Ron's comment asking "if it's all about risk why do we call it Information Risk Management" has certainly made me think...
It's all very well for "security thinkers" to tell you all about all kinds of weird and wonderful threats to your information and "security vendors" to tell you that their "UberAntiDoodarThreatNeutraliser" will rid you of them but where should you start? What practical steps can you take now to improve your security posture?
Whatever it is that makes you money the chances are that it relies upon decisions being made based on information. The mandate of Information Security of course is to ensure that accurate information is available as quickly as possible. As I typed the last line I nearly included "...to the right people" but of course that's part of the role of Information Security 🙂
What information is valuable to your business? Many people question whether their business has information worth stealing. I've often heard "we just make widgets, we're not a bank or government, who'd bother attacking us?"
WHAT ARE INFORMATION ASSETS?
WHO you sell WHAT to and HOW much you charge is likely to be of interest to your competitors and those who may wish to enter the market. The names of the highly skilled people in your company are likely to be of interest to those who may wish to recruit them to work for a rival company.
The designs of existing products and plans for future products represent high value information assets.
Believe it or not both your old designs and any fault tracking databases including help desk calls can also be highly sought after information assets that could be used by a rival to help them avoid the same mistakes as you.
All of the items listed above represent possible information assets. You need to consider the impact of such information falling into the wrong hands and use this to write (or update) your information security policy which should define WHAT SHOULD HAPPEN and identify security controls to mitigate the threats of exposure. You also need to consider the impact of information assets not being available and write (or update) your business continuity plan accordingly.
Of course there are an ever growing number of legal requirements that you'll also have to comply to including HIPPA, SOX and possibly SB1386 each of which require you to implement effective corporate governance.
HOW DOES RISK PLAY A PART?
Our security policy should state the ways in which information SHOULD flow into and out of our organisation. The policy should include statements specifying the security controls to be used to mitigate the RISK of information exposure. Clearly it's only worth expending a certain amount of effort (time and / or money) to protect an asset relative to it's value and the risk of it being exposed. Keeping on top of the likely threats at a point in time and the level of effectiveness of current controls relative to the threats (and the current value of the assets) is what information security is all about.
I'll drill into each of these areas in further blog posts.