Assets: Assets are any tangible or intangible economic resources which can be owned or used to produce value.

Threats: A threat is an act, which may be man-made, accidental or an act of nature, which can cause potential harm.

Mitigating Controls: Mitigating controls are put in place to reduce either the probability or consequences of a threat.

TomTom Development Germany has signed an agreement to use RM Studio

TomTom Business Solutions is the division of TomTom NV dedicated to commercial vehicle fleets, founded in 2005 when they introduced an out-of-the-box fleet management solution. Today, they […]

Customizable Features and Functions within RM Studio

RM Studio is risk management software used by all types of organizations on a global scale. While RM Studio is an ideal solution for users looking to obtain ISO 27001, ISO 14001 and/or ISO 9001 certification, specifically for completing the required risk assessment, gap analysis, developing a risk treatment plan, and completing reports such as the Statement of Applicability, RM Studio’s functionalities go far beyond these standards.

RM Studio is an industry leading solution for risk assessments of all types; thanks to the customizations user can implement and deploy. These customization functions are simple to use and allow for users to address unique needs and ever-changing market demands. Areas you can customize include:

TNT and BÜROTEX Synargos have signed agreements with Stiki to use RM Studio

TNT N.V., more commonly known as TNT, is an international delivery services company with headquarters in Hoofddorp, Netherlands. In the Netherlands, TNT operates the national postal service under the name TNT Post. The group also offers postal services in eight other European countries, including the UK, Germany, Italy and Belgium. TNT's mail division recorded sales of about €4.2 billion in 2009.

BÜROTEX Synargos is an IT service provider that offers professional and efficient service in the area of data center hosting, housing, document management solutions and high information security areas. BÜROTEX focuses its activities on reducing costs and increasing the competitiveness of clients through the consistent use of both innovation and modern information technologies.

Spreadsheet Program Manual Risk Management: Masked Nemesis of Risk Management

The benefits of using risk management software as opposed to Spreadsheet Programs

*Updated January, 2014*

Who doesn’t love using Spreadsheet Programs? What else would you use to create and plan your family budget, create and analyze production statistics, and manage organizational risks? Wait, what was that? Risk management using spreadsheets? Some of you may be scratching your head pondering if that is an inexpensive, viable business solution to risk management, while others of you are convincing yourself that it does work and you are preventing risk with the best tool available to you.

RM Studio: A tool for threat identification and analysis

We talk a lot about the risk management processes and utilizing RM Studio for a holistic approach to your risk management and business continuity management needs throughout our website. For this post we felt it would be useful to provide an example of how RM Studio can assist in more specific ways and as a tool with other uses in regards to risk assessment.

How much time does it take to get ISO Certified?

One of the overarching questions regarding the various ISO certifications is the timeline involved . The answer to this question is one that is not always easy to swallow, both for security managers and top management. The time, money and effort that are required can vary based on the organization seeking certification.

Note: For the benefits on ISO 27001 Certification, see our post on the Benefits of ISO 27001 Certification.

Benefits of ISO 27001 Certification

While some organizations are required to comply with ISO 27001 standards and must implement them, other organizations make the choice internally to implement ISO 27001 standards. These organizations sometimes struggle with weighing the benefits against the perceived burdens of investing in the certification. Though certification does take effort, implementing ISO 27001 standards should not be viewed as a burden; rather as opportunity for improvement and continuous strive towards operational excellence, as well as a business decision that results in a positive return on investment.

Risk Management Studio Ideology

RM Studio lets you deploy an integrated risk management framework from one centralized system that provides accurate outputs for higher quality business decision making.

Cultivating a Risk Aware Culture

A security manager’s toughest task is to help build a culture of awareness in regards to the risks threatening the organization. The term risk-aware culture is commonly discussed in organizations working to establish an information security management system. The International Standards for the ISO 31000 framework are very clear on the expectations of an organization‘s risk-aware culture and in order to pass the certification process for ISO 27001, the organization must establish a visible environment and culture that cultivates risk awareness.

What is a risk-aware culture?

BYOD – Advantage of Smart Organizations

Everybody‘s doing it these days, that is Bring Your Own Device to work (BYOD). The vast majority of business professionals working today have some type of smart phone, tablet, or laptop; many of us have and use all three on a daily basis.

Is this a question of if employers want to allow employees to use personal devices for work tasks or if employees are demanding the option based on convenience and personal preference?

RM Studio Version 4.5 Released

We have released RM Studio version 4.5 today that includes several great additions and a few necessary subtractions. Our latest updates include: A brand new Control Maturity […]

Cyber Security Risk Management

Everyone in the organization is responsible for intelligent decision making regarding information security requires a high quality security culture to be established and everyone contributing regularly.

Cloud Computing: Thunderstorms and Rainbows

Cloud computing and data storage technologies have increased in popularity over the past few years. This is due mainly to small- and medium-sized businesses 'flying into the cloud' solutions to improve business capabilities and backup critical data. The explosion of the web-based applications for mobile devices has also impacted the dramatic expansion of cloud computing vendors in the market. The belief that 'the cloud' is a safer and a more secure business solution, when compared to traditional storage devices, such as in-house servers or simple external HDDs, benefits the data solution centers as well. The cloud computing industry is expecting an even larger demand for its services from the data being created by the increasing quality of our video and image capture technologies, as well as the need to share our lives around the world.

Preventing Intellectual Property Theft Through Risk Management

We have seen it the movies, read about it in best selling novels, and heard about it in the news. The employee steals company data and uses it for unintended purposes, sometimes for good, sometimes for evil. From the movie Office Space, where a change in management brings a reduction of labor, which inspires three co-workers to upload a virus into the companies database. The purpose of the virus is to steal tiny fractions of cents left over from complex interest percentage calculations and send them to an anonymous bank account. To the idea of the movie Paycheck, where the main character is a reverse engineer specialist, who is hired by companies to steal a competitor‘s latest tech designs to copy and make a competing product.

VoIP: A New Era in Threats, Part 3

Countermeasures and Penetration Testing

In our previous two posts on this topic we discussed the threats to using VoIP. The following post discusses ways you can mitigating these threats.

If VoIP is to successfully replace PSTN some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99,999% availability for VoIP, since IP based systems are exposed to larger threat pool than public switched ones, but there are actions available that can significantly reduce phishing and spoofing threats involved with VoIP. 

VoIP: A New Era in Threats, Part 1

Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is an inexperienced platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.

Are you exposed to these threats?

The broad spectrum of information security

In this rapidly changing world, well-organized, precisely documented and secure information systems are vital for any successful operation. It is equally important to work within strictly defined frameworks while retaining the flexibility to deliver the level of security required by your organization.

Organizations can improve efficiency and strengthen their reputation by focusing on information security and quality management.

Information security – management standards in a professional business environment

Demand for information security has increased in both the private and the public sector. The Financial Supervisory Authorities in various countries have recommended their fellow organizations to ensure information security in their sectors. The law regarding the protection of privacy (The Date Protection Authority) requires the persons who hold personal information to ensure their security appropriately.

Standards for information security management 

ISO has in recent years issued several safety standards in the series ISO / IEC 2700x. These are all standards of management information and specific aspects such as risk assessment. The standards deal with the best practice of information security management and the certification standard ISO / IEC 27001 is the specification for information security management systems.

Doomsday Preppers, Risk Management and Business Continuity?

Recently, I stumbled upon the show Doomsday Preppers. The show highlights three or four groups of people who are preparing for a separate catastrophic event that will change the world as we know it. Though the event they are preparing for differs, the approach to planning their survival is often the same. As I watched, I started thinking "These folks have the concept of risk management and continuity figured out." This article focuses on the concepts of risk management and continuity planning and what doomsday preppers can teach us about these concepts.

Risk Lessons from an Entrepreneur

Having written about risk for 12 years and having run my own business for a few decades, I've seen the same risk sins committed time and again by business owners. Some I've committed. Others I've watched play out from the sidelines.

If I've learned anything from owning my own business, it's how rampant risks are and how devastating they can be if ignored indefinitely. Many of my colleagues avoid buying even the most basic business insurance policy, but the greater risks lie well beyond what's spelled out in the coverage details.

Here are some of the more common oversights that threaten small businesses:

Audit Trail: A Common Mistake

Often times, our clients we assist with establishing an ISMS are surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in the preparation of an audit and a solution on how to ensure all your hard work is organized for an audit.

What is an Audit Trail?

Riphah International University receives grant from RM Studio

Riphah International University has been awarded a grant valued at $42,000 annually to utilize RM Studio with an objective of expanding the global awareness of Information Security and Risk Management and build the capacity of Riphah to impart quality education of international standards. Through the partnership RM Studio will be integrated in the undergraduate and postgraduate curricula of the university to supplement theoretical learning with hands-on practical skills. (The International News: Riphah signs MoU with Stiki)

Cloud Computing and Security Concerns

Modern computing is increasingly becoming a shared resource. In the past, if an individual required access to an application, he or she would have to personally have it installed on the user's computer. Today, with the help of cloud computing, applications can be shared and accessed by various users from all around the world without requiring individual set-up.

Cloud computing is commonly defined as, "the provision of dynamically scalable and often virtualized resources as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers."

This post examines cloud computing and the security concerns that arise through its use. We address potential security concerns and provide you with the questions you should be asking cloud service providers.

Information Security Risk Management

The Information Security Risk Management Process with RM Studio

The RM Studio: Assessment and Treatment Module guides you through the Risk Assessment, Gap Analysis, and Risk Treatment process for your organization as described in ISO 27001.

Establishing the Risk Management Context
Prior to starting the risk management steps, RM Studio guides you through the Business Entity, Asset, and Threat Identification process. RM Studio comes equipped with a Threat Library of nearly 150 unique Threats specific to information security risk management. Further, RM Studio automatically links Assets, Threats, and ISO 27001 Mitigating Controls through RM Studio's Category feature. This feature removes the guesswork and saves you time in the risk management process.

Physical Security: Closing the gap at minimal cost

Physical security has been on our minds recently here at RM Studio. We have found that there is often disconnect between information security and the role physical security plays. In assisting our clients we have found that there are times when clients want to close physical security gaps by adding large cost to the organization. This post focuses on finding the gaps in physical security and addressing them at minimal cost while still protecting and securing information.

The Risk of the Unhappy Employee

For whatever reason, there is generally someone who is not happy with their current job, their place of employment, or job title. When unhappy with their current employment situation, risks are introduced to the organization form this unsatisfied employee. It is important that risk managers and organizational leaders recognize these threats, and similar to all threats implement, mitigating controls and objectives to prevent the risk from becoming actual threats. This post examines example risks that are raised and suggest ways to prevent the unhappy employee from damaging an organization.

Risk Management and Groupthink

When managing risk, we must consider all risk from all sources. A majority of the time identifying risk is trusted to a few individuals, although determining which risks are the highest priority is done in a collaborative environment, with managers, teams and groups of colleagues discussing the issues at hand. In this setting, it is important that the risk manager (the one whose job depends on the risk management results) recognizes and prevents any instances of groupthink.

Groupthink occurs when groups make decisions, and are willing (or unknown to the group) to take more risk than an individual would themselves. This post provides a general overview of causes and symptoms of groupthink, as well as measures that can be taken to avoid groupthink.

*Updated January 2014*

Mobile Devices and Information Security Risk Management

Mobile devices such as smartphones and tablets have found their way into everyday task for professionals. More and more software is available in mobile application form, and organizations are utilizing the convenience offered by having their staff always connected. Though there are many benefits associated with having said connectability, new threats are introduced into the enterprise environment. The following post highlights threats that exist and steps you can take to secure your mobile devices.

The ISO 27001 information security standard recommends the development of a formal policy that introduce appropriate security measure to protect against threats related to mobile devices. The Standard suggests implementing a policy that addresses physical protection, access controls, cryptographic techniques, back-ups, and virus protection.

The Seven Habits of Highly Effective Risk Managers

It is a given that a risk manager must be analytical, precise, cautious and results driven. Risk managers are often seen as the gatekeepers to decisions and often associated with the word "No." We challenge this perception and suggest

Enterprise Risk Management: It is present in your organization, why not formalize it?

Organizations manage risk by nature, whether it is through a formal enterprise risk management (ERM) process or in an informal manner. Every time your organization's board of directors or top management determines a strategy or makes a decision regarding business objectives, it is implementing the principles of ERM. This article examines informal decision making processes and how they naturally follow the principles of ERM. The article suggests that in order to protect stakeholders, formalized ERM process should be put in place.

Black Swans Cost and Prediction

It serves an organization better to focus on the results and consequences of a back swan and develop a business continuity and recovery plan (BCP), as opposed to attempting to predict its occurrence.

ISO 27001 – Information Security Management System

The ISO 27001 standard includes multiple controls and control objectives aimed at ensuring the security of information in regards to the confidentiality, integrity, and availability of data.

Creating Custom Evaluation Templates in RM Studio

One of the value adding features of RM Studio is the ability to create your own custom Evaluation Templates. RM Studio comes equipped with two Evaluation Templates that are developed based on ISO 27001 methodology.

The Evaluation Template is used to qualitatively evaluate threats and assets in RM Studio. The Evaluation Templates within RM Studio can be tailored to each user's unique needs. The default value settings for each factor are: Low (1), Medium (2), High (3), Very High (4), and Immense (5). These factors were developed to comply with the ISO/IEC 27001 standard.

Assessing and Establishing Your Risk Management Policy

Whether you are in the early stages and developing your organization's risk management policy, or you are assessing the performance of your current risk management policy, it is a prudent practice to evaluate the administration of your risk management policy. This article reviews the key success factors to administrating an effective and efficient risk management policy.

Risk Management Takes a Top Down, Bottom Up Approach

Hands down, the most critical aspect of a successful risk management policy is senior management commitment to the program. Just behind this in a close second place, is commitment from the organizations employees. To have a successful risk management policy, a top down, bottom up approach is required.

When this approach is put in place, you will recognize the following characteristics or key success factors within your risk management policy.

Risk Management: Back to the Basics, Part 3

 

Gap Analysis and Risk Treatment

Introduction

Now that you have completed the risk analysis, the next steps are performing a gap analysis and the risk treatment process. This article provides a simplified framework for completing these steps.

Gap Analysis

A gap analysis is the evaluation process of the status of mitigating controls. The purpose of a gap analysis is to gain an understanding of the management system in question in regards to the risk management process. Further, it provides you with an overview of where the management system will be in the future. That is to say, the gap analysis shows you where you are in relationship to where you would like to be. A gap analysis is often used in the audit process, both internally and externally, as the gap analysis provides a bird's eye view of the control implementation and risk management process status.

Risk Management: Back to the Basics, Part 2

Part 2: Risk  Criteria and Risk Assessment

Introduction:

After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. The following article provides simplified guidelines for the risk assessment process.

Definitions

Risk Criteria: Risk criteria can be defined as the point of reference which the implication of a risk is evaluated.

Risk Assessment: Risk Assessment is the overall process of risk identification, analysis and evaluation.

Risk Criteria

The first step in the risk assessment process is to determine the evaluation criteria for assets and threats. The evaluation criteria can be based on legal and regulatory requirements, the risk management policy set forth by your organization, as well as international standards. Risk criteria should be reviewed continuously to ensure its alignment with the aforementioned factors. As organizational objectives, regulatory requirements, or international standards change, so should risk criteria.

Risk Management: Back to the Basics

Part 1: Why Risk Management and Where to Start

Introduction: Why Risk Management?

Organizations, whether a SME or multi-national corporation face internal and external factors that make reaching their business objectives uncertain at best. This effect of uncertainty on objectives is widely defined as risk. Organizations face risk in all activities and therefore should establish a systematic approach to properly managing risk effectively. Risk management should be approached in a similar manner as any other business process. Your organization has defined it sales process for success, why not define a risk management process with the same goal in mind? Organizations can only succeed and grow through effective and successful risk taking. This article covers the basics of risk management and how to approach the process in a systematic manner.

Risk Management and Social Engineering

As risk manager you have setup a system that protects your data from outside attackers and you have secured your premises with all the latest advancements. However, there is a threat that can break through all the fences, social engineering.

We covered this topic in a previous post regarding physical security. In our example, a gentleman dressed as a technician was able to penetrate a bank and install a device to steal data. How was he able to do this? He utilized social engineering.

Social engineering in the context of security, is “art” of manipulating people into executing actions or disclosing confidential information. Social engineers will use tactics that tap into the human psyche and emotions of the victim. Using tactics as simple as posing as a co-worker who forgot their access badge or sending malicious links via Facebook to gain access to buildings or data.

Risk Management and Human Resources: After Employment

Similar to the “during employment” phase, risk managers should collaborate with the human resource department after an employee is terminated or changes employment. Of the three phases of risk management and human resource collaboration, the after employment phase is the most logical.

It is important that you address the risk associated with terminating an employee. This process can introduce threats to the organization on multiple levels, including information security, physical security, as well as reputation, to name a few. When employees leave your organization, or transfer to a new department, it is important to ensure the exit process is handled in a systematic manner. The human resource department should work with the risk management team to develop processes that ensure the return of all assets and equipment, as well as the removal of access rights.

Reputation Risk Management: An Introduction

An organization’s reputation can be viewed as a driving force for success, a driving force which is complex and difficult to define. Without a positive reputation, potential customers and clients are wary to invest in or do business with a company in which they are uncertain in the quality of products and/or services provided by the company. A reputation for sound business and quality services is a necessity for doing business; it is the key that unlocks the door to opportunities for growth. Without this key, businesses become stagnant and never reach the high performing level. While it may be difficult to state precisely what it is, reputation is recognized as one of the cornerstones of a successful business.

“It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that you will do things differently.” – Warren Buffett

Risk Management and Reputation

The Bird-Man: What he can teach us about Risk Management and Human Resources

Risk management, as it relates to human resources, can be broken down into three phases: prior to employment, during employment, and after employment. In this article we take a look at the relationship of the human resources department's hiring process and the potential risks involved for risk managers. 

On March 20, 2012 Jarno Smeets, a.k.a. The Bird-Man, posted a video of himself flying with a winged contraption. This accomplishment (soon after Smeets admitted this is a hoax and 'online storytelling' ) in and of itself was an amazing feet and a brilliant piece of cinematography, but we are here to talk about risk management.

The Relationship Between Risk Management and Business Continuity Management

We often see discussions about and hear of clients segregating risk management and business continuity into two separate silos. When we have worked with organizations who have a risk manager (or similar job title) and a business continuity manager, we are surprised how often the two do not work together.·This is usually a good starting point when assisting clients and users of our solutions as a means of simplifying the risk management and business continuity management process.

Nourishing the interconnectedness of the two managers’ roles allows for the development of effective and efficient risk management and business continuity management programs. We see this as a vital relationship as we come from the school of thought that effective business continuity proficiency is found through adequately managing risks. On the flip side of this statement, we feel that risk cannot be effectively managed without a proper business continuity plan and strategy for recovery in place.

How many business continuity and recovery plans should you have?

A vital part of business continuity management is the recovery plan. One question we often get when discussing the development of business continuity and recovery plans, is whether to have multiple plans or to try and produce one plan that caters to all situations. To this question, as with almost all questions regarding risk management, it depends on the organization and the internal risk management culture.

The great minds at the Massachusetts Institute of Technology have developed a single plan. The Business Continuity and Recovery Plan presented by MIT focuses on the recovery in the event of a disaster. The plan covers the details and processes for the path to recovery. In the opinion of the security experts at MIT, this single plan is enough.

How much do you spend on testing vulnerabilities?

Testing vulnerabilities in your ISMS is a vital practice to ensure your system is adequate to protect your information. Every week we hear about security breaches worldwide and the increased exposure of the IT vulnerabilities we all face. We now pose the following questions.

  • How much of your annual security budget is allocated for vulnerability testing?
  • Do you have enough of the budget for properly testing vulnerabilities?

For Google, that amount was $1 million over just a few days in 2012 (for more details on this story click here).

Physical Security and Its Role in Information Security Management Systems

Our team is always on the lookout for new topics and concerns within the realm of information security. One of our team members recently came across an interesting article The Little White Box That Can Hack Your Network on www.wired.com. The article discusses a recent penetration test at multiple branches of a bank using a small computer called a Pwn Plug that simply plugs into a power outlet and the network. Once deployed the Pwn Plug releases its hacking tools. Dressed as a technician, Jayson Street was able to successfully penetrate four banks without a single issue.

This article brings attention to the point of what information security is holistically, and its ever changing nature. To many people, information security brings up images of hackers in a dark room surrounded by monitors and energy drinks, sending spam emails or attempting to hack into government networks. However, information security has a far reaching perimeter in that information security deals with everything from strong passwords, to the physical security of a building.

Information Security and the Gaming Industry

With the recent increase in attacks against game developers, information security is making its way into the headlines more than ever. A quick Google search on the topic brings up a plethora blogs about these incidents. The blogs which caught our attention were those questioning the compliance of the game developers to international standards that specifically protect consumer information.

Two key standards that find their way into the “blogversation” are the ISO 27001 and PCI-DSS. ISO 27001 is a management standard that focuses on information security. ISO 27001 defines conditions for the formation, implementation, monitoring and appraisal, maintenance and enhancement of a management system for managing an organization’s information security risk (read more about ISO 27001 Certification and RM Studio).  While the Payment Card Industry Data Security Standard (PCI DSS) is an information standard defined by the Payment Card Industry Security Standards Council for organizations that possess and process cardholder information for major credit, prepaid, debit, ATM, POS and e-purse cards. PCI DSS was developed in order to implement controls around cardholder information to reduce fraud as a result of disclosure of the information.

pic_2

Mitigating Controls for Risk Management

Mitigating controls are the key to reducing threats to assets, in regards to risk management. These mitigating controls can be found within standards, such as ISO/IEC 27001, and suggest measures to take in order to reduce risk to an organization’s assets. In this blog post we will be covering threats, assets and mitigating controls as well as the connections between those three in RM Studio.

It is important to understand what each item is in regards to risk management. We have defined Assets, Threats, and Mitigating Controls below:

Assets: Assets are any tangible or intangible economic resources which can be owned or used to produce value.

Threats: A threat is an act, which may be man-made, accidental or an act of nature, which can cause potential harm.

Mitigating Controls: Mitigating controls are put in place to reduce either the probability or consequences of a threat.

TomTom Development Germany has signed an agreement to use RM Studio

TomTom Business Solutions is the division of TomTom NV dedicated to commercial vehicle fleets, founded in 2005 when they introduced an out-of-the-box fleet management solution. Today, they […]

Customizable Features and Functions within RM Studio

RM Studio is risk management software used by all types of organizations on a global scale. While RM Studio is an ideal solution for users looking to obtain ISO 27001, ISO 14001 and/or ISO 9001 certification, specifically for completing the required risk assessment, gap analysis, developing a risk treatment plan, and completing reports such as the Statement of Applicability, RM Studio’s functionalities go far beyond these standards.

RM Studio is an industry leading solution for risk assessments of all types; thanks to the customizations user can implement and deploy. These customization functions are simple to use and allow for users to address unique needs and ever-changing market demands. Areas you can customize include:

TNT and BÜROTEX Synargos have signed agreements with Stiki to use RM Studio

TNT N.V., more commonly known as TNT, is an international delivery services company with headquarters in Hoofddorp, Netherlands. In the Netherlands, TNT operates the national postal service under the name TNT Post. The group also offers postal services in eight other European countries, including the UK, Germany, Italy and Belgium. TNT's mail division recorded sales of about €4.2 billion in 2009.

BÜROTEX Synargos is an IT service provider that offers professional and efficient service in the area of data center hosting, housing, document management solutions and high information security areas. BÜROTEX focuses its activities on reducing costs and increasing the competitiveness of clients through the consistent use of both innovation and modern information technologies.

Spreadsheet Program Manual Risk Management: Masked Nemesis of Risk Management

The benefits of using risk management software as opposed to Spreadsheet Programs

*Updated January, 2014*

Who doesn’t love using Spreadsheet Programs? What else would you use to create and plan your family budget, create and analyze production statistics, and manage organizational risks? Wait, what was that? Risk management using spreadsheets? Some of you may be scratching your head pondering if that is an inexpensive, viable business solution to risk management, while others of you are convincing yourself that it does work and you are preventing risk with the best tool available to you.

RM Studio: A tool for threat identification and analysis

We talk a lot about the risk management processes and utilizing RM Studio for a holistic approach to your risk management and business continuity management needs throughout our website. For this post we felt it would be useful to provide an example of how RM Studio can assist in more specific ways and as a tool with other uses in regards to risk assessment.

How much time does it take to get ISO Certified?

One of the overarching questions regarding the various ISO certifications is the timeline involved . The answer to this question is one that is not always easy to swallow, both for security managers and top management. The time, money and effort that are required can vary based on the organization seeking certification.

Note: For the benefits on ISO 27001 Certification, see our post on the Benefits of ISO 27001 Certification.

Benefits of ISO 27001 Certification

While some organizations are required to comply with ISO 27001 standards and must implement them, other organizations make the choice internally to implement ISO 27001 standards. These organizations sometimes struggle with weighing the benefits against the perceived burdens of investing in the certification. Though certification does take effort, implementing ISO 27001 standards should not be viewed as a burden; rather as opportunity for improvement and continuous strive towards operational excellence, as well as a business decision that results in a positive return on investment.

Risk Management Studio Ideology

RM Studio lets you deploy an integrated risk management framework from one centralized system that provides accurate outputs for higher quality business decision making.