INFORMATION GOVERNANCE
Chapter 4
Information Risk Planning and Management
Copyright Omar Mohamed 2019
CHAPTER GOALS AND OBJECTIVES
Be able to outline the progressive steps involved in developing an information risk management plan
Know what is meant by “risk” and a “risk profile”
Know the different ways one would go about creating a risk profile
Know how one would go about conducting a risk assessment
Know what an information risk mitigation plan is
What is the purpose of Information Risk Planning?
Identify potential risks to information
Weigh risks against each other
Create strategic plans for risk mitigation
Create policies
Develop metrics
Apply metrics to measure progress
Audit and feedback
Steps in Information Risk Planning and Management
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
Step 2: Specify IG Requirements to Achieve Compliance
Step 3: Create a Risk Profile
Step 4: Perform Risk Analysis and Assessment
Step 5: Develop an Information Risk Mitigation Plan
Step 6: Develop Metrics and Measure Results
Step 7: Execute The Risk Mitigation Plan
Step 8: Audit the Information Risk Mitigation Program
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
Conduct legislative research: legal requirements trump all other requirements
Identify the jurisdiction(s) where the company operates:
Federal
Provincial (international)
State
Municipal
Approaches to legal research for retention, privacy and security laws:
Records retention citation service (Example: FILELAW®)
Use online or print resources (Example: Code of Federal Regulations, “CFR”)
Step 2: Specify IG Requirements to Achieve Compliance
Compile a list of external compliance requirements
Map data, documents, and records to external compliance requirements
Devise a method of keeping legal and records management staff apprised of changes in regulations
Reconcile internal IG retention requirements with external compliance requirements
Step 3: Create a Risk Profile
“RISK” – Effect of uncertainty on objectives [1]
“RISK PROFILE” – Description of a set of risks [2]
A part of Enterprise Risk Management
Considerations for creating a Risk Profile
Frequency
External Resources
Stakeholders
[1], [2]: “ISO 31000 2009 Plain English, Risk Management Dictionary”, www.praxiom.com/iso-31000-terms.htm
Included in Risk Profile
Identification, documentation, assessment and prioritization of the risks that an organization may face in pursuing a business objective
Timeline:
Projections 3 to 5 years into future
Create annually
Updated or reviewed semiannually
Step 3 (continued)
Types of Risk Profile Methodology
Top-10 list: simple listing and ranking of the top 10 risks in relation to the objective
Risk Map: visual tool, easy to grasp; a grid depiction with a likelihood axis and an impact axis, generally rated on a 1 to 5 scale
Heat Map: color-coded matrix generated by stakeholders voting on each risk by color (red is highest risk)
Step 3 (continued)
Information Gathering for Risk Profile
Surveys
Person-to-Person Interviews
Give interviewees questions in advance
Schedule interviews at convenient times and places
Keep interviews as short as possible
Include questions about:
Access and Security policies
Policy development
Policy adherence
Retention of email
Legal Hold policies
Record Retention
Record destruction
Training and Communications
Consider key events and changes that will impact risk
Generate a list of risks and categorize them (Example: natural disasters, regulatory, safety, competitive, etc.)
Step 4: Perform Risk Analysis and Assessment
Five steps for Risk Assessment:
Identify the risks: the output of the Risk Profile
Determine potential impact: include calculations for the range of economic impact in dollars where available. Be as specific as possible
Evaluate risk levels and probabilities and recommend action: recommendations for new procedures, new processes, new investments in IT, and other risk mitigation methods
Create a report with recommendations and implement: include a risk assessment table where available, include written recommendations, then implement
Review periodically: at least annually, but as appropriate for your organization
Step 5: Develop an Information Risk Mitigation Plan
What is a Risk Mitigation Plan?
A plan which includes:
Options to reduce specific risks and increase the likelihood of achieving objectives
Tasks to reduce specific risks and increase the likelihood of achieving objectives
Timetable for implementation of risk mitigation measures
Milestones for implementing risk mitigation measures
Timetable/Milestones for IT acquisitions
Timetable/Milestones for assigning roles and responsibilities
Step 6: Develop Metrics and Measure Results
Assign quantitative measures that are:
Meaningful
Able to measure progress
What are relevant metrics? – Must be relevant to your organization. Examples are:
Reduce the data lost on stolen or misplaced laptops and mobile devices by ___% over the prior year
Reduce the number of hacker intrusion events by ___ over prior year
Reduce e-discovery costs by __ % over prior year
Reduce the number of adverse findings in the risk and compliance audit by ___% over last year
Provide information risk training to ___% of knowledge-level workers this year
Provide confidential messaging services for the organization’s top ___ executives this year
Step 7: Execute Your Risk Mitigation Plan
Set up regular project/program team meetings
Develop key reports on key risk mitigation metrics
Manage the process
Use project management tools and techniques
Communicate clearly and concisely with the IG team on progress and status
Step 8: Audit the Information Risk Mitigation Program
Key tools in the audit process:
Metrics used to measure risk mitigation effectiveness
Use audit results for further redevelopment and fine tuning of the risk mitigation program
Don’t misuse the audit results: don’t use them to beat up on people; use them for feedback and improvement
The End