Risk Management – Everyone Needs a Seat at the Table
In the security world there’s a common saying that compliance isn’t security and security isn’t compliance. I believe what gets missed in this saying is the role proper risk assessments and risk management play in marrying up security and compliance.
The information technology field includes a myriad of mandatory compliance regulations and frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), etc. There are also numerous voluntary and best practices frameworks such as the CIS Critical Security Controls, System and Organization Controls (SOC), and Health Information Trust Alliance Common Security Framework (HITRUST CSF). The purpose of these frameworks is to clearly define security requirements and controls to allow organizations to structure their security program around the standard. However, security standards aren’t always that easy to understand (for example, PCI DSS is comprised of up 139 pages of information that needs to be complied with). It is unreasonable to expect everyone to understand even a single security standard, so a dedicated person or group is usually responsible for compliance in complex environments. Similarly, the technical configuration and execution of security activities like patching, system hardening, identity and access management, firewall configuration, and event log management require specialized knowledge that someone focused on compliance may not have.
As an auditor, when I assess a security program there are two common ways companies assign responsibility for compliance and security that can lead to issues: IT being responsible for all aspects of information security and compliance; or to assume that security is guaranteed by having a compliance program. Both approaches ignore that information security must be aligned to requirements, business objectives, and assets. Security controls and tools can’t operate in a vacuum and won’t be effective unless the business has a clear understanding of how to identify and manage risks.
An information security program should require a risk assessment be performed periodically and most security control frameworks require one like these:
PCI DSS | 12.2 |
HIPAA | 45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii) |
SOX | 404(a) |
SOC | COSO Principle 6 |
Although most organizations would say they use a risk-based approach towards IT, security, and business objectives, it is rare to see a risk assessment and management program that has been formally defined and documented with results that influence business decisions outside of highly regulated areas, like banking.
The key to risk assessments is to include compliance objectives, business objectives, and business units in the process. All departments should contribute to a risk assessment by asking, “What is something you worry about happening or currently happens in my department that negatively impacts the business?” Some areas such as IT and security will have more input in the risk assessment process but framing risk discussions like this allows everyone to contribute to the process instead of getting overwhelmed by jargon. Identifying these risks and then making a business decision to prioritize mitigations and remediations influenced by compliance requirements, IT capabilities and safeguards, and business needs is the core of risk-based decision making.
Once a list of risks has been created and prioritized, the risk management function is achieved by defining who owns risks and how often the risks and remediation plans should be reviewed. There are many approaches and entire books written about risk, but if risk is positioned as a business decision made by gathering inputs from all stakeholders, it can be a valuable tool and more than just a compliance activity done to meet a control. Want to learn more about developing or enhancing a comprehensive risk management program? Our team of Risk Management Experts are available to answer any questions you may have. Contact us today to discuss your unique situation!
Contact Us
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think