Information Risk Treatment
Risk treatment is the process of selecting and implementing actions that are to be taken to address identified risks to information assets. The output of the risk matrix will determine the actions to be taken by way of risk treatment. As the elimination of risk is impracticable, the least expensive and most effective approach has to be used in treating identified risks. Risk treatment involves identifying a range of options to reduce the consequences and/or likelihood of an identified risk and there are a number of treatments which include avoidance, transference, mitigation or acceptance.
Some information risks are not worth taking in the first place and where that is the case, the best action is to avoid them altogether. Avoidance is the risk control action that prevents the exploitation of vulnerability and can be achieved by removing vulnerabilities in information assets and limiting access to assets. Avoidance of risk can be effected through three methods – application of policy, training/awareness and application of technology. Risk avoidance through application of policy allows management to mandate that certain procedures should always be followed or specific actions should be taken by system users. An example is a clause in a corporate security policy stating that users of personal computers should not install unauthorised software. This should work to reduce the risk of unauthorised software infecting an organisation’s information system.
Whenever new technological systems are installed, awareness and training should be given to potential users to ensure that they use the system in a safe manner and do not put corporate information assets at risk. With the rapid changes in information technology and their uses, training on new systems should not be a one-off process but should be refreshed regularly so that staff remain up-to-date in the use of such systems. On-going technical support should be built into the awareness programme so that users are continuously supported in the use of systems. Apart from risk to information assets, failure to train staff in the use of IT systems may result in productivity falling and business operations being disrupted. The application of appropriate technology could have the effect of avoiding risks to corporate information assets. An example is the use of one-time passwords as these are valid for only one login session or transaction. One-time passwords help to avoid the risks associated with the use of traditional passwords such as replay attacks.
Risk transference is the process of shifting any losses incurred as a result of the risk to a third party. Although risks can be transferred in a number of ways, a typical method of transfer is the use of an insurance policy. The insurance policy does not alter the threat or likelihood of the risk occurring but simply reduces the impact that the risk has on the organisation. The impact of the risk cannot be completely removed from the organisation but is instead shared between the organisation and the insurance company. Another method of transferring risk is to outsource the relevant activities to a third party. Outsourced activities are not normally the core business of the outsourcing organisation and may include back-office functions such as payroll, human resources and data entry.
A key element of modern-day outsourcing is business process outsourcing which encompasses call centre outsourcing, human resources, finance and accounting outsourcing. Although outsourcing allows an organisation to transfer the risk associated with the management of its information systems to another, it is not without its own risks. In recognition of the risk of outsourcing, Kumar warns that before organisations decide to outsource, they should give due consideration to these risks. Organisations that outsource need to ensure that service level agreements with their service provider address information privacy and security. Key features of such service agreements should be disaster recovery plans and business continuity plans. A disaster recovery plan should identify the processes that have been put in place to limit losses before/during disasters and recover from any information incident. A business continuity plan should highlight the steps necessary to ensure the continuation of the organisation when disaster occurs that affects outsourced information assets.
Mitigation is the process of taking steps to reduce the negative effect on the organisation caused by the exploitation of a vulnerability. There are three possible ways of reducing risk to corporate information assets – by reducing the threat, reducing the vulnerability or reducing the impact. In order to reduce the threat to information assets, the threat source first has to be identified. An effective method of reducing threat is by removing/preventing the threat source. An example is a malicious insider who accesses and changes information on systems without authorisation: denying that person access to such systems, or terminating their employment, will prevent that threat. The vulnerability of such systems can be easily reduced by disabling the access login of the employee on termination or tightening the security setting of the system if the individual is still an employee of the organisation. The business impact can be reduced by effective mitigating actions through the implementation of appropriate controls.
There are three main categories of control that can be used to reduce the impact of identified information risks in an organisation – administrative controls, physical controls and logical controls.
Administrative controls, often referred to as procedural controls, make up the framework used in running a business and managing the people involved. They comprise approved policies, procedures, standards and guidelines. They inform staff how the business is to be run and how business operations are to be conducted. Administrative controls form the basis for the selection and implementation of physical and logical controls. Some sectors such as the health sector have specific standards and guidelines that must be followed by organisations within the sector. All health organisations, for example, have to adhere to the NHS Code of Confidentiality and the NHS Information Security Code of Practice.
Physical controls work to monitor and restrict the workplace by ensuring that only authorised persons have access to workplace facilities. They address the design, implementation and maintenance of countermeasures that protect the physical resources of an organisation. Physical controls work to protect the people, systems, hardware and the resources associated with corporate information assets. Most physical control devices are aimed at restricting the movement of people as well as safeguarding information assets within the workplace, and include smartcards, which are used for controlling access to locked rooms and information system resources. Apart from physical access control of information assets, another key aspect of physical control is the prevention of physical interception of data. The three methods of data interception – direct observation, interception of data transmission and electromagnetic interception – must be effectively controlled to ensure risk mitigation.
Logical controls, also referred to as technical controls, are the use of software to monitor and control access to information and computer systems. Although some logical controls, such as passwords, can be easily circumvented, a number of them are quite robust and difficult to break. Encryption, for example, which is used to protect data in transit such as data transferred via networks and mobile telephones, transforms data to make it unintelligible to anyone without the decryption key. The process of encryption can also be used to protect data at rest such as files in computers and storage devices. Risks such as loss of personal information through the theft of laptops or memory sticks can be controlled through the use of encryption technologies. An important aspect of logical control is the principle of least privilege, which requires that an individual or program is not granted any more access privilege than is necessary to perform the task at hand.
Even after the different types of control – administrative, physical and logical – have been implemented, there is normally still some risk that cannot be completely removed and this is referred to as residual risk. Residual risk is the risk that remains after all attempts have been made to counter, mitigate or eliminate known information risks in an organisation. According to Whitman and Mattord, the goal of information risk management is not to bring residual risk to a point of zero but to ensure that residual risk is in line with an organisation’s risk appetite. Where residual risk is below the acceptable level, no action needs to be taken but where it is above acceptable risk then additional controls need to be used to mitigate those risks. If the residual risk is above the acceptable level and the cost of decreasing such risks would be higher than the impact, a prudent action in the circumstance would be to accept the residual risk.
When an organisation accepts identified risks after they have been evaluated, it simply acknowledges that the risks exist but does not take any action to mitigate them. Risk acceptance is, therefore, about making cost-effective decisions about resource investment. The use of this strategy would normally occur after an organisation has assessed the probability of the attack, estimated the potential impact, performed a cost/benefit analysis and decided that the assets did not justify the cost of protection. When mitigating risks to information assets, organisations have to decide the level of risk they are willing to operate with and this is referred to as the risk appetite of the organisation. Risk appetite is the nature and level of risk that an organisation is willing to accept as a balance between achieving extreme security and enjoying accessibility. It is an indication of the extent to which an organisation is willing to take risk in order to meet its strategic goals.
Every organisation has an appetite for some types of risk while being averse to others, and this depends on the nature of the assets and their role in the organisation. Organisations should clearly identify their risk appetite in order to provide some guidance to their staff on the level of risk permitted so that there is consistency of approach in the organisation. The importance of risk appetite in the risk management process has been highlighted by the UK Corporate Governance Code which states that “the board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives”.
Risk communication is a two-way process between the various stakeholders about the existence, nature, form, severity or acceptability of identified risks. It is the process of making asset stakeholders aware of the risk assessment, analysis and treatment processes that have been undertaken, as well as their outcome. The communication process should work to improve stakeholders’ understanding of identified risks and the steps taken to address them. Risk communication is essential as it helps to achieve consensus among the stakeholders on the appropriate method to be used to manage identified risks and the acceptable level of risk. Effective communication should be used to disseminate the result of the risk assessment and present the risk treatment plan to stakeholders as they are the group that will implement the plan. Risk communication documents should aim at giving stakeholders and decision makers a sense of responsibility in agreed risk treatment methods.
Monitoring and Reviewing Risks
All identified risks and their components such as threats, vulnerabilities, probability of occurrence and consequences should be monitored on an on-going basis. Such monitoring is necessary to ensure that new threats that are brought about by changes in the organisation are identified. Regular reviews of risk factors are used to verify that the criteria utilised in measuring the risk remain consistent with the business goals. During monitoring, steps should be taken to ensure that identified risk response measures have been completely and correctly implemented. Failure to implement agreed controls may result in the breach of corporate information-related policies/procedures and regulatory requirements. Where implemented risk response measures fail to achieve the desired level of effectiveness, the likelihood is that the controls have either not been correctly implemented or they are not functioning as expected.
Monitoring and reviewing the risk factors as well as controls enable the organisation to identify changes to information processes, systems and the environment in which information assets are handled. New types of risk can arise with changes to information systems such as software, hardware and infrastructure. Changes in information processing environments may change existing risks or introduce a new set of information risks. An example is where an organisation decides to outsource some of its services to a third party. This single act may require the organisation to revisit its underlying risk assumptions as there would be drastic changes to its threat, vulnerabilities and likelihood identification processes. The frequency of risk monitoring and review is normally determined by the impact of the risk if not properly controlled and the level of change to the organisation’s information, systems and infrastructure.
Every organisation, private and public, is experiencing some form of information risk as data has become the lifeblood of organisations worldwide. With the ever-growing use of information, systems and networks come potential threats and risks to corporate information assets. The current globalisation of business processes has brought about an ever-increasing generation of data and this makes effective information risk management crucial. There is now a growing need for corporate bodies to meet legal and regulatory requirements in the area of personal information processing with the result that the classification of information has become the key to the effective protection of person-identifiable information. In order to ensure the continued confidentiality, integrity and availability of information, organisations are required to identify, assess and effectively treat risks to their information assets. As the requirement to manage corporate information assets improves in profile, discussions on risks associated with IT failure are now finding their way to the boardroom. Organisations are now having to take positive steps to protect their information assets as the value of corporate information is directly linked to the success of business operations.
Nayak Kumar, IT Risk Management Program: Managing Risk in Organisations, Vol.2 (12) Dec. 2009, Advances in Management, 5
Department of Health, Information Security Management: NHS Code of Practice, 2007
Michael Whitman and Herbert Mattord, Principles of Information Security, Second Edition, 2005, Thomson Course Technology, 163
Thomas Longstaff, Clyde Chittister, Rich Pethia and Yacov Haimes, Are We Forgetting the Risks of Information Technology? Computer, Dec 2000, 44
Principle C.2, The UK Corporate Governance Code, June 2010
Stefan Fenz and Andreas Ekelhart recognise that human threats to information can exploit a vulnerability either deliberately or accidentally – Stefan Fenz and Andreas Ekelhart, Information Security Risk Management: In Which Security Solutions Is It Worth Investing? Vol 28, Art 22, May 2011, 336
Scot Laliberte, Risk Assessment for IT Security, August 2004, Bank Accounting & Finance, 39