there’s a bright side. Your clients already have the resources they need to solve the problem; it’s a matter of coordinating those resources and getting information collected by one group to another group that needs it. A risk-based approach is designed to do exactly this. It enables management to create transparency across departments, while assigning accountability and fostering engagement from each department as necessary.

These attributes, in combination with federal requirements that organizations either maintain records of effective risk management or disclose their ineffectiveness to stakeholders, are strong incentives to adopt a risk-based approach. Here are the steps to getting there:
Step 1: Create a security policy

What needs to be done first? The process starts when you draft a security policy that meets the customer’s standards. End users (i.e., employees) must then meet those standards – such as password requirements and access rights reviews – by a particular date. The majority of organizations already have such a policy. Designing it takes time, but it’s usually straightforward and standard practice.

The actual implementation of the policy usually ends up being the bottleneck. Without implementation and monitoring of its line items, a policy is merely a piece of paper or an electronic document made with good intentions but still ineffective. Thus, if you create a strong policy but the customer doesn’t operationalize it, they won’t realize a benefit. In order to operationalize new password and access rights standards/requirements, security needs both expertise and an ERM system to reach all process owners throughout the organization.
Step 2: Identify password-protected assets

Every department – security, compliance, audit, operations and customer-facing roles – relies on certain applications and devices. With the decentralization of IT in recent years, it’s not possible for security – without governance over asset management – to verify that every asset meets policy requirements. What’s more, security doesn’t even know a majority of those applications exist, or which employees have access to them. With this in mind, how can the organization verify all loose ends are tied up?

Using ERM, the client’s finance department becomes part of the answer. Finance handles budgets and billing, which includes oversight of the acquisition of all devices, applications and services used by the company. An ERM system acts as the bridge between security and finance. Without the transparency afforded by the system, how can security benefit from a master asset list used by both groups? Once that connection is made, it’s clear the necessary information already exists, just in a different department. Security can then push out notifications using the common asset list.
Step 3: Engage all relevant process owners, creating accountability across departments

Access management policy blindness is a big barrier to shoring up cyber vulnerabilities. As mentioned above, security can’t possibly see this initiative through to completion without help. This is where process owners, or managers across departments, come into play.

Much as ERM assists with information gathering, it also assists with the designation and automation of tasks. When managers in each department receive a notification that they must have all employees change their passwords and review access rights, they can do so quickly and easily. Thanks to their proximity to each asset, process owners are uniquely equipped to operationalize a particular piece of your security policy. This automates the reporting on which tasks have been completed and which are outstanding, making it easy for security to identify who to follow up with.
Step 4: Repeat this process of engagement and accountability with third parties

The Wendy’s data breach is an example of what can happen when third parties aren’t held to the same standards your own departments are. In this case, Wendy’s suffered a breach in more than 1,000 of its franchised locations, but no company-owned locations were affected.

Company stores weren’t affected because Wendy’s adhered to effective cybersecurity practices. Its mistake was not that it maintained a poorly designed policy or relied on obsolete technologies. Its mistake was failing to operationalize that policy across its third parties. Wendy’s failed to confirm that step 4, creating and following up on third-party accountability, was completed adequately.

With a risk-based approach, security can identify all the organization’s third-party relationships, which vendors have access to sensitive information, and finally, which parties at the company are in contact with those vendors. Now, the compliance team can be pulled into the process (again via automatic notifications). Once compliance confirms that vendor contracts have been modified and enacted appropriately, the security team has confirmation that the board’s policy has been fully operationalized.

ERM makes this possible by defining roles, responsibilities and relationships across departments; assigning each role a manageable component with clear accountability; and automating the process with tasks, notifications and reports to monitor policy adherence.

Above all, enterprise risk management automatically creates a historical record of your security efforts, allowing you to report to your clients what’s being done to prevent breaches on a day-to-day basis.
Steven Minsky is CEO of LogicManager, a provider of enterprise risk management software.

May - June, 2017 | Channel Vision | 73