ZoomLens - Loveland, Subramanian - Tackling Info Risk
zoomlens September 2011

Tackling Information Risk
Your greatest asset could be your greatest risk

Highlights:
Most companies don't understand the risks posed by their information until it's too late.
Competitors, hacktivists, regulators, and opposing counsel see great value in information stores and can wreak organizational havoc in their attempt to uncover it.
Key challenges lie in balancing the desire for data control with the need for access, and in apportioning greater spending to higher risk data sources.
A simple framework can allow organizations to better identify and understand their riskiest data and prioritize finite IT, security and other spending.

The concept of "he who holds the information, holds the power" is well-understood. But today, with exploding volumes of stored data, increasingly distributed computing (the "cloud", smartphones, tablet PCs, etc.), heightened regulatory scrutiny and the proliferation of "professional" hacking groups, the corollary is equally true: "he who holds information, holds the risk."

Yet most companies don't act to minimize their information risk until they're forced to, resulting in extraordinary and disproportional costs—both direct and indirect—and, often, inadequate results. Ask any company that has faced a pressure-filled Foreign Corrupt Practices Act investigation, high-stakes litigation or major information security breach and most will say that they wished they had done more to prepare for these events before they happened. Increasingly, the task of tackling Information Risk Management ("IRM") and the crises that result is falling to the general counsel's office.

Why don't more companies think about how to manage their information risk? Why does it often take a crisis event before a company even begins to think about how, where, and why data is stored and who has access to it? The short answer is simple: it's really hard. But like any good business problem, it can be broken down into a handful of key drivers:

Too much data: A recent study estimated that in 2011, the amount of information created will surpass 1.8 zettabytes (1.8 trillion gigabytes), 9 times the rate of just 5 years ago. With so much information growth, many organizations are unaware of the types of data that they have within their infrastructure. If they don't know that it exists, how can they assess its risks and secure it?

One-size-fits-all approach: Many organizations pair a one-size-fits-all approach to data security with a one-size-fits-all approach to IRM. Even with the emergence of the Chief Information Security Officer position, the focus remains primarily on how we keep people out of our network, not on how we rationalize and optimize the information we keep, or on how we differentiate between the way we manage high risk data (e.g. medical records) and low risk data (e.g. the office dress code).
PwC Tackling Information Risk
Increased demand for information access:
Compounding the problem is that employees now
demand real-time access to information from wherever
they are, through whichever device they happen to be
using—from smartphones to tablet PCs. While this surely
has positive effects on worker productivity and
creativity, it complicates the organization’s ability to
properly keep its information protected from inadvertent
disclosure or malicious exploitation.
False sense of security: Whether it be "Hacktivists"
like WikiLeaks and Anonymous accessing and leaking
information to send some quasi-political message, or
unscrupulous competitors (including nation states),
looking for an advantage, there are a myriad of reasons
why external parties want access to your data. While
industries and organizations differ in their risk profiles,
none are immune from the risks of hackers, or of the
impact that poor IRM practices can have on a regulatory
review, or litigation.
As if the above weren’t enough to keep your risk
management team up at night, all of this comes, of course,
at a time of increasing regulatory scrutiny (e.g., the Dodd-Frank Act) and enforcement actions, global data privacy
regulation, and crushing e-discovery requirements. So given
these factors, what can the general counsel’s office do to
manage these risks?
A Framework for Assessing
Information Risk
While the scale and size of the information risk issues may
seem insurmountable, the following framework for
analyzing information risk can help you get a better handle
on the problem and focus your investment more
appropriately. The following are 5 key steps that must be
undertaken before risk mitigation plans can be developed
and investments can be made.
1. Understand the key types of data that exist within
your organization
The first step is to develop an understanding of the
types of data (or data categories) that exist within your
organization (e.g. operational data, customer and
vendor lists, payroll, intellectual property, corporate
strategy documents, etc.). Clearly the focus here ought
to be on data that is sensitive, private or serves an
important business purpose.
2. Understand where the data is stored
For each of the data categories, determine where the
data is currently stored. Data locations could include,
for example, internal servers as well as third-party
“cloud”-based providers. It should be noted that in
many cases a regulator will still hold an organization
accountable for the security and protection of its data,
even if the storage is outsourced to another vendor. In
addition, the location of the data impacts the risks to an
organization based on the applicable jurisdictional data
privacy and breach laws.
3. Understand the owners of the data
The next step is to determine who “owns” or has
primary responsibility for managing and ensuring the
quality of the data in question. The data owners will be
important in helping to manage the risks associated
with the data.
4. Understand the risks of the data
For each of the data categories, assess the risks
associated with data. When assessing risk, it is
important to think holistically to include, financial,
operational, regulatory, legal and reputational risk.
Categorize the overall risk as either High or Low.
5. Understand the user access needs
For each of the data categories, determine the access
needs. If the data needs to be accessed regularly (e.g.
inventory data) or real-time (e.g. tablet-based
operational reports) then mark the data access needs as
High. If the data is accessed infrequently then mark the
data access needs as Low.
After the completion of this process, an organization can now classify its data into four separate categories by plotting a matrix of risk versus access. Each of the four areas is summarized below in descending order of priority:

High Risk—High Access Requirements
Data in the upper right quadrant represents the highest need for risk management focus and investment. This data is normally sensitive customer or internal information, and requires access from groups at various levels of the organization (e.g., patient healthcare information at a hospital). Efforts should be made to centralize this data and implement controls over it (e.g., monitoring of data usage, strong usage policies and data protection/security training, etc.).

High Risk—Low Access Requirements
Investments will best succeed in centralizing higher risk but less accessed data, such as employee HR information (e.g. social security numbers). While the lower level of use will naturally yield inherent safeguards, the sensitivity of this information will still require effective security and controls management.

Low Risk—High Access Requirements
Such data can include, for example, phone directories for US-based employees. As the data presents little risk to the organization but is accessed frequently, lower levels of security investment or controls are needed beyond the organization's baseline security and data usage standards.

Low Risk—Low Access Requirements
This category of data may be best served through little to no additional investment beyond the organization's baseline security and data usage standards. Data of low risk and low access is normally used by a particular group and does not contain sensitive information (e.g., the marketing team's internal memo template).

While the outline above provides an effective framework for assessing the information most at risk, many other issues must be considered and addressed prior to implementing procedures to mitigate the risks described above. Such issues will include, but not be limited to, data privacy laws (especially in some international markets), regulatory requirements (regarding how data is stored and for how long), the existing IT infrastructure and the company's IT personnel that can implement and oversee the process. Having a team that can speak to both the regulatory and the IT technical issues and solutions is essential to a successful and cost-effective IRM investment.

Striking a Balance Between Control and Availability

Organizations must strike a careful balance between the availability and ease of access of information while also maintaining a high level of control to ensure the appropriate usage and protection of that information. The proliferation of data within an organization only compounds the difficulties faced in managing this balance.

The approach detailed above provides a framework to allow organizations to better understand their data, appropriately risk-rate their data across the risk-access matrix, and prioritize finite IT, security and other resources around key high risk data categories.

The problems posed by the competing priorities of access and security are not going away; in fact they will only get worse. Organizations that are able to effectively share information throughout their enterprise, while maintaining control over the security of this information, will have a significant competitive advantage in the future.