New threats and vulnerabilities emerge continually as organizations try to achieve more with both existing and new infrastructure. Resources need to be allocated in a manner that is cost-effective and efficient while keeping risk within limits the organization can accept. The importance of developing a comprehensive risk management strategy to address the many threats and vulnerabilities facing information technology today cannot be overemphasized (VeriSign, n.d.).
Risk management is a process that usually begins with a risk management statement and a security plan, which together feed the determination of acceptable risk levels. Applying industry standards such as ISO/IEC 17799 and BS 7799-2 also contributes significantly to risk identification and helps ensure that industry best practices are followed when deploying information technology systems (VeriSign, n.d.). Information security should be viewed as a core component of any organization's basic business processes.
Risk management is therefore indispensable to implementing a comprehensive information security framework. Security breaches are ultimately the result of risks that arise in the day-to-day management and operation of a business, and the form in which information is stored has a great influence on the risks an organization is exposed to. Organizations across the world now store data electronically, which has both increased and diversified their risk exposure.
According to John Petrie, head of information security at Harland Clarke, the top three priorities for the check-printing company were: making the most of enterprise-wide methods of quality assurance; aligning security and risk mitigation processes with the organization's strategy and goals; and incorporating risk management practices into the daily activities of Harland Clarke's employees (Brandel, 2007).
One interesting aspect of Harland Clarke's risk management deployment was that, to reflect the new role of security within the organization, the associated security roles and changes were incorporated into the company's organizational chart. Security had previously been managed by the CIO and plant managers. To reflect the new perspective, a chief security officer was brought in to take charge of incident management and physical security (Brandel, 2007). This step fundamentally changed how security was viewed within the organization.
Another notable aspect of Harland Clarke's information risk management policy was the scheduling of annual and monthly vulnerability reviews across the entire organization, which ensured that new developments in the business process could be incorporated into the security framework. The company carried these out in collaboration with Verizon Business, which provides recommendations based on Harland Clarke's decisions. According to Petrie, Harland Clarke operates on the principle that risk is not finite and is determined by the level of risk the business itself is willing to accept (Brandel, 2007).
The Harland Clarke case is particularly interesting because the organization made a conscious effort to develop a strategy built on repeatable, auditable and measurable processes, using ISO/IEC 17799 (since renumbered ISO/IEC 27002) together with ISO/IEC 27001. The standard served as a baseline and yardstick for managing and optimizing its security posture and budget. It covers several aspects of an organization, including physical and environmental security, communications and operations management, system access control, and compliance.
These domains were also guided by governance frameworks such as COBIT and by regulations of the Federal Financial Institutions Examination Council (FFIEC) (Brandel, 2007). To build an effective risk management framework, Harland Clarke had to identify its threats and vulnerabilities and determine which levels of risk were acceptable to the organization. The outcomes of the business impact analysis and the vulnerability review were fed into an annual risk matrix comprising 20 risk areas.
This information was forwarded to management to support informed and effective decision making; management is responsible for the final decision on what levels of risk are acceptable to the organization (Brandel, 2007). Security should be an integral facet of the business itself and should be implemented through key performance indicators built around existing business goals and organizational objectives. Risk management is not a static process but a continuous one that must be revisited and re-modeled as the organization's requirements and needs change (Brandel, 2007).
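The annual risk matrix described above can be made concrete with the qualitative likelihood-by-impact matrix from the NIST guide cited below (Stoneburner, Goguen, & Feringa, 2002, Section 3.7), where a likelihood weight (High 1.0, Medium 0.5, Low 0.1) is multiplied by an impact weight (High 100, Medium 50, Low 10) and the product is banded into High, Medium or Low. The following Python is an added illustration, not code from the cited sources or from Harland Clarke; the register entries, risk area names and the `appetite` parameter are constructed for the example, and the point it shows is that management's acceptance level, not the scoring, decides which areas go back for a treatment decision.

```python
"""Risk-matrix scoring with a management-set acceptance level.

Added example; ratings follow the NIST SP 800-30 (2002) qualitative matrix.
The risk register below is constructed for illustration only.
"""
from dataclasses import dataclass

# NIST SP 800-30 likelihood and impact weights.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Risk:
    area: str         # risk area from the annual review (constructed names)
    threat: str
    likelihood: str   # "High" | "Medium" | "Low", from the vulnerability review
    impact: str       # "High" | "Medium" | "Low", from the business impact analysis


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the likelihood and impact weights, ranging from 1 to 100."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(likelihood: str, impact: str) -> str:
    """Band the score: High (>50), Medium (>10 to 50), Low (1 to 10)."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix(register, appetite):
    """Return (area, level, needs_decision) rows, highest risk first.

    needs_decision is True when the level exceeds the acceptance level
    ('appetite') that management has set; those rows go back to management
    to be treated, transferred or formally accepted.
    """
    rows = []
    for r in register:
        level = risk_level(r.likelihood, r.impact)
        rows.append((r.area, level, RANK[level] > RANK[appetite]))
    return sorted(rows, key=lambda row: -RANK[row[1]])


def treatment_queue(register, appetite):
    """Risk areas that exceed management's acceptance level, highest first."""
    return [area for area, _level, needs in build_matrix(register, appetite) if needs]


# Constructed register; not Harland Clarke's actual 20 risk areas.
SAMPLE_REGISTER = [
    Risk("Physical security", "Unescorted visitors on the print floor", "Medium", "High"),
    Risk("System access control", "Shared administrator accounts on print servers", "High", "High"),
    Risk("Operations management", "Backup restores never tested", "Medium", "Medium"),
    Risk("Environmental security", "Single power feed to the data centre", "Low", "High"),
    Risk("Compliance", "FFIEC examination evidence collected late", "Low", "Low"),
]

if __name__ == "__main__":
    # Same register, two different management decisions on acceptable risk.
    for appetite in ("Low", "Medium"):
        print(f"Acceptance level: {appetite}")
        for area, level, needs in build_matrix(SAMPLE_REGISTER, appetite):
            print(f"  {area:24} {level:6} {'DECIDE' if needs else 'accept'}")
```

Re-running `build_matrix` after each monthly or annual review, with the same register and an unchanged `appetite`, is what makes the process repeatable and auditable: only changes in the review inputs or in management's stated acceptance level can move an area in or out of the treatment queue.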
According to the National Institute of Standards and Technology (NIST), the overall aim of an organization's risk management process is to provide an effective means of fulfilling the organization's mission. The strategy extends well beyond the protection of IT assets and should be treated as an essential management function of the organization rather than a purely technical task for the IT and security departments (Stoneburner, Goguen, & Feringa, 2002). If security principles are modeled around business objectives, organizations will come to incorporate security as a core component of their corporate culture.
This brings long-term rewards from which most organizations will benefit for years to come.

References

Brandel, M. (2007, October 16). Harland Clarke Rechecks Risk Management. CSO Security & Risk. Retrieved May 18, 2009, from www.csoonline.com

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30). Falls Church, US: National Institute of Standards & Technology.

VeriSign. (n.d.). Information Security and Risk Management. Retrieved May 18, 2009, from http://www.verisign.co.uk/managed-security-services/enterprise-security-info/vulnerability-management/