
2.2 Information Security Risk Management Principles

This section focuses on information security risk management principles. This is where we look at some of the philosophical underpinnings of an information security risk management approach. The principles shape the nature of risk management activities and provide the basis for the evaluation process. We group principles into the following three areas:

  1. Information Security Risk Evaluation Principles: key aspects that form the foundation of an effective information security risk evaluation

  2. Risk Management Principles:[1] basic principles common to effective risk management practices

    [1] These principles are similar in scope and intent to those documented in the Continuous Risk Management Guidebook [Dorofee 96].

  3. Organizational and Cultural Principles:[1] aspects of the organization and its culture essential to the successful management of information security risks

The ten information security risk management principles, shown graphically in Figure 2-1, are discussed in turn in the next section.

Figure 2-1. Information Security Risk Management Principles


2.2.1 Information Security Risk Evaluation Principles

We begin our examination of principles by focusing on the concepts that drive information security risk evaluations. This category includes the following four principles:

  1. Self-direction

  2. Adaptable measures

  3. Defined process

  4. Foundation for a continuous process

These principles provide the foundation for a successful evaluation. They focus on the roles of organizational personnel, key aspects of the process, and the link to ongoing security improvement activities. The first principle that we look at is self-direction.

Self-Direction

Self-direction describes a situation in which certain people in an organization manage and direct information security risk evaluations for that organization. These people are responsible for directing the risk management activities and for making decisions about the organization's security efforts. This approach allows the evaluation to consider the organization's unique circumstances and context. Self-direction requires

  • Taking responsibility for information security by leading the information security risk evaluation and managing the evaluation process

  • Making the final decisions about the organization's security efforts, including which improvements and actions to implement

Adaptable Measures

A flexible evaluation process can adapt to changing technology and advancements. It is not constrained by a rigid model of current sources of threats or by what practices are currently accepted as "best." Because the information security and information technology domains change very rapidly, an adaptable set of measures against which an organization and its unique context can be evaluated is essential. Adaptable measures require

  • Current catalogs of information that define accepted security practices, known sources of threat, and known technological weaknesses (vulnerabilities)

  • An evaluation process that can accommodate changes to the catalogs of information

Defined Process

A defined process describes the need for information security evaluation programs to rely upon defined and standardized evaluation procedures. Using a defined evaluation process can help to institutionalize the process, ensuring some level of consistency in the application of the evaluation. A defined process requires

  • Assigning responsibilities for conducting the evaluation

  • Defining all evaluation activities

  • Specifying all tools, worksheets, and catalogs of information required by the evaluation

  • Creating a common format for documenting the evaluation results

Foundation for a Continuous Process

An organization must implement practice-based security strategies and plans to improve its security posture over time. By implementing these practice-based solutions, an organization can start institutionalizing good security practices, making them part of the way the organization routinely conducts business. Security improvement is a continuous process, and the results of an information security risk evaluation provide the foundation for continuous improvement, which requires

  • Identifying information security risks using a defined evaluation process

  • Implementing the results of information security risk evaluations

  • Setting up the ability to manage information security risks over time

  • Implementing security strategies and plans that incorporate a practice-based approach to security improvement

2.2.2 Risk Management Principles

Now that we have presented the information security risk evaluation principles, we broaden our focus to risk management. The principles in this category are common to general risk management practices; they are not unique to information security. We first identified these principles when we were developing risk management techniques for software development projects [Dorofee 96]. This category includes the following three principles:

  1. Forward-looking view

  2. Focus on the critical few

  3. Integrated management

Forward-Looking View

A forward-looking view requires an organization's personnel to look beyond the current problems by focusing on risks to the organization's most critical assets. The focus is on managing uncertainty by exploring the interrelationships among assets, threats, and vulnerabilities and examining the resulting impact on the organization's mission and business objectives. A forward-looking view requires thinking about tomorrow, focusing on managing the uncertainty presented by a range of risks. It also requires managing organizational resources and activities by incorporating the uncertainty presented by information security risks.

Focus on the Critical Few

This principle requires the organization to focus on the most critical information security issues. Every organization faces constraints on the number of staff members and funding that can be used for information security activities. Thus, the organization must ensure that it is applying its resources efficiently, both during an information security risk evaluation and afterwards. A focus on the critical few requires (1) using targeted data collection to collect information about security risks and (2) identifying the organization's most critical assets and selecting security practices to protect those assets.

Integrated Management

This principle requires that security policies and strategies be consistent with organizational policies and strategies. The organization's management proactively considers trade-offs among business and security issues when creating policy, striking a balance between business and security goals. Integrated management means (1) incorporating information security issues into the organization's business processes and (2) considering business strategies and goals when creating and revising information security strategies and policies.

2.2.3 Organizational and Cultural Principles

The final type of principle that we will examine is the broadest of all: organizational and cultural principles. Like the risk management principles, these are not unique to the information security domain. Organizational and cultural principles help to create an organizational culture conducive to effective risk management. From our experience, if these principles are not part of the way an organization conducts business, many issues will go unnoticed. People will not communicate key risks, nor will they work together to address them. Since information security is such a complex discipline, it spans the entire organization. Implementing these principles is essential to create an environment that supports an open exchange of ideas. Those organizations that are unsuccessful in implementing a risk management approach often fail because they violate these principles. This category includes the following three principles:

  1. Open communication

  2. Global perspective

  3. Teamwork

Open Communication

One of the most important principles, open communication, is also the most difficult to implement. Yet information security risk management cannot succeed without open communication of security-related issues. Information security risks cannot be addressed if they aren't communicated to and understood by the organization's decision makers. A fundamental concept behind most successful risk management programs is a culture that supports open communication of risk information through a collaborative evaluation approach. Often, evaluation methods provide staff members with ways of expressing issues so that the information is not attributed to them, allowing for a free expression of ideas. Open communication involves three aspects:

  1. Developing evaluation activities that are built upon collaborative approaches (e.g., workshops)

  2. Encouraging exchanges of security and risk information among all levels of an organization

  3. Using consensus-based processes that value the individual voice

Global Perspective

This principle requires members of the organization to create a common view of what is most important to the organization. Individual perspectives pertaining to information security risk are solicited and then consolidated to form a global picture of the information security risks with which the organization must deal. Such a global perspective means (1) identifying the multiple perspectives of information security risk that exist in the organization and (2) viewing information security risk within the larger context of the organization's mission and business objectives.

Teamwork

No individual can understand all of the information security issues facing an organization. As noted, information security risk management requires an interdisciplinary approach, including both business and information technology perspectives. The teamwork involved requires

  • Creating an interdisciplinary team to lead the evaluation

  • Knowing when to include additional perspectives in the evaluation activities

  • Working cooperatively to complete evaluation activities

  • Leveraging people's talents, skills, and knowledge

The principles defined in this section are broad concepts that form the foundation for information security risk evaluation activities. The next section explores how these concepts can be implemented in an information security risk evaluation approach by focusing on information security risk evaluation attributes.
