20 Nov 08 - How do you reconcile your appetite for developing the appropriate risk management plan for your organisation against the mandated directives from the centre? Mandated directives from the centre serve to provide the minimum approach to risk to which organisations must adhere. Risk management plans are driven by these external constraints, as well as by the appetite for risk from within an organisation. Where the risk appetite is greater than that permitted by the external directives, i.e. an organisation is willing to accept higher levels of risk (for whatever reason), the risk management approach must take the direction of the mandated directives. Without a controlled baseline, organisations cannot have high assurance in the measures their peers have taken to treat risk. Where an organisation is unable to comply with the precise mechanisms detailed by the mandated measures, a case could be made for an acceptable deviation, but only after the provision of alternative controls and the acceptance of full liability. The risk of an organisation being unable to comply with mandated measures should be avoided, and alternative solutions must only be considered in partnership with the Central Sponsor for Information Assurance (CSIA).
20 Nov 08 - What is your view on attaining information security certification? Whereas compliance with an information security standard proves to an organisation that it has applied adequate and appropriate security controls, certification proves to external parties that compliance has been achieved. Certification is typically achieved when an organisation demonstrates to an accredited external certifying authority that it has complied with a particular standard, e.g. ISO 27001, during the management of its risks. If the certifying authority is content that security is upheld, it will issue a statement, or certificate, of compliance that can be presented to other organisations as evidence. For the greatest interoperability, it is therefore important to ensure the certifying authority is one that is independent, widely trusted and qualified to assess an implementation of the required security standard (the UK Accreditation Service (UKAS) provides such normalisation). The certification process provides a mechanism to verify that a standard has been correctly implemented and properly managed. However, before time and resources are spent gaining compliance and the potential "rubber stamp" of certification, the benefits of each should be evaluated against the business' objectives to determine whether value for money can be achieved.
20 Nov 08 - Within the culture of personal responsibility for data handling (where levels of information security are dependent on the objectives of the individual organisation), how is it possible for different organisations to have confidence in sharing information? Ensuring the security of information has always been of massive importance. However, with so many recent breaches, the sharing and transfer of data has become a large part of an organisation's risk management plan. The only way an organisation can have confidence, or assurance, in another organisation's ability to securely share information is by verifying that adequate controls have been correctly implemented. Clearly, one organisation is not going to let another scrutinise its 'inner workings' for itself. An external trusted authority is required to assess the measures put in place to manage risk against a given standard, and to provide a statement, or certificate, attesting that suitable controls are in place. Compliance with a widely known standard provides a baseline that all organisations can aim to achieve: a minimum standard that provides a certain level of assurance. Where different information has varying assurance requirements, an organisation can either choose to implement controls for each level required, or focus specifically on those which provide the highest level of assurance. The decision on what is most appropriate must be carefully considered and take into account the aims and objectives of the business, in addition to the risk management strategy.
20 Nov 08 - My organisation doesn't have a SIRO. Who should it be? The SIRO should be the representative at board level who understands the strategic business goals of the organisation and how these may be impacted by failure of information assets. The appointment at board level of an information risk 'champion' is critical, as it sends a clear message to the organisation that the ownership of information risk is considered a strategic responsibility in the same way that financial and legal risk to the business are. If in doubt, ask the Board or Chief Executive Officer (CEO). Note: the ultimate responsibility and accountability for information risk resides at Board level in an organisation.