Risk Managers' Forum

Protecting information

Risk management strategies for data security

By Leonard J. Watson, Ed.D., CIC, CRM, CPCU, AIC


Most organizations use some form of computer records to file, sort, and manage data collected as part of their normal operations and business transactions. Whether a firm is producing tangible products or providing a service, it commonly maintains data about such things as customers, vendors and suppliers, employees, financial activities, and regulatory compliance.

While the complexity of these common records varies with the size of the organization and the scope of its operations, the need for data, and for the information developed from it, is universal. However, over the past 20 years the volume of data, the speed with which it is collected, and the ease with which it can be accessed by almost anyone have changed dramatically.

But do organizations recognize the magnitude by which risk has expanded as a result of the greater quantity and importance of the data that is now so easily accessed? And do those organizations that recognize the dramatic increase in risk from use of information systems assign accountability to a specific member of senior management for data integrity, confidentiality, and availability?

Assuring data integrity, confidentiality, and availability should be of primary concern to information system security specialists. Unfortunately, not every organization is able to employ full-time information system security specialists, so the person assuming overall risk management responsibility is likely to be the one who must address these three data/information concerns. In organizations without a risk management professional to oversee the integrity, confidentiality, and availability of data, this responsibility falls by default to the senior executive.

Those who provide risk management services on a consulting basis, which often includes insurance and loss control professionals, are becoming increasingly aware of the importance of developing and implementing risk management strategies specifically for data and information. Here are several actions for planning data security strategies:

• Identify and rank common categories of data risk.

• Survey stakeholders for improvement opportunities.

• Apply risk management techniques to improve data/information integrity, confidentiality, and availability.

To begin creating a strategy designed to improve the integrity, confidentiality, and availability of data, risk managers may find it helpful to determine who has access to data, whether the levels and types of access currently granted are appropriate, and whether the organization’s best interests are being served by the current authorities.

For example, do marketing/sales personnel need access to both the organization’s product and financial databases? If so, do they need this access both at their office and from remote locations, including wireless connections? Would the organization’s operations be adversely affected if current access were modified in some way? In this example, perhaps the marketing/sales personnel need remote access to the product database only, and could be required to use a more tightly controlled connection when accessing more sensitive company data.
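The access review described above can be made repeatable by writing down the intended access (by role, data store, action, and location) and comparing it with what has actually been granted. The following is an added example, not code from the article or its author; the roles, data stores, and entitlement records are constructed to mirror the marketing/sales scenario, and a real review would load the grants from a directory or database export.

```python
"""
Access-entitlement review: compare granted access against the intended
policy and flag grants the policy does not permit.

Added example, not part of the original article. Roles, data stores,
and the sample entitlement export below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One row of an entitlement export: who holds what, and from where."""
    principal: str
    role: str
    store: str
    action: str   # "read" or "write"
    origin: str   # "office" or "remote"


# Intended policy: role -> set of (store, action, origin) tuples.
# Mirrors the article's example: sales needs the product database
# remotely, but may see financial data only from the office.
POLICY = {
    "sales": {
        ("product_db", "read", "office"),
        ("product_db", "read", "remote"),
        ("financial_db", "read", "office"),
    },
    "finance": {
        ("financial_db", "read", "office"),
        ("financial_db", "write", "office"),
        ("financial_db", "read", "remote"),
    },
}

# Constructed entitlement export (hypothetical principals).
SAMPLE_GRANTS = [
    Grant("alice", "sales", "product_db", "read", "remote"),
    Grant("alice", "sales", "financial_db", "read", "remote"),      # wrong origin
    Grant("bob", "sales", "financial_db", "write", "office"),       # wrong action
    Grant("carol", "finance", "financial_db", "write", "office"),   # permitted
    Grant("dave", "contractor", "product_db", "read", "remote"),    # role not in policy
]


def review(grants, policy):
    """Return (grant, reason) pairs for every grant the policy does not permit."""
    findings = []
    for g in grants:
        allowed = policy.get(g.role)
        if allowed is None:
            findings.append((g, "role has no defined policy"))
        elif (g.store, g.action, g.origin) not in allowed:
            # Distinguish "permitted, but only from another location" from
            # "never permitted for this role"; the remediation differs.
            if any(s == g.store and a == g.action for s, a, _ in allowed):
                findings.append((g, f"{g.action} on {g.store} not permitted from {g.origin}"))
            else:
                findings.append((g, f"{g.action} on {g.store} not permitted for role {g.role}"))
    return findings


def permitted_but_ungranted(grants, policy):
    """Policy entries no principal currently holds.

    These show where the written policy is broader than actual use and are
    candidates for tightening when the policy is next revised.
    """
    held = {(g.role, g.store, g.action, g.origin) for g in grants}
    return sorted(
        (role, store, action, origin)
        for role, allowed in policy.items()
        for store, action, origin in allowed
        if (role, store, action, origin) not in held
    )


if __name__ == "__main__":
    for g, why in review(SAMPLE_GRANTS, POLICY):
        print(f"{g.principal:6} {g.role:10} {g.store:13} {g.action:5} {g.origin:6}  {why}")
    print("permitted by policy but granted to no one:")
    for entry in permitted_but_ungranted(SAMPLE_GRANTS, POLICY):
        print("  ", entry)
```

Run against the constructed export, the review flags three grants: a sales user reading financial data remotely, a sales user with write access to financial data, and a contractor whose role has no policy at all. The second report lists permissions the policy allows that nobody holds, which is useful input to the cost/benefit comparison the article recommends before changing access.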

Risk managers, particularly those who serve on a consulting basis, may lack an adequate understanding of the variety, use, and control of a particular organization’s various types of data. Before appropriate improvement recommendations can be made, a survey of stakeholders can be useful. Stakeholders from whom useful information can be developed include customers, vendors/suppliers, regulators, owners/stockholders, current operational employees, past operational employees, current executive employees, and past executive employees. Specific questions on the survey should be designed to determine how, when, and where these stakeholders use specific types of data. Questions can also solicit opinions about how data can be misused and improperly handled. Organizational surveys are common tools of the risk management profession.

Applying a risk management strategy to improve data integrity, confidentiality, and availability first requires top management’s commitment. Top management must also assign accountability and ownership of each of the organization’s primary data systems to a member of senior management who knows how that data is used and who has a stake in its continuing availability. Managing data security, as with any risk management action, is an ongoing process, not a quick fix. So it is important to produce regular progress reports and distribute them to senior management and to those who can most strongly influence data security improvements.

It is also important to assess the organizational benefits of the improvements and to determine whether or not the improvement outweighs its costs. For example, while it might improve security to restrict remote Internet access to product details, key sales representatives may require most of that detail to achieve sales objectives. It is useful to compare the consequences of a proposed change with the consequences of not making that change.

All of an organization’s stakeholders must be committed to long-term diligence in managing data security. The risk management profession can help structure and implement strategies to improve data integrity, confidentiality, and availability. But the actions that result from implementing any strategy must be integrated into the organization’s overall process of minimizing risk to achieve financial success.

The author
Leonard J. Watson, Ed.D., CIC, CRM, CPCU, AIC, is president of Phoenix Resource Systems, Inc., a risk management consulting firm based in Statesboro, Georgia. He is also a charter member of the national faculty of the National Alliance’s Certified Risk Manager (CRM) program. He has served as a faculty member of Palm Beach Atlantic University, Mars Hill College, and the University of Phoenix, and is a former senior manager with several large international insurance companies. For information on the CRM program, call (800) 633-2165 or go to www.TheNationalAlliance.com.
