The Risk Lowest Common Denominator
“How much cyberrisk are you willing to accept?” can be one of the hardest questions to answer for an organization. Without proper guidance, the answer tends to be something along the lines of “We do not have any appetite for cyberloss.” But this is really a question that we deal with fairly regularly in our daily lives, just in other contexts. We can learn a lot about how to answer this question from how we handle it in our personal lives.
Let us say that you have purchased a new vehicle and need to procure auto insurance. You know that there are regulatory guidelines on these policies, but that insurance companies offer levels of coverage in excess of those guidelines. You also can reduce your premiums based on how much you want the deductible to be. If the premium is more than what you are comfortable paying, you can accept more risk in the deductible to reduce it.
The same kind of scenario plays out in other risk-insurance marketplaces in which we participate. Health insurance is one example, but there are many others. We have to decide if we want to pay for the extended warranty on our appliances and video games. When we buy a plane ticket, we have to decide if we want trip cancellation insurance. If you are unsatisfied with the coverage limits on your home and auto policies, there are umbrella policies available that give you additional limits of coverage in the rare event that you find yourself on the receiving end of a very serious lawsuit. Each of these examples is very different and yet also has a common thread.
These insurance companies are not asking you to express your risk appetite in terms of counts of things. The answer to your trip cancellation risk is not “I have no tolerance for missing my holiday trips” or a measure of how many trips you are okay with missing. In cyberrisk, this manifests itself in immature risk appetite statements, such as “We have no appetite for cyberrisk,” which is the functional equivalent of saying “We have no appetite for death.” Pretending we have control over the inevitable has not been shown to be an effective prophylactic. Far too often, metrics are developed for risk appetite that are based on what is easily within reach and expressed as counts: percentage of records, number of incidents, number of servers. When compared to other insurance marketplaces, this is not helpful in measuring risk: Your auto insurance does not make mention of the number of accidents. They want to know your financial risk appetite for auto-related losses and injuries.
Increasing the risk maturity in cyber necessarily means expressing loss in cost of risk. It is really the lowest common denominator of risk. This allows us to cleanly compare cyberrisk, credit risk, financial risk and so on. Do not be swayed by arguments that intangibles, such as reputation, cannot be measured. All measures have degrees of precision and variability. As a result, when expressing risk quantitatively, it is imperative that any financial amount shows ranges of loss to better inform management’s risk decision-making and convey the uncertainty inherent in those measures.
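As an added illustration of expressing risk as a financial range rather than a single number or a count (example code, not from the article or its author), the script below simulates annual loss for one constructed scenario from estimated ranges of loss per event and events per year, then reports percentiles and the chance of exceeding a dollar-denominated risk appetite. The scenario values, the triangular and Poisson distributions, and the US $1M appetite threshold are all assumptions.

```python
import math
import random

# Constructed estimates for one hypothetical loss scenario (not from the article):
# loss per event in dollars and events per year, each as (min, most likely, max).
LOSS_PER_EVENT = (50_000, 250_000, 2_000_000)
EVENTS_PER_YEAR = (0.1, 0.5, 3.0)
TRIALS = 20_000


def poisson_sample(rng, lam):
    """Yearly event count from a Poisson process with mean lam (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_annual_losses(loss_range, freq_range, trials=TRIALS, seed=1):
    """Monte Carlo over simulated years: sample a yearly event rate and a loss per
    event from triangular distributions; return the total loss for each year."""
    rng = random.Random(seed)
    lo, mode, hi = loss_range
    f_lo, f_mode, f_hi = freq_range
    totals = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_mode)      # expected events this year
        events = poisson_sample(rng, rate)             # events that actually occur
        totals.append(sum(rng.triangular(lo, hi, mode) for _ in range(events)))
    return totals


def loss_range(totals, low=0.10, mid=0.50, high=0.90):
    """Annual loss as a (10th, 50th, 90th percentile) range, so that the
    uncertainty is visible to management instead of hidden in a point estimate."""
    ordered = sorted(totals)
    pick = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return pick(low), pick(mid), pick(high)


def exceedance_probability(totals, appetite):
    """Share of simulated years whose loss exceeds a financial risk appetite."""
    return sum(1 for t in totals if t > appetite) / len(totals)


if __name__ == "__main__":
    years = simulate_annual_losses(LOSS_PER_EVENT, EVENTS_PER_YEAR)
    p10, p50, p90 = loss_range(years)
    print(f"annual loss (10th/50th/90th pct): ${p10:,.0f} / ${p50:,.0f} / ${p90:,.0f}")
    print(f"P(annual loss > $1M appetite): {exceedance_probability(years, 1_000_000):.1%}")
```

The appetite statement this supports reads "we accept no more than an X% chance of losing more than $Y in a year", which is comparable across cyber, credit and other risk types.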
Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, and IAPP Fellow of Information Privacy.
Audit Program Helps Ensure Your Processes, Controls and Policies Are HIPAA Compliant
The US Health Insurance Portability and Accountability Act (HIPAA) provides privacy and security for protected health information (PHI). In addition to HIPAA providing PHI safeguarding standards, the US Health Information Technology for Economic and Clinical Health Act (HITECH) establishes breach notification requirements and requires periodic HIPAA compliance audits. The US Health and Human Services’ Office for Civil Rights (OCR) performs these audits to provide management teams with an independent evaluation of the effectiveness of their HIPAA implementations and to highlight areas to enhance compliance.
The ISACA HIPAA Audit/Assurance Program provides a means for entities to internally evaluate their processes, controls and policies. Having identified any potential gaps between their practices and HIPAA requirements, corrective action can be taken prior to an OCR audit or compliance review. The audit areas include, but are not limited to, the following:
- Authentication—Addresses the risk associated with sensitive information access and location. Authentication associated with users and server communication of sensitive information are both covered in this audit program.
- Access management—Addresses the organization’s control program to ensure unauthorized access does not compromise confidentiality. This audit program covers administrator (i.e., system and database administrator) access levels that may allow controls to be bypassed.
- Continuous monitoring—Ensures access violations are identified, evaluated for risk, and escalated for investigation and/or to prevent recurrence.
Conducting a formal assessment of an organization’s HIPAA compliance allows an enterprise to avoid reputational risk, operational risk and financial risk (i.e., noncompliance fines/penalties). The ISACA HIPAA Audit/Assurance Program provides IT auditors with the tools to evaluate all systems that a covered entity uses to collect, maintain or use protected health information. This audit program can be downloaded by visiting the HIPAA Audit/Assurance Program page of the ISACA website.
Renew Your Membership for the Upcoming Year
This year is rapidly coming to a close and your 2017 ISACA membership is about to expire. Renew today to ensure you reap every member benefit available in 2018. Our latest member offerings include member-exclusive partner content featuring the Massachusetts Institute of Technology (MIT; Cambridge, USA) Center for Information Systems Research and Wapack Labs. There is much more on the horizon, so be sure to visit the MyISACA tab on the ISACA website to review your status and renew now.
White Paper: Ensure Your Security With Vulnerability Assessment
Assessing vulnerabilities is integral to creating a strong organizational security program and is mandatory for compliance in many instances. Identifying the weaknesses that malicious actors could exploit is the first step toward remediating them. Vulnerability assessments do not function like ethical hacking or penetration tests; however, they allow enterprises to focus on reconnaissance and discover weaknesses in the environment.
This Vulnerability Assessment white paper provides an overview of what vulnerability assessments are, how they are used, and the role that they play in ensuring an effective and comprehensive audit and security program. A vulnerability management system (or process) can identify, analyze and remediate enterprise issues and help enterprises realize the true value of the vulnerability assessment. Vulnerability assessments can work hand in hand with penetration testing exercises because they can provide the initial intelligence that penetration testers will use to isolate vulnerabilities to exploit them and simulate attacks.
You can access the complimentary ISACA white paper on the Vulnerability Assessment page of the ISACA website.
Explore the Future of IoT With This White Paper
The Internet of Things (IoT) connects humans with technology, potentially seamlessly, both at home and in business. When combined with machine learning and artificial intelligence, IoT creates vast opportunity not only for innovators, but also for law-abiding citizens, mischief makers and criminals. Given the rise in cybersecurity breaches as of late, one may wonder if the benefits of IoT can be achieved safely or if more consideration is needed to understand IoT risk.
The ISACA Assessing IoT white paper examines the upsides and downsides of IoT and identifies new challenges and opportunities. It explores the idea that IoT may allow greater collaboration among IT, engineering and business disciplines. This white paper also considers whether consumers and enterprises are patient enough to implement IoT safely and responsibly (albeit slowly), or whether they simply adopt the latest smart device as quickly as possible regardless of consequences. The speed of the market impacts decisions, but risk should not be ignored. This white paper explains why the IT professional should care about IoT as the future, and consider being proactive about the responsibility and accountability surrounding IoT from creation to destruction.
You can access the complimentary white paper on the Assessing IoT page of the ISACA website.