
Companies that perform traditional risk management use a business impact assessment to gauge the risk a project will introduce into the business. The engagement between security and business is measured in information security concepts rather than business terms. Could this be why data loss constantly makes the headlines?
The problem
Information security can be seen as the team that polices projects without providing useful advice and, as a result, not only risks alienation but lacks influence. Nowadays, business owners are asked to undergo a process that focuses engagement too heavily on what can go wrong, and it is this process that determines how much information security involvement is required.
This is self-selection: business owners will respond in a way that meets their goal of shortening time-to-market without necessarily addressing the risks that a security professional would want addressed. Think of the questions asked on an immigration form: your answers tend to be skewed towards what you believe will get you through the gate and into your hotel in the shortest possible time.
Are business impact assessments seen as just crude tools for weeding out problem projects? Are confidentiality and integrity suitable ways to measure the success or failure of a project when making the business concept work was all that was considered?
A future approach
Perhaps it is time that the traditional model of capturing confidentiality, integrity and availability is replaced by tracking where data is actually used. This could be done by asking business owners to mark out how data flows across the organisation against a popular business model. You might even apply standard controls to projects where data does not leave the company and does not include storage of personally identifiable information. Application reporting (excluding financial) and monitoring facilities are examples where agreeing in advance on acceptable flows of information gives better service to the business, by speeding up the decision on which projects get the most attention.
The whole process has to be tailored to the organisation and adaptable to the local cultural problems associated with a global company. If the results of a business impact assessment are framed on a spectrum, compared with other projects in the same business unit, then this can be used to apply appropriate controls.
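One way to model the data-flow-driven assessment proposed above, as an added example that is not from the original piece; the field names, scoring weights and tier thresholds are assumptions chosen for illustration:

```python
from dataclasses import dataclass, field

# Added illustration of assessing projects by their data flows rather than by
# abstract confidentiality/integrity/availability ratings. Weights and tiers
# are assumptions, not a published standard.

@dataclass
class Flow:
    source: str
    destination: str
    leaves_company: bool        # data crosses the organisational boundary
    contains_pii: bool          # personally identifiable information is stored or sent
    financial: bool = False     # financial reporting data, excluded from the standard path

@dataclass
class Project:
    name: str
    business_unit: str
    flows: list = field(default_factory=list)

def attention_score(project):
    """Count how far a project's flows take it off the pre-agreed standard path."""
    return sum(
        (2 if f.leaves_company else 0) + (2 if f.contains_pii else 0) + (1 if f.financial else 0)
        for f in project.flows
    )

def control_tier(project):
    """Map the score to the level of security involvement the project needs."""
    score = attention_score(project)
    if score == 0:
        return "standard"   # internal, no PII, no financial data: standard controls apply
    return "review" if score <= 3 else "engage"

def spectrum(projects):
    """Rank projects within each business unit, so results are relative to peers."""
    by_unit = {}
    for p in projects:
        by_unit.setdefault(p.business_unit, []).append(p)
    return {
        unit: [(p.name, control_tier(p)) for p in sorted(ps, key=attention_score, reverse=True)]
        for unit, ps in by_unit.items()
    }

# Constructed sample projects; not drawn from any real organisation.
SAMPLE = [
    Project("ops-dashboard", "retail", [Flow("app-db", "monitoring", False, False)]),
    Project("loyalty-export", "retail", [Flow("crm", "partner-sftp", True, True)]),
    Project("ledger-feed", "finance", [Flow("erp", "reporting", False, False, True)]),
]
```

Running `spectrum(SAMPLE)` places the partner export ahead of the internal dashboard within the retail unit, which is the relative ordering the text argues for.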
If the correct information is captured at the appropriate time, in a manner that reflects the experience of those involved, then the outcome is right for both sides. Otherwise the business impact assessment risks being abandoned in favour of a reactive approach driven purely by incidents. Business owners are already afflicted by information overload.
Only once business impact assessments address the legitimacy of business activities by examining the underlying models will we move away from being policemen to being proponents of the business in getting the most that technology can deliver.