The growing complexity of today's interconnected systems has not only increased the need for improved information security, but also helped to move information from the IT backroom to the executive boardroom as a strategic asset. And, just like the tip of an iceberg is all you see until you run into it, the risks to your information are mostly invisible until disaster strikes.
Detailing procedures to help your team perform better risk assessments and aggregate results into more meaningful metrics, Practical Risk Management for the CIO approaches information risk management through improvements to information management and information security. It provides easy-to-follow guidance on how to effectively manage the flow of information and incorporate both service delivery and reliability.
- Explains why every CIO should be managing his or her information differently
- Provides time-tested risk ranking strategies
- Considers information security strategy standards such as NIST, FISMA, PCI, SP 800, and ISO 17799
- Supplies steps for managing: information flow, classification, controlled vocabularies, life cycle, and data leakage
- Describes how to put it all together into a complete information risk management framework

Information is one of your most valuable assets. If you aren't on the constant lookout for better ways to manage it, your organization will inevitably suffer. Clarifying common misunderstandings about the risks in cyberspace, this book provides the foundation required to make more informed decisions and effectively manage, protect, and deliver information to your organization and its constituents.
Mark Scherling (M3P Consulting Inc., Victoria, British Columbia, Canada)
27 September 2018
Introduction: Why Risk Management? Liability Personal Data Disclosed or Stolen Intellectual Property Lost or Stolen Wrong Decisions Made Liability Risks Service Delivery Transaction Centric Information Centric Risks to Service Delivery Risks to the CIO

PRINCIPLES AND CONCEPTS
Overview Market Risks Budget Risks People Risks Technology Risks Operational Risks Information Risks Control Risks Detection Risks Risk Treatment Basic Concepts, Principles, and Practices Concepts Risk IT Framework Principles ISO 31000 Risk Management Principles Other Risk Management Principles Summary: Risk Management and Risk IT Principles Information Security Principles Accountability Principle Awareness Principle Ethics Principle Multidisciplinary Principle Proportionality Principle Integration Principle Timeliness Principle Assessment Principle Equity Principle Information Management Principles Value Life Cycle Reuse Proliferates Quickly Dependencies Principles Risk Assessment, Analysis, and Procedures Making Decisions: Fact or Fiction? How Do You Decide? Confidence Ranking Process Facts Calculations Estimations Guesses Risk Management Starts with the Individual Managing Risky People Risk Management Profiling and Risk Culture Measuring Risks or Uncertainty How to Measure Risks Identify the Risk Consensus of the Risk Analysis of Risk Mitigate the Risk Monitor the Risk Reassess the Risk Performing a Risk Assessment Team or Committee Selection Step 1: Define Parameters Taxonomy of Risk Types Scope, Time Frame, Complexity, and Stakeholders Step 2: Identify Risks and Impacts Step 3: Consensus of Risks and Impacts Step 4: Risks and Impacts Analysis Step 5: Prioritize Risks and Impacts Step 6: Review Existing Controls Step 7: Risks and Impacts Mitigation Analysis Step 8: Costing, Prioritization, and Decisions Step 9: Implementation Step 10: Review Metrics User Experienced Metrics Best Practices Principles and Concepts: Section Summary

Part II: SERVICE DELIVERY
Product Management Products You Deliver as a CIO Information Delivery: How Information Flows in Your Organization Organizing IT for Information Delivery, Management, and Protection Process Management Project Management Projects Risk Ranking Vulnerability Scanning Reporting IT Service Management Opportunity Capacity Reporting on Service Delivery Service Delivery: Section Summary

LIABILITIES MANAGEMENT
Information Management The Value of Information Classify Your Information: Value and Categories Value/Sensitivity of Information Categories of Information Controlled Vocabulary, Taxonomies, Keywords, and Search Controlled Vocabularies Summary Identify Information Assets Information Has a Life Cycle Database Information Life Cycle Information Flows Information Flow Analysis Information Management Strategy Designing Information Management across Large Organizations Steps to Better Information Management Information Protection Security Controls Essential Controls Personnel (Includes Management and Operations) Technology Information Ingress Egress Database Security and Monitoring Defense in Depth Audit and Compliance Documentation Information Security Architecture Reporting on Information Security FISMA, NIST, and FIPS Why What Specifications for Minimum Security Requirements How Payment Card Industry Data Security Standard Analysis of Good Information Security Practices Employee, Hacker, Insider, or Outsider Insiders Employees Partners Contractors Outsourced Insider Threats Insider Controls Outsiders General Public Hackers Customers, Clients, Others Outsider Threats Outsider Controls Data Loss Prevention/Information Knowledge Leakage Database Solutions Network and End-Point Solutions Portable Device Control Defining the Risk Deploying DLP Solutions Paper: Print, Keep, Shred E-Discovery Rules and Obligations Standard of Proof E-Discovery Process Information Management Collection and Preservation Production Presentation Summary of E-Discovery Privacy Policies and Procedures Writing Good Policies Communicating Policy Enforcing Policy Writing Good Procedures Following Procedures Next-Generation Policies and Procedures Planning for Big Failures or Business Continuity Business Resilience and Redundancy Business Continuity Management Liabilities Management: Section Summary

PUTTING IT ALL TOGETHER
Designing a Risk Management Strategy External Factors Organization Structure Identify Assets Compliance Requirements Risk Management Profiles Risk Culture Governance Risk Management Strategy for Service Delivery Risk Management Strategy for Liabilities Consolidated Risk Management Strategy Risk Management Framework: Outline Maintain Risk Management Program Resourcing a Risk Management Program Forward-Looking Risk Management Preparing for a Black Swan Conclusion

Appendices: OECD Privacy Principles Project Profiling Risk Assessment Risk Impact Scales Classification Schema
Bibliography
Index
Mark Scherling, CISSP, CRM, has been working in IT for over 30 years. For the past four years, he has been managing information security and privacy for the Justice Sector in the Government of British Columbia (Canada). Prior to the Justice Sector, he managed the Information Security Investigations Unit for the entire BC government. He has designed and implemented public key infrastructure (PKI) and security solutions for numerous clients. He is considered a Subject Matter Expert in Risk Management and Information Security by the Information Systems Audit and Control Association (ISACA). He contributed to the Risk IT Framework and Certification in Risk and Information Systems (CRISC), a new ISACA Certification. He is viewed as a Security and Risk Management Expert by many people within and associated with the Government of British Columbia. His background includes sales, marketing, and information management. In the mid-1990s, he was instrumental in developing and implementing the Canadian Department of National Defence Intranet (the DIN). He has significant experience in information and knowledge management. He combines this expertise with information protection to create an information risk management strategy for Chief Information Officers (CIOs). He has been part of the evolution of information technology (IT) from Digital Equipment's VAXes and PDP-11s to mobile computing, the Internet, and cloud computing. The interconnected world we now live in holds exciting promise to link people, computers, applications, and information. There are risks when we link everything together and share information. Organizations are always trying to reduce costs and improve customer relations. Mark has been involved in information security for over 13 years and has oriented his approach from simple information security to risk management strategies. As the Internet continues to evolve, so evolves information security and risk management.
The reality is that we need better ways of managing risks to our information and services. His approach to risk is more holistic, considering not just liabilities but also service delivery, because information is one of our most important assets.
Reviews for Practical Risk Management for the CIO
This is an exceptionally well-written primer for anyone responsible for corporate information risk management. ... It's obvious that the author has regularly encountered and solved the problems he describes in the course of his three decades in Canadian government and justice IT, and he has an appealing no-nonsense approach. ...the true greatest strength of this book is its holistic viewpoint - all too rare and much appreciated - that demonstrates how all the disparate aspects of information management actually fit together to create a robust business asset base. I can unhesitatingly recommend it, not only to CIOs but also to anyone tasked with protecting corporate information assets, whatever the level of their role. It imparts understanding, which is vastly more useful than mere facts. An excellent holistic primer on corporate information management. The author's credentials are fully justified by the clear, concise and informative text. A must-have for CIOs and anyone else managing business information assets. -Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, September 2011