Improving Your SME's Risk Management Techniques
Calling all IT managers. Do you know where your data is? Chances are, it just might be left in the back seat of a cab. In years of consulting with Wall Street clients, John Pironti, a board member of ITGI (IT Governance Institute) and chief strategist for Getronics (www.getronics.com), has learned that some of these security-obsessed financial giants lose as many as 10 BlackBerrys per day. A 2005 survey by CheckPoint Software (www.checkpoint.com) found more than 25,000 PDAs and laptops left in Chicago taxis over a six-month period. Many have unsecured, confidential data that, if in the wrong hands, could have significant adverse ramifications—a third of CheckPoint’s respondents don’t use passwords or any other security protection on their mobile devices.

This behavior belies the beliefs of many executives, however, as a recent study by the ITGI found 80% of the CEOs and CIOs surveyed believe that IT risk management is important. Unfortunately, many of these same executives are largely paying lip service to the problem; only 30% have implemented measures to improve IT risk management within their organizations. While the discipline of risk management and mitigation is broad and highly specialized, there are some basic steps companies can take to characterize and improve their risk profiles.

Key Elements Of A Risk Management Program

According to Pironti, “The best way to ensure a fighting chance of discovering and defeating information exploitation and theft is to take a disciplined, programmatic approach to discovering and mitigating threats and vulnerabilities.” For companies just embarking on a risk management project, he recommends a simple, three-step program that incorporates an asset inventory, threat and vulnerability analysis, and subsequent vulnerability management.
An asset inventory is a necessary prerequisite for any succeeding work because, he notes, “to protect information, it is essential first to know where it resides,” both physically and logically within the IT infrastructure. Bryan Fish, founder and president of Securityworks (security-works.com), a company specializing in risk and security management tools, concurs, saying that the first thing companies need to understand is what information is most important to their businesses. He adds that finding where this information lives and what business processes touch it allows IT to “get a system-wide view of the risk ecosystem.”

After identifying the most important information assets, the next step is to perform an actual risk or threat assessment. There are almost as many methodologies for doing a threat analysis as there are practitioners in the field, and their level of rigor and formality varies. Pironti has developed a relatively simple methodology using the timeless journalistic questions of “who, what, when, where, why, and how” as windows into the threat environment. His technique starts by asking which type of adversary (who), whether a script kiddie or a motivated professional criminal, is likely to attack a company’s infrastructure, and goes on to focus on the areas they are most likely to attack (what). Next, he examines the likely time and place (when and where) of an attack, adding, “The most popular day to launch an attack is Christmas” because the intruders know most people are on vacation, and IT departments probably have their defenses down. The last stage of an assessment involves understanding the technical details of how various attacks are carried out (how) and what an adversary’s motivation might be (why).
This includes thinking about the likely security holes or schemes that might be used, such as whether the attack is focused on employees, using so-called social engineering techniques (commonly used in phishing schemes), the network infrastructure, or business applications.

Once a thorough threat assessment has been performed, the final element of a risk management program involves eliminating or mitigating vulnerabilities. Again, Pironti suggests a sequential, multifaceted approach: development of countermeasure plans, implementation of controls and processes, collection of metrics and measures, and the gathering of background intelligence to interpret the data and anticipate future threats.

Once companies have established some maturity in risk management and vulnerability analysis, an added level of sophistication entails using the collected data and reports to prioritize future IT security projects and spending. According to Caroline Ramsey Hamilton, president of RiskWatch (www.riskwatch.com), “a cost benefit analysis combines information from the vulnerability assessment along with relevant threat data and asset information. . . . The result of the cost benefit analysis will be to create a return on investment (ROI) ratio, balancing the value of the information against the cost of controls to protect it.”

Experts agree that most businesses should conduct a thorough risk assessment annually, although Fish says that more stable environments may be able to get by with less frequent examinations. Even in those situations, he recommends IT perform less formal, ad hoc risk assessments whenever new applications are added to the environment. Pironti has a different perspective, advocating that risk management and vulnerability assessment be incorporated into the daily processes of IT security professionals.
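To make the cost-benefit step concrete, the following Python script is an added illustration, not code from the article or from any of the vendors it names. It assumes that Hamilton’s “ROI ratio” is computed with the widely used annual loss expectancy (ALE) model: each threat has an annual rate of occurrence (ARO) and an exposure factor (EF, the fraction of the asset’s value lost per incident), a control reduces one or both, and the return on security investment (ROSI) is the risk removed minus the control’s cost, divided by that cost. The asset values, rates and costs are constructed sample figures chosen to mirror the article’s examples (devices lost in taxis, phishing of staff); the field names and functions are this example’s own.

```python
"""Quantitative cost-benefit screen for security controls (ALE / ROSI).

Added example, not from the article. Every figure below is constructed
sample data; the ALE/ROSI formulas are an assumption of what a
"return on investment ratio" for controls looks like in practice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # impact value of the information, in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # Asset.name this threat acts on
    aro: float          # annual rate of occurrence (incidents per year)
    ef: float           # exposure factor: fraction of asset value lost per incident


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str      # Threat.name this control addresses
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which the control lowers ARO
    ef_reduction: float = 0.0    # fraction by which it lowers loss per incident


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = asset value * exposure factor * annual rate of occurrence."""
    return asset.value * threat.ef * threat.aro


def residual_ale(asset: Asset, threat: Threat, control: Control) -> float:
    """ALE after the control scales down per-incident loss and/or frequency."""
    ef = threat.ef * (1.0 - control.ef_reduction)
    aro = threat.aro * (1.0 - control.aro_reduction)
    return asset.value * ef * aro


def control_rosi(assets, threats, control: Control) -> float:
    """(risk removed - annual control cost) / annual control cost.

    A negative value means the control costs more per year than the risk it
    removes, which is the "cost of controls" side of Hamilton's balance.
    """
    threat = next(t for t in threats if t.name == control.mitigates)
    asset = next(a for a in assets if a.name == threat.asset)
    saved = annual_loss_expectancy(asset, threat) - residual_ale(asset, threat, control)
    return (saved - control.annual_cost) / control.annual_cost


def prioritize(assets, threats, controls):
    """Rank controls by ROSI, best first, so spending follows measured risk."""
    ranked = [(c.name, control_rosi(assets, threats, c)) for c in controls]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed inventory: three assets, one threat each, one candidate control each.
ASSETS = [
    Asset("Customer records on mobile devices", 500_000.0),
    Asset("ERP application", 2_000_000.0),
    Asset("Web storefront", 300_000.0),
]
THREATS = [
    Threat("Unencrypted device lost in taxi", "Customer records on mobile devices", aro=12.0, ef=0.10),
    Threat("Phishing of staff credentials", "ERP application", aro=0.5, ef=0.20),
    Threat("External network intrusion", "Web storefront", aro=0.2, ef=0.50),
]
CONTROLS = [
    Control("Full-disk encryption + remote wipe", "Unencrypted device lost in taxi",
            annual_cost=40_000.0, ef_reduction=0.95),   # device still lost, data not exposed
    Control("Phishing awareness training", "Phishing of staff credentials",
            annual_cost=15_000.0, aro_reduction=0.60),
    Control("Managed SOC retainer", "External network intrusion",
            annual_cost=60_000.0, aro_reduction=0.50),
]


if __name__ == "__main__":
    for name, rosi in prioritize(ASSETS, THREATS, CONTROLS):
        print(f"{name:40s} ROSI = {rosi:+.2f}")
```

Run as a script, it prints the controls in funding order. With the sample figures the encryption control returns 13.25 times its cost and the training 7 times, while the SOC retainer comes out negative because the storefront’s annual exposure is smaller than the retainer’s price; that is exactly the ranking the article suggests using to prioritize security projects and spending, and the numbers would of course be replaced by a company’s own inventory and assessment data.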
He advises companies to maintain awareness of emerging threats, through simple activities such as checking CERT (www.cert.org) to “see if there’s anything going on.”

Standards, Regulations & Automation Tools

IT organizations interested in pursuing a more rigorous risk management approach will find no shortage of industry standards and best practices. Yet going through reams of documentation can make filling out a 1040 seem easy. Fortunately, there are a number of software automation tools available to assist those needing to meet the specific requirements of these standards and regulations.

The complexity, ubiquity, and dynamism of today’s networked and mobile IT environment mean businesses must put greater emphasis than ever on understanding and managing risk. While implementing formal processes is important, Pironti cautions companies against thinking formalism and technology offer magic bullets. He concludes that you need to ingrain risk management into a company’s ethos: “It’s really a cultural thing, not a technological thing.”