Risk management and compliance – is it finally all coming together?

Speaking at the Worldwide Cybersecurity Summit on 1st June 2011, Sir Michael Rake, chairman of the BT group, expressed the view that awareness of cyber crime and the necessity of protecting corporate and personal data are not as highly prioritised at board level as they should be. In parallel, governments around the world are looking to strengthen oversight and enforcement, and business leaders are now focusing on enterprise risk management as a strategic business driver.
 
Compliance in silos
 
Governance and risk management are familiar topics in the board room. It is therefore surprising that companies always seem to be under pressure to meet compliance deadlines of one type or another, and often rush to implement solutions they believe will address whichever regulation looming on the horizon is the most visible, the most urgent or the most costly to ignore, without first putting it into the context of the existing enterprise risk management framework. Many businesses are now on their second or third cycle of trying to automate processes related to compliance with specific policies, industry standards and government regulations. With requirements evolving, companies find themselves with discrete solutions for PCI DSS, Data Protection, FSA, Sarbanes-Oxley, ISO 27001 and others. Although these businesses have achieved some successes with their initial projects, much of that success has been short lived, and costly. More specifically, investment in information security gets harder and harder to secure because sustainability cannot be demonstrated to the board. And then you get the next high-profile data breach…
To read the full article go to:
http://www.scmagazineuk.com/risk-management-and-compliance–is-it-finally-all-coming-together/article/208453/?DCMP=EMC-SCUK_Newswire

Sir Michael Rake's conclusions are as follows:
 
Best practice 
 
Lesson 1. Understand your risk profile 
 
A lot of progress has been made in mapping regulations (e.g. Data Protection) to risk management standards (e.g. ISO 27001) and to data security controls (e.g. PCI DSS), establishing standards and best practices for mapping regulations to standard controls. Threat scenario modelling and information asset risk categorisation are good tools to use in this space. IT and operational controls based on compliance requirements alone are no longer sufficient: businesses must look at their people and their processes as well as the technologies that can help them.
 
 
Lesson 2. Make risk management your objective, compliance will come naturally
 
I have always believed that PCI DSS represents a good set of basic information security controls that can be used in the wider information security space (i.e. not just card holder information). I also believe that PCI DSS brings a quantitative dimension to qualitative frameworks such as ISO 27001. If businesses limit their focus to compliance alone instead of the broader risk management picture, they are likely to make the same (expensive) mistakes time and time again and, as a result, find themselves reacting to crises.
 
Lesson 3. Avoid quick fixes and silos 
 
Companies that have successful risk management strategies have replaced quick-fix, discrete compliance initiatives with solutions that handle short-term needs while providing a foundation for an integrated long-term solution that is flexible enough to support multiple regulations and new functionality. I firmly believe that this can only succeed by 1) taking it one step at a time and 2) automating with solutions that support predefined mappings of multiple regulations. I classify such solutions in the broad category of Governance, Risk and Compliance (GRC) tools.
 
Lesson 4. Automate
 
The major source of failure of information security initiatives is the inability of organisations to move activities into a business-as-usual operational framework. Businesses should look for GRC solutions that are easy to deploy, require no customisation and are simple to upgrade. By taking such an approach, organisations will be able to extend the same automated, risk-based approach beyond PCI DSS to other regulations, including the Data Protection Act, Sarbanes-Oxley and other privacy requirements. The new GRC solutions can help businesses move from reactive to proactive compliance that is based on real, as opposed to theoretical, threats. A beneficial side effect is that compliance will be achieved in a much more cost-effective and efficient way, giving a much stronger competitive position in our increasingly regulated environment.
 
Lesson 5. Educate
 
I have always been an advocate of education and awareness in this field, and organisations will have to ensure that training and education of their own staff and customers is firmly on the agenda, alongside the implementation of sound security policies and practices. As we have seen earlier in this article, a lot can be achieved by using simple proactive measures. However, it is also true that more collaboration across industry and government as a whole is needed in this space.
 
Experience has shown that one of the biggest mistakes made by risk managers in both the public and private sectors is failing to establish both a quantitative and a qualitative approach to risk management: in other words, how much damage an incident will do to reputation, and how much it will cost. Most organisations work out their risk harm levels or risk appetites by declaring that they have a Low, Medium or High risk threshold, established by working out a threat assessment; however, the quantitative side of the assessment is often not considered, unlike the process adopted by insurance companies.
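To make the point above concrete, here is an added example (it is not from the article, from Regency, or from the Citicus product) of a small risk register that records the qualitative Low/Medium/High band from a threat assessment next to an insurance-style quantitative figure: annualised loss expectancy (ALE), the single-loss expectancy (SLE) multiplied by the annual rate of occurrence (ARO). The risks, cost figures and the two appetite thresholds are all constructed for illustration. The example shows that two risks with the same qualitative band can sit on opposite sides of a monetary appetite, and that a "Low" threat can be the larger expected loss once frequency is taken into account.

```python
"""Risk register with qualitative bands and a quantitative ALE estimate.

Added example, not code from the article or from any GRC product.
ALE = SLE x ARO is the standard annualised loss expectancy formula;
every figure below is constructed for illustration only.
"""

from dataclasses import dataclass
from typing import List

# Qualitative appetite in the article's Low/Medium/High terms, plus a constructed
# monetary appetite (GBP per year) that the board is assumed to accept.
QUALITATIVE_APPETITE = "Medium"
QUANTITATIVE_APPETITE_GBP = 100_000

BANDS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    name: str
    threat_level: str   # qualitative band from the threat assessment
    sle_gbp: float      # single-loss expectancy: direct plus reputational cost of one incident
    aro: float          # annual rate of occurrence: expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy in GBP."""
        return self.sle_gbp * self.aro

    def exceeds_qualitative(self) -> bool:
        """True when the band alone would put this risk above appetite."""
        return BANDS[self.threat_level] > BANDS[QUALITATIVE_APPETITE]

    def exceeds_quantitative(self) -> bool:
        """True when the expected annual loss is above the monetary appetite."""
        return self.ale() > QUANTITATIVE_APPETITE_GBP


def prioritise(register: List[Risk]) -> List[Risk]:
    """Rank by expected annual loss, highest first; ties broken by qualitative band."""
    return sorted(register, key=lambda r: (r.ale(), BANDS[r.threat_level]), reverse=True)


def disagreements(register: List[Risk]) -> List[Risk]:
    """Risks where the qualitative and quantitative views reach different conclusions."""
    return [r for r in register if r.exceeds_qualitative() != r.exceeds_quantitative()]


def report(register: List[Risk]) -> List[str]:
    """One line per risk, in priority order, flagging which appetite it breaches."""
    lines = []
    for r in prioritise(register):
        flags = []
        if r.exceeds_qualitative():
            flags.append("above qualitative appetite")
        if r.exceeds_quantitative():
            flags.append("above quantitative appetite")
        lines.append(f"{r.name}: band={r.threat_level}, ALE=GBP {r.ale():,.0f}"
                     + (f" [{'; '.join(flags)}]" if flags else ""))
    return lines


# Constructed sample register: names, costs and frequencies are illustrative only.
SAMPLE_REGISTER = [
    Risk("Cardholder data breach via web application", "High", 2_000_000, 0.1),
    Risk("Laptop theft with unencrypted data", "Medium", 50_000, 5.0),
    Risk("Phishing leading to account takeover", "Medium", 20_000, 2.0),
    Risk("Data centre power outage", "Low", 300_000, 0.5),
]


if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
    print("Disagreements between the two approaches:",
          [r.name for r in disagreements(SAMPLE_REGISTER)])
```

In the sample register the laptop-theft risk is rated "Medium" and so passes the qualitative test, yet its expected annual loss is the largest of the four; the power outage is "Low" but still breaches the monetary appetite. Those are exactly the cases a Low/Medium/High threshold on its own hides, and the ones an insurer's frequency-times-severity view would surface.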
 
Regency has a team of very experienced consultants who specialise in IA risk management in both the public and private sectors. Our consultants, working alongside the personnel responsible for IA and risk management within the business area, will establish a risk management regime to meet those business requirements. The regime will cover such areas as accountability, criticality assessments, level of threat, business impact assessments, privacy impact assessments, acceptable risk appetite/harm levels and incident reporting, and on completion will also produce an action plan enabling the identified risks to be managed by the appropriate person within an agreed time scale, as well as the basis for establishing a Business Continuity Plan.
 
Regency are now in a position to offer current and new clients, in both the public and private sectors, a fully automated, award-winning risk management tool, CiticusOne, to assess their current level of compliance against the controls they are required to meet. Example control areas for the public sector may be SPF, PIA, IAMM and ISO 27001, and for the private sector ISO 27001, Sarbanes-Oxley, COBIT and SCADA; compliance controls bespoke to individual business needs can also be included. Additionally, the areas of risk analysis offered by CiticusOne regarding criticality, BIS's incident reporting and BCPs would enhance any current risk management regime. Once the risk management process is completed, CiticusOne can produce an easily readable report detailing areas of risk, action plan details and dashboard diagrams that can be presented to the Board.
 
The use of Citicus will not only reduce the time it takes to carry out the risk management process, and the time spent by in-house security practitioners or consultants, but will also reduce the cost of maintaining a real-time, effective risk management regime that, once adopted, can be updated as and when the risks or threats change.
 
As the sole worldwide implementation partner, Regency can host and manage Citicus in our HMG-accredited secure data centre and also provide the expertise to carry out independent evaluations. We can also arrange training for personnel to use the software to maintain and update their risks and actions through our hosting service, over secure HMG-approved VPN-encrypted connections.