Information Security is a specialised risk management function that supports the business to understand and manage security related risk. As a team they provide advice and help to design, implement and operate security controls to bring security risk into the businesses risk appetite or at least within risk tolerance. I will explore this statement throughout this article as it can be confusing to understand what this actually means.
The Information Security team often consists of differing specialisms to enable security management across diverse subject areas. The function is often perceived to be technical in providing IT/Cyber Security. Information Security is wider in scope and seeks to equally manage security risk relating to people and process in addition to technology. Through effective security risk management the team seek to enable (rather than block) the organisation to take advantage of opportunities. This is achieved through balancing risk and reward.
In NIST SP 800-59 Information Security is described as:
“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
The goal is to protect information and information systems to provide the three key components that make up the CIA triad. These are:
- Confidentiality
- Integrity
- Availability
Confidentiality
Access to information should be restricted to only those who need access to it. This protects information to ensure it is only accessable to those who have a need to know it as part of their role.
Consider the scenario
A long standing member of staff has worked across multiple departments / functions within the organisation. Their level of access has increased to allow for their new role but previous access has been retained. They have access to more information than they require and as a result pose a far greater risk to the organisation through both the malicious or accidental exposure of data.
Integrity
Assurance that information is accurate, and reliable. This protects against unauthorised modification of both data at rest (in storage) or in transit (in transport).
Consider the scenario
A member of the customer service team are involved in making payments to customers. A lack of adequate controls around making changes to customer bank details increases the risk of internal fraud on the customers account.
Availability
Information is available to authorised staff as and when they need it. This protects against destruction or loss of data and disruption to services.
Consider the scenario
The organisations systems are subject to an external Denial of Service attack. A lack of adequate controls leads to the systems being unavailable to customers at their point of need.
To help understand the initial statement its important to understand the fundamentals of risk and how it applies in the management of security risk.
Risk Management
Risk itself is defined by ISO as:
"The combination of the probability (likelihood) of an event and its consequence (impact)."
The definition of risk used within Information Security is often bias towards negative consequence. Risk management requires a more balanced view between security risk (CIA impact) and opportunity risk as risk itself can also be positive.
The fundamentals of risk management require an organisation to define its risk appetite. This is the amount of risk that an organisation is willing to accept. Risk is a balance between the positive opportunity (what could we gain) and the negative consequence (what could we lose). The level of appetite is determined using a risk matrix that is typically based on likelihood (expected frequency of event) and impact (often determined through categories such as finance, reputation, regulation). Appetite states that this is the level of risk we as an organisation are willing to operate at.
The level of acceptable appetite will vary considerably between organisations with those in heavily regulated areas often more adverse to taking risk. An organisation may set out that it has a low appetite for risk but there will be situations where it is willing to take higher levels of risk (tolerance) as this is justified by the potential reward. This risk tolerance is the level of variation management are willing to accept.
There is a limit to the level of risk tolerance that an organisation can take which is the risk capacity. This is the level of risk that can be tolerated without potentially compromising the existence of the organisation.
Managing Information Security Risk
The Information Security team perform risk assessments and provide advice / consultancy on how to effectively manage risk. The team articulate the security risk and advise on how it can be mitigated. This information supports management in making an informed decision balancing risk and reward in pursuit of the organisation’s goals. Where the level of risk being taken is above appetite an escalation process needs to be followed to ensure the risk is owned and effectively managed. The stakeholders involved in the escalation process should be expected to increase in seniority as the level of risk being taken increases.
For risk to be effectively managed it needs to be documented to ensure the organisations overall risk posture is understood. Failure to identify or acknowledge risk or its blind acceptance undermine efforts to manage risk and can lead to an organisation taking unjustified risks or even exceeding its capacity for risk.
Security risk needs to be considered in terms of both existing risk (current status) and emerging risk (future status). There will always but short to medium term challenges but its important to balance these out with longer term strategic planning to enable organisations to adopt new innovations securely and within appetite / tolerance.
Security Controls
Security controls are implemented to be able to bring security risk to a level acceptable by the organisation. Risk management does not require controls to be effective, it simply requires controls to manage risk sufficiently within an acceptable threshold.
The controls themselves need to be in proportion to the risk. Where the cost associated with the realised risk is less that the cost associated with implementing and operating the control this cost cannot be justified. A role in information security requires a level of pragmatism to design and implement controls that are proportionate to risk whilst allowing organisations to take advantage of new opportunities.
Lawrence Gordon and Martin Loeb are economists at the University of Maryland. They published a study on “The Economics of Information Security Investment” in 2002. In this they suggest that the optimal amount to spend on information security should never exceed 37% of the expected loss resulting from a security breach. As with anything in risk this is subjective but provides a potential guide as to what level of spend is considered proportionate in the management of security risk.
Security Resources
Information Security resources are often limited in both staff numbers and budget. This makes it important to understand where the greatest levels of security risk exist so that resources can be appropriately prioritised. This can be achieved through assessing the value of assets to identify their risk to the organisation. For each asset this process often involves associating a risk rating against each component of the CIA triad. This approach seeks to proportionately apply resources according to risk rather than attempting to protect all assets equally.
Hopefully this post has helped build your understanding of the fundamentals of Information Security as well as appreciate the wider dependency on risk management within the organisation.