Cyber insurance provides an opportunity to address residual risk in your information security program by offsetting the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so, just like any security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) You'll have to do it anyway, B) The safest approach is to avoid a breach in the first place, C) Your risk profile will enable a better tailored policy.
In my last few posts I mentioned using risk management as an effective mechanism for combating cyber crime. A number of readers from the LinkedIn Information Security Group asked about recommendations for improving their risk management processes:
“In my corporation risk management is mostly controlled by finance. We can’t seem to get a discussion of IT risk, particularly cyber crime, on the executive staff agenda. Do you have any ideas to improve our situation?”
“We invested in the COSO framework to manage regulatory compliance, but risks to the business such as cyber crime are still addressed on an ad-hoc basis. What do you recommend?”
Improving the effectiveness and efficiency of IT risk management is a subject that could easily fill a multi-day workshop, but allow me to offer a few suggestions in high impact areas. The first area to address is the language used to describe risk. The MIT Sloan Center for Information Systems Research has done some well regarded work in this area. The major idea is to focus IT risk on four major areas: availability, access, accuracy and agility, and to drive the discussion around impact to the business. Executive management teams respond more effectively to risks they understand, however unpredictable, than to ones they don’t. IT risks are often the least understood. Most management teams do not know how to think about IT risk beyond the immediate impact on IT operations of viruses, data breaches and failed business continuity programs. They have not made the connection between failing servers and failing business operations, or between taking shortcuts and giving clear guidance.
Every IT risk has a business consequence. Yet often the decision making process around IT risk gets bogged down in technical details. What’s needed is a simple way to clarify tradeoffs and make better decisions. I’ve found that if business leadership can focus on four key IT risks they are more willing to bring the IT agenda to the table and make better informed decisions. Let’s briefly look at the 4 A’s.
Availability: This means keeping the systems running. IT needs to communicate regularly to executive staff on the availability risk to major business processes and ensure there is a business continuity plan in the case of failure.
Access: This is defined as ensuring access to systems and data. IT is responsible for providing the right people with the access they need and ensuring that sensitive information is not misused. The IT organization must regularly discuss risks associated with data loss, privacy violations and inappropriate use.
Accuracy: This means providing complete, timely and correct information that meets the requirements of customers, suppliers, regulators and management. Compliance with Sarbanes-Oxley is a common source of accuracy risk for enterprises in the United States. IT should review with management the sources of accuracy risk (and the risk mitigation programs), such as the inability to get an accurate, consistent, global view of key customers and product/service sales.
Agility: This is defined as the ability to make the necessary business changes with appropriate cost and speed. A specific example of agility risk would be the delay or cancellation of a merger because of the risk of integrating IT systems. The IT organization needs to discuss these risks so that management can make informed decisions and not hedge their bets because they don’t believe IT can deliver on time.
The second area to look at in terms of the effectiveness of your risk program is consistent usage of risk severity levels and the associated actions. At Redspin we use five levels:
• Critical – Corrective measures are required immediately.
• High – Strong need for corrective measures. An action plan must be put in place as soon as possible.
• Medium – Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low – Management must determine whether corrective actions are required, or decide to accept the risk.
• Informational – The issue does not indicate a material violation but is something for management to consider for enhancing the overall security posture.
Drive these definitions into your risk mitigation programs, policy specifications and controls.
The last area I will suggest concerns making a business impact with these ideas for managing risk. Rather than focusing on technical risks, concentrate the energy of the IT team on framing the risk associated with the key business processes that drive the business. An example of a common key business process that exists at nearly every organization is quote-to-cash or lead-to-support. Make an effort to quantify and explain to executive staff the risks to the infrastructure, applications and personnel that support this key business process. Identify the high impact risks, the threat probability and your plan of action. Get on the business agenda and review your progress on a regular basis. A common result is that the IT and security teams are viewed less as a cost center and more as an enabler of business goals.