INFORMATION GOVERNANCE

Chapter 4

Information Risk Planning and Management

Copyright Omar Mohamed 2019

CHAPTER GOALS AND OBJECTIVES

Be able to outline the progressive steps involved in developing an information risk management plan

Know what is meant by “risk” and a “risk profile”

Know the different ways one would go about creating a risk profile

Know how one would go about conducting a risk assessment

Know what an information risk mitigation plan is

What is the purpose of Information Risk Planning?

Identify potential risks to information

Weighing risks against each other

Creating strategic plans for risk mitigation

Creating policies

Develop Metrics

Applying metrics to measure progress

Audit and feedback

Steps in Information Risk Planning and Management

Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements

Step 2: Specify IG Requirements to Achieve Compliance

Step 3: Create a Risk Profile

Step 4: Perform Risk Analysis and Assessment

Step 5: Develop an Information Risk Mitigation Plan

Step 6: Develop Metrics and Measure Results

Step 7: Execute The Risk Mitigation Plan

Step 8: Audit the Information Risk Mitigation Program

Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements

Conduct legislative research: legal requirements trump all other requirements

Identify the jurisdiction(s) where the company operates

Federal

Provincial (international)

State

Municipal

Approaches to legal research for retention, privacy and security laws:

Records retention citation service (Example: FILELAW®)

Use online or print resources (Example: Code of Federal Regulations, “CFR”)

Step 2: Specify IG Requirements to Achieve Compliance

Compile list of external compliance requirements

Map data, document, and records to external compliance requirements

Devise a method of keeping legal and records management staff apprised of changes in regulations

Reconcile Internal IG retention requirements with external compliance requirements

Step 3: Create a Risk Profile

“RISK”: effect of uncertainty on objectives [1]

“RISK PROFILE”: description of a set of risks [2]

A part of Enterprise Risk Management

Considerations for creating a Risk Profile

Frequency

External Resources

Stakeholders

[1], [2] “ISO 31000 2009 Plain English Risk Management Dictionary”, www.praxiom.com/iso-31000-terms.htm

Included in Risk Profile

Identification, documentation, assessment and prioritization of the risks that an organization may face in pursuing a business objective

Timeline:

Projections 3 to 5 years into future

Create annually

Updated or reviewed semiannually

Step 3 (continued)

Types of Risk Profile Methodology

Top-10 list: a simple listing and ranking of the top 10 risks in relation to the objective

Risk map: a visual tool that is easy to grasp; a grid depiction with a likelihood axis and an impact axis, each generally rated on a 1 to 5 scale

Heat map: a color-coded matrix generated by stakeholders voting on each risk by color (red is the highest risk)
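As an added illustration (not part of the slides), the script below builds the top-10 list, the 1-to-5 risk map and a heat-map color for a small constructed risk register. The slides do not say how likelihood and impact are combined, so the score rule (likelihood × impact) and the red/amber/green thresholds are assumptions, as are the sample risks.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact are each rated 1..5 (as on the slide)

@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # e.g. regulatory, natural disaster, security
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: ratings must be 1..5")
        return self.likelihood * self.impact  # assumed rule: likelihood x impact (1..25)

def heat_color(score: int) -> str:
    if score >= 15:  # thresholds are an assumption, not from the slides
        return "red"
    if score >= 8:
        return "amber"
    return "green"

def top_n(risks, n=10):
    """Top-10 list method: rank by score, highest first (name breaks ties)."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))[:n]

def risk_map(risks):
    """Risk-map grid keyed by (likelihood, impact) -> list of risk names."""
    grid = {(l, i): [] for l in SCALE for i in SCALE}
    for r in risks:
        r.score()  # validates the ratings before placing the risk
        grid[(r.likelihood, r.impact)].append(r.name)
    return grid

def render(risks):
    """Text grid: rows = likelihood (5 at top), columns = impact 1..5."""
    grid = risk_map(risks)
    lines = ["L\\I " + " ".join(f"{i:>3}" for i in SCALE)]
    for l in reversed(SCALE):
        lines.append(f"{l:>3} " + " ".join(f"{len(grid[(l, i)]):>3}" for i in SCALE))
    return "\n".join(lines)

# Constructed sample register (illustrative, not real data)
REGISTER = [
    Risk("Lost laptop with unencrypted records", "security", 4, 4),
    Risk("Retention schedule not applied to email", "regulatory", 5, 3),
    Risk("Data-centre flood", "natural disaster", 1, 5),
    Risk("Legal hold missed during litigation", "regulatory", 2, 5),
]
```

Calling `render(REGISTER)` prints the count of risks in each cell of the 5×5 grid; `heat_color(r.score())` gives the heat-map bucket for a risk.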

Step 3 (continued)

Information Gathering for Risk Profile

Surveys

Person-to-Person Interviews

Give interviewees questions in advance

Schedule interviews at convenient times and places

Keep interviews as short as possible

Include questions about:

Access and Security policies

Policy development

Policy adherence

Retention of email

Legal Hold policies

Record Retention

Record destruction

Training and Communications

Consider key events and changes that will impact risk

Generate a list of risks and categorize them (Example: natural disasters, regulatory, safety, competitive, etc.)

Step 4: Perform Risk Analysis and Assessment

Five steps for Risk Assessment:

Identify the risks: the output of the risk profile

Determine potential impact: include calculations for the range of economic impact in dollars where available; be as specific as possible

Evaluate risk levels and probabilities and recommend action: recommendations for new procedures, new processes, new investments in IT, and other risk mitigation methods

Create a report with recommendations and implement: include a risk assessment table where available, include written recommendations, then implement

Review periodically: at least annually, or as appropriate for your organization

Step 5: Develop an Information Risk Mitigation Plan

What is a Risk Mitigation Plan?

Plan which includes

Options to reduce specific risks and increase the likelihood of achieving objectives

Tasks to reduce specific risks and increase the likelihood of achieving objectives

Timetable for implementing risk mitigation measures

Milestones for implementing risk mitigation measures

Timetable/Milestones for IT acquisitions

Timetable/Milestones for assigning roles and responsibilities

Step 6: Develop Metrics and Measure Results

Assign quantitative measures that are

Meaningful

Measure progress

What are relevant metrics? – Must be relevant to your organization. Examples are:

Reduce the data lost on stolen or misplaced laptops and mobile devices by ___ % over the prior year

Reduce the number of hacker intrusion events by ___ over prior year

Reduce e-discovery costs by __ % over prior year

Reduce the number of adverse findings in the risk and compliance audit by ___% over last year

Provide information risk training to __% of knowledge-level workers this year

Provide confidential messaging services for the organization’s top ___ executives this year

Step 7: Execute Your Risk Mitigation Plan

Set up regular project/program team meetings

Develop Key Reports on key risk mitigation metrics

Manage the process

Use Project management tools and techniques

Clear and concise communication with the IG team on progress and status

Step 8: Audit the Information Risk Mitigation Program

Key tools in the audit process?

Metrics used to measure risk mitigation effectiveness

Use audit results for further redevelopment and fine tuning of the risk mitigation program

Don’t misuse the audit results: don’t use them to beat up on people; use them for feedback and improvement

The End