ISACA JOURNAL VOLUME 4, 2013. © 2013 ISACA. All rights reserved. www.isaca.org

organizations and includes information risk management as one of its functions. The use of an information risk profile is often an effective way for traditional security professionals to integrate with this concept. The profile provides important insights and guidelines associated with information risk identification and management. The ERM function can then leverage this information as it calculates overall enterprise risk and develops control objectives and management practices to effectively monitor and manage it. The structure of the profile provides a framework that easily and logically organizes data for the organization to leverage as needed.

Information Risk Profile Structure
An organization's information risk profile should be structured and formatted in a fashion that quickly demonstrates its value and intent to the organization, is easily understood and applicable to the organization as a whole, and is viewed as useful and beneficial to its leaders and stakeholders. The following can be useful in meeting these goals.

Guiding Principles and Strategic Directives
An organization's information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent. Common guiding principles include the following:
- Ensure availability of key business processes, including associated data and capabilities.
- Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
- Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization's established risk tolerances.
- Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.

Information Risk Profile Development
Transparency is a key aspect to the success and adoption of an information risk profile. The risk profile's accuracy and credibility may be called into question if the methods, practices, source materials and intelligence, as well as the individuals involved in its development, are not provided as part of the document. This information can be referenced as part of an appendix to the document and include links to the materials themselves.

Business-state Representation of Information Risk
The information risk profile should include a current-state analysis of identified information risk factors that have a reasonably high probability of occurrence and would represent a material impact to business operations if realized. The descriptions of risk should be brief and expressed in language that is recognized and understood by both business- and technology-oriented personnel.
The current-state representation should also include the organization's IRM views, expectations and requirements. This should include identification and analysis of the opinions of business leaders and stakeholders and their views on information risk and security, a description of current business conditions, current threat and vulnerability analysis outcomes, and expectations of external parties (i.e., customers, partners, vendors, regulators). This can also assist in the development of future-state objectives and requirements.

Future-state Objectives and Requirements
The future-state objectives and requirements identify the ideal state of information risk management for the organization and general information risk appetite and tolerance. This includes key IRMS-related initiatives that are in progress or are soon to be initiated; their associated timelines for completion; and a brief summary of the initiatives' owners, key dependencies, and expected level of information risk reduction at milestone points and at completion.
An effective way of evaluating and communicating the future-state objectives and requirements is to use a capability maturity model (CMM) approach. An assessment of key functions and capabilities for the current and future states using CMM can help an organization easily identify areas of required focus and investment for functions, capabilities and services that are required. Using a radar chart format (figure 1) to represent these data is an effective way of communicating the information and is easily understood by a broad audience.
Figure 1: CMM Radar Chart (axes: Confidentiality, Availability, Integrity, Risk Identification, Threat and Vulnerability Analysis, Threat and Risk Intelligence; scale 0 to 5 in steps of 0.5)

information risk profile provides a data dictionary that offers a clear understanding of the data element as well as its value to the organization.

Identification of Data Owners and Stakeholders
All data and information within an organization should be associated with a data owner and one or more stakeholders. Identifying and evaluating ownership attributes is important because the owners and stakeholders are responsible for their information risk management decisions. This activity can also assist in the identification of dependencies that can affect the risk appetite for data assets, especially in situations where they are required for one or more critical business functions or processes.
progressively stronger and more comprehensive control objectives and requirements as they ascend.

Figure 2: Data Classification
Level   Designation
5       Confidential (restricted)
4       Confidential (customer- or compliance-related)
3       Proprietary
2       Internal use only
1       Public

Risk Levels and Categories
Risk levels and categories provide a framework that can be used to organize and communicate information risk in an easily recognizable format. Risk levels provide a scale to represent the level of material business impact that would result if a risk were to be realized. The categories help to define the type of impact that would likely materialize. To be useful, the levels and categories should be simple and easily understood.
The following are examples of information risk levels:
- High: Severe material compliance, legal and/or financial consequences; significant material impact on critical business processes and/or business operations; loss of customer trust and/or damage to brand reputation
- Medium: Significant material compliance, legal or financial consequences; substantial material impact on key business processes and/or business operations; weakened customer trust and/or brand reputation
- Low: Negligible to no material compliance, legal and/or financial consequences; minimal material impact on key business processes and/or operations; insignificant change in customer trust and/or brand reputation
The following are examples of information risk categories:
- Confidentiality: The disclosure of sensitive information to unauthorized individuals or systems
- Integrity: Impact to the accuracy and consistency of data and information
- Availability: Effect on the ability to access capabilities and associated data and information
By using this method of level setting and categorization, key business processes can then be presented in the form of a heat map (see figure 3) to visualize the associated information risk levels.

Figure 3: Current Information Risk Levels by Key Business Processes
Key Business Processes         Confidentiality   Integrity   Availability
Payroll and benefits           High              High        High
Credit and collections         High              High        High
Web presence                   High              High        Medium
Billing and receivables        Medium            Medium      Medium
Supply chain management        Medium            Medium      Low
Messaging and communications   Medium            Low         Low
Procurement and payables       Low               Low         Low

Material Business Impact Considerations
Material business impact considerations are a vital element of any information risk profile. They provide the equivalent to pain charts, commonly used in health care environments. A pain chart typically uses a numerical or graphical scale and allows a health care provider to understand the level of pain and discomfort that a patient is experiencing in order to respond with the appropriate level of care. In the information risk profile, the material business impact considerations identify the impact an incident or loss has in terms that are easily understandable and recognizable by the organization. These considerations should span a number of categories including financial, productivity, availability, reputation, compliance, partner and supply chain, and customer. Here are some example material business impact considerations for an organization that has annual revenues of US $500 million:
Financial: An immediate and unplanned loss equal to or greater than the following list would represent a material business impact to the organization:

Material Business Impact   Financial Loss Amount
Catastrophic               US $100,000,000 and above
Major                      US $5,000,000 to $99,999,999
Moderate                   US $1,000,000 to $4,999,999
Minor                      US $100,000 to $999,999
Negligible                 Less than US $100,000

Productivity: An immediate and unplanned loss of employee productivity equal to or greater than the following list would represent a material business impact to the organization:
Material Business Impact Category   Employee Productivity Percent Loss
Catastrophic                        85% and above
Major                               40 - 84%
Moderate                            20 - 39%
Minor                               10 - 19%
Negligible                          1 - 9%

Availability: An immediate complete or partial lack of availability of one or more key business processes and associated information assets and supporting systems would represent a material business impact to the organization:

Material Business Impact Category   Time of Unavailability (Partial or Full)
Catastrophic                        8 days and beyond
Major                               73 hours - 7 days
Moderate                            9 - 72 hours
Minor                               2 - 8 hours
Negligible                          Less than 2 hours

- Insurance coverage of US $20 million to mitigate incident response and recovery costs for damage to information systems and data
- Basic business resiliency capabilities maintained (command and control, incident response, business continuity, disaster recovery), reducing the impact if a risk is realized
Individually, these data points provide limited value to the organization. When they are assembled together, properly endorsed and kept current, they can provide a holistic view of the organization's perspective associated with information risk management.

Endorsement and Updates
For the information risk profile to be meaningful to the organization, its leadership and stakeholders must agree upon and endorse it. It is important to identify in the document who endorsed the profile and when it was released. This can be done through a document change management control table. The information risk profile itself should be reviewed, at a minimum, on an annual basis or as business conditions change that have a potential impact on the information risk appetite of the organization.
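The three material business impact tables (financial loss, employee productivity loss and time of unavailability) together with the High/Medium/Low heat map of figure 3 can be turned into a small, repeatable scoring routine. The Python below is an added example written for this page; it is not code from the article or from ISACA. The Scenario records are constructed sample data, the function names are ours, and the mapping from impact category to the High/Medium/Low risk level is an assumption the article does not state. It also settles one point the printed tables leave open: the bands have small gaps (84% to 85%, 8 to 9 hours, 72 to 73 hours, 7 to 8 days), and a value that falls in a gap is rated at the lower band rather than left unrated.

```python
"""Score constructed incident scenarios against the article's material
business impact thresholds and roll them up into a figure-3-style heat map.

Added example for this page, not code from the article or from ISACA.
SAMPLE_SCENARIOS is constructed data; RISK_LEVEL is our own assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact categories ordered from most to least severe, as in the tables.
CATEGORIES = ["Catastrophic", "Major", "Moderate", "Minor", "Negligible"]

# Bands are (inclusive lower bound, category), most severe first, taken from
# the article's tables for a US $500 million revenue organization. The
# printed bands leave small gaps (84%/85%, 8/9 hours, 72/73 hours,
# 7/8 days); scanning by lower bound rates a gap value at the lower band
# instead of leaving it unrated. That treatment is our choice, not the
# article's.
Band = Tuple[float, str]
FINANCIAL_USD: List[Band] = [(100_000_000, "Catastrophic"), (5_000_000, "Major"),
                             (1_000_000, "Moderate"), (100_000, "Minor"),
                             (0, "Negligible")]
PRODUCTIVITY_PCT: List[Band] = [(85, "Catastrophic"), (40, "Major"),
                                (20, "Moderate"), (10, "Minor"), (1, "Negligible")]
UNAVAILABILITY_HOURS: List[Band] = [(8 * 24, "Catastrophic"), (73, "Major"),
                                    (9, "Moderate"), (2, "Minor"), (0, "Negligible")]

# Our assumed mapping onto the article's High/Medium/Low risk levels; the
# article presents both scales but does not state how they relate.
RISK_LEVEL = {"Catastrophic": "High", "Major": "High", "Moderate": "Medium",
              "Minor": "Low", "Negligible": "Low"}


def classify(value: float, bands: List[Band]) -> Optional[str]:
    """Return the category of the first band whose lower bound the value meets.

    Returns None when the value is below every band (the productivity table
    starts at 1%, so a 0.5% loss is not a material impact at all).
    """
    for lower, category in bands:
        if value >= lower:
            return category
    return None


def financial_impact(loss_usd: float) -> Optional[str]:
    return classify(loss_usd, FINANCIAL_USD)


def productivity_impact(percent_lost: float) -> Optional[str]:
    return classify(percent_lost, PRODUCTIVITY_PCT)


def availability_impact(hours_unavailable: float) -> Optional[str]:
    return classify(hours_unavailable, UNAVAILABILITY_HOURS)


@dataclass
class Scenario:
    """One plausible incident against a key business process (figure 3 rows)."""
    process: str
    risk_category: str          # "Confidentiality", "Integrity" or "Availability"
    loss_usd: float = 0.0
    productivity_pct_lost: float = 0.0
    hours_unavailable: float = 0.0


def scenario_impact(s: Scenario) -> str:
    """Most severe rating across the three impact dimensions."""
    ratings = [r for r in (financial_impact(s.loss_usd),
                           productivity_impact(s.productivity_pct_lost),
                           availability_impact(s.hours_unavailable)) if r]
    return min(ratings, key=CATEGORIES.index)   # lowest index = most severe


def heat_map(scenarios: List[Scenario]) -> Dict[str, Dict[str, str]]:
    """Per process and risk category, the risk level of the worst scenario."""
    worst: Dict[Tuple[str, str], str] = {}
    for s in scenarios:
        key = (s.process, s.risk_category)
        cat = scenario_impact(s)
        if key not in worst or CATEGORIES.index(cat) < CATEGORIES.index(worst[key]):
            worst[key] = cat
    table: Dict[str, Dict[str, str]] = {}
    for (process, risk_cat), cat in worst.items():
        table.setdefault(process, {})[risk_cat] = RISK_LEVEL[cat]
    return table


# Constructed sample scenarios (not from the article).
SAMPLE_SCENARIOS = [
    Scenario("Payroll and benefits", "Confidentiality", loss_usd=6_000_000),
    Scenario("Payroll and benefits", "Availability", hours_unavailable=200),
    Scenario("Web presence", "Availability", loss_usd=300_000, hours_unavailable=30),
    Scenario("Messaging and communications", "Availability", hours_unavailable=8.5),
    Scenario("Procurement and payables", "Integrity", loss_usd=50_000,
             productivity_pct_lost=5),
]

if __name__ == "__main__":
    for process, levels in heat_map(SAMPLE_SCENARIOS).items():
        print(f"{process:30} {levels}")
```

Running the module prints one heat-map row per process. The worth of encoding the thresholds this way is that the rating of every scenario is reproducible from the endorsed tables, so when the profile is reviewed (annually, or as business conditions change) only the band constants need to be re-approved and the heat map can be regenerated from the same scenario list.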