
there’s a bright side. Your clients already have the resources they need to solve the problem; it’s a matter of coordinating those resources and getting information collected by one group to the other groups that need it.

A risk-based approach is designed to do exactly this. It enables management to create transparency across departments while assigning accountability to, and fostering engagement from, each department as necessary.

These attributes, combined with federal requirements that organizations either maintain records of effective risk management or disclose their ineffectiveness to stakeholders, are strong incentives to adopt a risk-based approach. Here are the steps to getting there:

Step 1: Create a security policy

What needs to be done first? The process starts when you draft a security policy that meets the customer’s standards. End users (i.e., employees) must then meet those standards, such as password requirements and access rights reviews, by a particular date. The majority of organizations already have such a policy. Designing it takes time, but it’s usually straightforward and standard practice.

The actual implementation of the policy usually ends up being the bottleneck. Without implementation and monitoring of its line items, a policy is merely a piece of paper or an electronic document made with good intentions but still ineffective. Thus, if you create a strong policy but the customer doesn’t operationalize it, they won’t realize a benefit. To operationalize new password and access rights standards, security needs both expertise and an ERM system that reaches all process owners throughout the organization.

Step 2: Identify password-protected assets

Every department, whether security, compliance, audit, operations or customer-facing roles, relies on certain applications and devices. With the decentralization of IT in recent years, it’s not possible for security, without governance over asset management, to verify that every asset meets policy requirements. What’s more, security doesn’t even know that a majority of those applications exist, or which employees have access to them. With this in mind, how can the organization verify that all loose ends are tied up?

Using ERM, the client’s finance department becomes part of the answer. Finance handles budgets and billing, which includes oversight of the acquisition of all devices, applications and services used by the company. An ERM system acts as the bridge between security and finance. Without the transparency afforded by the system, security cannot benefit from a master asset list shared by both groups. Once that connection is made, it’s clear the necessary information already exists, just in a different department. Security can then push out notifications using the common asset list.

Step 3: Engage all relevant process owners, creating accountability across departments

Access management policy blindness is a big barrier to shoring up cyber vulnerabilities. As mentioned above, security can’t possibly see this initiative through to completion without help. This is where process owners, the managers across departments, come into play.

Much as ERM assists with information gathering, it also assists with the assignment and automation of tasks. When managers in each department receive a notification that they must have all employees change their passwords and review access rights, they can do so quickly and easily. Thanks to their proximity to each asset, process owners are uniquely equipped to operationalize a particular piece of your security policy. The ERM system then automates the reporting on which tasks have been completed and which are outstanding, making it easy for security to identify who to follow up with.

Step 4: Repeat this process of engagement and accountability with third parties

The Wendy’s data breach is an example of what can happen when third parties aren’t held to the same standards your own departments are. In this case, Wendy’s suffered a breach in more than 1,000 of its franchised locations, but no company-owned locations were affected.

Company stores weren’t affected because Wendy’s adhered to effective cybersecurity practices. Its mistake was not a poorly designed policy or reliance on obsolete technologies. Its mistake was failing to operationalize that policy across its third parties. Wendy’s failed to confirm that step 4, creating and following up on third-party accountability, was completed adequately.

With a risk-based approach, security can identify all the organization’s third-party relationships, which vendors have access to sensitive information, and finally, which parties at the company are in contact with those vendors. Now the compliance team can be pulled into the process (again via automatic notifications). Once compliance confirms that vendor contracts have been modified and enacted appropriately, the security team has confirmation that the board’s policy has been fully operationalized.

ERM makes this possible by defining roles, responsibilities and relationships across departments; assigning each role a manageable component with clear accountability; and automating the process with tasks, notifications and reports to monitor policy adherence.

Above all, enterprise risk management automatically creates a historical record of your security efforts, allowing you to report to your clients what’s being done to prevent breaches on a day-to-day basis.


Steven Minsky is CEO of LogicManager, a provider of enterprise risk management software.

May - June, 2017 | Channel Vision | 73