Like many organizations that handle large volumes of financial transactions, the Airlines Reporting Corporation...
(ARC) must meet annual Payment Card Industry Data Security Standard (PCI DSS) compliance requirements to improve cardholder data protection controls and reduce credit card fraud.
These PCI DSS compliance activities are necessary, but shed little insight on the reality of risk and how it impacts the overall business. For example, PCI DSS audits provide a glimpse into credit card security practices, but the attention is focused on only a portion of ARC's data protection and security program.
In addition, PCI certification assessments are only annual events and don't offer visibility into the organization's continuous control environment and security posture. Tracking and measuring performance on a regular basis requires a constant effort to pull together documentation for executives and auditors, especially when the process is handled manually with spreadsheets and SharePoint.
Organizations can benefit by shifting the corporate culture from one that focuses on meeting IT compliance obligations to one that targets overall operational risk reduction. As the guardian of data that impacts all aspects of the business, the CISO is often in the optimal position to drive this transition throughout the organization.
One of the best ways a CISO can change the conversation is to start small and expand by leveraging existing frameworks and programs. Here are six steps to build an effective enterprise risk management program:
Pick a framework
To support this top-down approach, ARC selected the ISO 27001 standard as a baseline framework. The information security management system standard provides a holistic set of policies, processes and systems to manage information risk. We automated the ISO 27001 certification process and ongoing risk assessments using our third-party GRC tool. This established a platform upon which to build a successful enterprise risk management program. The GRC tool made risk-related information readily available and accessible to the organization. For example, a heat map illustrates residual risk and can be used to pinpoint vulnerable areas. There are plenty of good frameworks such as ISO 27001 available, but the trick is to pick one that best aligns with your organization and its goals.
Since we were trying to broaden our risk management discussion to an enterprise-wide view, ARC defined scope at the business-process level. ARC leveraged disaster recovery and business continuity information to define the program's scope, including prioritization and identification of critical business techniques and related risk.
For example, our business continuity plan identifies all business processes and ranks them in order of criticality. Our disaster recovery plan does the same for technology systems that support the business practices identified in the continuity plan. We defined the scope of our efforts to include thirteen business-critical processes identified in the business continuity list. This helped concentrate our enterprise risk management efforts on what mattered most to the organization from a business and operational perspective.
Critical business processes and their associated risk were identified by leveraging methodologies outlined by organizations such as ISACA, the SANS Institute and the National Institute of Standards and Technology. We evaluated threats to the business and identified potential risks posed by those threats, along with potential controls to mitigate those risks. The identified risks were evaluated in terms of their likelihood and impact. The goal was to determine which threats could jeopardize business objectives or critical strategy. Controls to offset these risks were then evaluated, and residual risks were ranked. The higher the ranking of the residual risk -- which for ARC focused on documentation, access, monitoring and security controls -- the more urgent the risk was to address.
Develop an action plan
ARC then created a risk treatment plan to resolve any identified gaps. As mentioned above, each residual risk was ranked. Those that were deemed to be above our risk tolerance were added to our project list for additional scoping and reduction efforts. Any actions below our risk tolerance were designated "acceptable risk" and documented, with no further action taken on these risks until the next evaluation process.
Treat, measure and monitor
ARC then determined detailed risk alleviation steps and established a consolidated set of metrics for operational risk events. These processes are monitored on a regular basis. Metrics determine how the enterprise risk management program is progressing, how it varies from policy, the number of operational risk incidents and key control deficiencies. Each metric is produced monthly, discussed with the executive team and stored using our GRC tool. By using the Capability Maturity Model (CMM), we were able to set out both interim and long-term enterprise risk management program goals that outline improvement.
Where possible, ARC uses a GRC tool to automate inefficient and ineffective manual processes. Vulnerability management, risk assessments, deficiency tracking and remediation are all examples of activities that used to be handled by a spreadsheet or email. These processes now occur within a centralized, automated, fully accessible and accountable system. When choosing a GRC tool, look for one that is easy to implement without much help from consultants. It also helps if the GRC tool is used across an organization, and targets controls and processes for a variety of departments. This allows the company to easily tie risk processes together and see the overall business impact.
It's important to change the enterprise risk management conversation from a siloed, bottom-up one with compliance as the only goal to an enterprise-wide approach. Visibility into the overall security posture of the organization is the cornerstone to establishing this new dialogue, as well as developing a common risk management language with key internal and external constituents.
About the author:
Rich Licato has more than 20 years of experience in IT security risk and compliance, operational and enterprise risk management and systems development. Licato is chief information security executive at Arlington, Va.-based Airlines Reporting Corporation, where his responsibilities include information security, physical security and business continuity. Rich is also an Advisory Council Member for the CISO Executive Network, a peer-to-peer organization dedicated to making information security, IT risk management, privacy and compliance executives be more successful.
Modern business realities force converged risk management approach
The keys to moving from reactive to proactive risk management