Done right (avoiding unnecessary risk on one side and overcompensation with controls on the other), the organization can evaluate its current internal controls process and determine the appropriate risk tolerance profile by:
- Determining the risks that apply to your organization:
  - Risk of failing to fully comply with regulations
  - Loss of intellectual property and any sensitive information
  - Impact of disasters and unplanned events
  - Impact of an event which adversely affects the brand image of the organization
- Gaining stakeholder feedback on the impact and likelihood of these risks
- Benchmarking the existing process for managing the risks identified as concerns by stakeholders
- Identifying the costs required to address the risks
- Performing a cost/risk analysis
- Prioritizing control efforts accordingly
This last step, prioritization, is particularly important. The complexity and granularity of controls required by auditing standards and legislation, along with the fact that IT risk management efforts are not profit drivers, make resourcing a challenge. Prioritization is not an option but a reality for those accountable for the organization's risk management.
Regulations around privacy and data protection have most often been enacted in response to an incident. Essentially, these regulations mandate what we should already be doing based on our organization's risk tolerance. The challenge with compliance regulations is that there is usually no defined set of controls you can use to determine with absolute certainty that you are compliant. It comes down to your organization's interpretation of the law vs. that of the auditor from the regulating body. More importantly, if you implement every control recommended for a regulation and still have a breach, you are not protected from lawsuits and fines from the regulating entity.
Threats exist in regulated and unregulated industries alike and not all incidents are malicious in nature.
Focusing on risk management allows you to prioritize your mitigation efforts effectively. Organizations, after all, have to balance controls with operational efficiency.
The IT department's role is to assess and communicate risk related to technology. This is one part of the overall business risk. The organization must then decide what falls within its defined level of acceptable risk. It is important that IT does not assume this business decision on the organization's behalf. Risk management should be driven enterprise-wide.
If we look at some of the major regulations, it becomes clear that simply addressing compliance does not necessarily protect the organization:
* Sarbanes-Oxley Act (SOX) requires that all publicly held companies establish internal controls and procedures for financial reporting to reduce the possibility of corporate fraud. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store or control records; rather, it defines which records are to have internal controls and for how long.
* Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection.