Welcome to CIOproNews

Risk Management In All Aspects Of A Company Is Important

By Dan Morrill
Expert Author
Article Date: 2008-12-08

There is a link between IT risk and the overall company risk posture. Techtarget has a fascinating read for every security engineer out there, including the CISO. It is hard to quantify risk.

Is it risky to use Facebook at work? Not normally, but when there is a massive worm hitting Facebook, the answer is yes. When you have a good firewall policy and enforcement, you reduce the risk of bad data coming in, but do you have a way to stop bad data going out from the company? The DOD recently had to ban the use of flash drives because people were bringing them in from infected PCs at home. They found out by looking at the outbound connections on their firewalls and at the tripping of AV software and security appliances.

These are the kinds of risk management processes that can help make the argument for doing things in a corporate environment. Corporate groups are generally interested in making money, and think of any interference from IT or IT Security as something that needs to be gotten around. These groups still have not bought into the idea of buy-in, or of working with security. In some cases, security and the IT department are not being helpful either, causing these groups to engage in risky behavior off the corporate network because they don't understand the risks; they just see that they need to hit financial targets.

Risk management across all aspects of the company, including IT, is important to the board of directors and to general management. One good breach, and the company stands to lose millions of dollars if not thousands of customers, and to face class action lawsuits like those we have seen with the TJX hack and other hacks. While the chances of these happening are remote when there are good controls and policies in place, failure to get those controls and policies in place nearly guarantees that there is going to be an issue in the future.


• 38% of the respondents said boards occasionally or rarely review privacy, security or risk management budgets (40% said they never do).
• 55% said boards occasionally or rarely approve roles and responsibilities for privacy officers (28% never do).
• 56% occasionally or rarely review top-level security and privacy policies (23% never do).
• 62% occasionally or rarely receive reports from senior management on risk (15% never do).
Source: Techtarget


With people being scared on the job, now is a good time to review policies, plans, procedures, controls, technology, and security risk over the entire enterprise. Are you sure you are shutting down accounts when an employee leaves or is fired? Are you sure you got all the access points when dealing with a laid-off technology worker? Have you made sure that there is no illegal remote access software that the employee has installed? Are you sure you have all the passwords and access to all their critical files? Controls and technology can help here, as can making sure that there are good policies in place so that if something goes wrong, people know what to do and who to report it to.

Making sure that all the bases are covered, and that the company is adequately addressing risk, is the board's job. The technology risk that companies take is just as important as any other kind of risk, if not more important. The reason why it would be more important is that a technology risk that can be exploited usually can be cascaded through the enterprise, allowing access to more than one system, or more than one database of data.

About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.


