
The Privacy Advisor | One Program That Binds Them All: Risk, Privacy and Security


I would venture a guess that if you looked within your organization today for your operational risk, privacy and security functions, they'd either be in their own independent departments, tucked under someone whose primary responsibility is something completely different, or not wholly exist anywhere at all. This seems to be especially true for operational risk and privacy functions, but there are still organizations that are building security teams from scratch.

Is this a bad thing? Well, possibly, but every organization is different. To play off of Lord of the Rings a bit in my title, I would argue that you can leverage operational risk to manage both privacy and security aspects of your organization. What if you were in this situation in your organization and you had the opportunity to fix it? How would you do it?

As an information-technology professional for the last 22 years, any time that I start a new program, I do one thing: complete a gap assessment. 

So, then, what would you use as a best practice framework to assess against? If you align a standard risk assessment and fold in a privacy assessment, you're two-thirds of the way there. Once you have these, you can start building that third layer of security to start addressing the gaps. As is often said in the privacy world—and I paraphrase—privacy is what we are protecting, and security is how we're doing so. I would say risk is the key to properly prioritizing the "what" and "how" of both worlds for organizations, and it's often forgotten as an important layer.

So let’s assume you've determined the gaps, the prioritization and the plan on how you will move forward; now what?


Awareness 

You may have involved various key parties while assessing gaps, but now you have to get buy-in to any recommended mitigation plan. Start with executive management, packaging your message into a format that is easily digestible and immediately shows the value of your plan. Practice what your message is, and make sure you can get it out quickly and understandably so that they understand the risks of not completing the plan. 

Once you have that buy-in, share the plan with the other layers in the management chain to understand how this will impact them and that they will need to prioritize this work.

A common gap where awareness helps is in contract negotiations. If you are negotiating an agreement with a vendor or a customer and they delete security and privacy requirements that your organization is accountable for enforcing with third parties, explaining the risks involved to the management and legal teams who are assisting with the negotiation is critical; otherwise, it is likely that the deletions will be accepted without a true understanding of how that action will have an effect on compliance and potential liability in a breach.

Mitigation Management


Once the awareness of the gap remediation program has been fully socialized, follow-up is critical. You can’t assume that just because you came to agreement in a meeting that the work will automatically be done. Set periodic reviews with the owners of the projects, and ensure you understand roadblocks. It may not be your job to clear all roadblocks, but if you can help, then you are more likely to be successful.

A risk register is a good example of how to manage the priorities within a mitigation plan. Within a risk register, risks—otherwise known as gaps—are prioritized based on your organization’s risk thresholds, so risks ranked highest can be tackled first with the limited resources in your organization.
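As an added illustration of the register described above (this is example code written for this page, not a tool from the article or its author), the snippet below keeps a small register of gaps, scores each one as likelihood times impact, bands the score against organization-defined thresholds, and produces the ordered work queue that limited resources would be pointed at. The risk entries, the 1-to-5 scales and the threshold values are all constructed assumptions; a real register would use whatever scales and thresholds the organization's risk appetite sets.

```python
from dataclasses import dataclass

# Constructed thresholds: an organization sets these from its own risk appetite.
# Scores are likelihood * impact on 1..5 scales, so the range is 1..25.
THRESHOLDS = (
    (15, "critical"),
    (8, "high"),
    (4, "medium"),
    (0, "low"),
)


@dataclass(frozen=True)
class Risk:
    """One line of the register: a gap found during the assessment."""
    id: str
    description: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    owner: str               # who is accountable for the mitigation project
    domains: tuple           # which of the three layers the gap touches

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Map a numeric score to the first threshold band it meets."""
    for floor, label in THRESHOLDS:
        if score >= floor:
            return label
    return "low"


def prioritized(register: list) -> list:
    """Highest score first; ties broken by id so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.id))


def plan_cycle(register: list, capacity: int) -> list:
    """Ids of the top `capacity` risks: the work the next review cycle commits to."""
    return [r.id for r in prioritized(register)[:capacity]]


def summary(register: list) -> dict:
    """Count of risks per band, the kind of figure a periodic report would carry."""
    counts = {label: 0 for _, label in THRESHOLDS}
    for r in register:
        counts[rate(r.score)] += 1
    return counts


# Constructed sample register (hypothetical entries, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("R-01", "Vendor contract lacks breach-notification clause", 4, 5, "Legal", ("privacy", "security")),
    Risk("R-02", "Backup media not encrypted at rest", 3, 4, "IT Ops", ("security",)),
    Risk("R-03", "Public privacy notice out of date", 2, 2, "Privacy Office", ("privacy",)),
    Risk("R-04", "Stale accounts retain access to shared drive", 3, 3, "IT Ops", ("security",)),
    Risk("R-05", "Guest network password posted in lobby", 1, 2, "Facilities", ("security",)),
]

if __name__ == "__main__":
    for r in prioritized(SAMPLE_REGISTER):
        print(f"{r.id} {rate(r.score):8} score={r.score:2} owner={r.owner}: {r.description}")
    print("next cycle:", plan_cycle(SAMPLE_REGISTER, 2))
    print("by band:", summary(SAMPLE_REGISTER))
```

Running it lists R-01 (critical) first and R-05 (low) last; with capacity for two projects the cycle commits to R-01 and R-02, and the band summary gives the one-line count that reporting to management can repeat each period to show the register shrinking from the top.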

Reporting

Periodic reporting to all levels of management and board members is the last must-happen part of the program. If projects do stall, senior management will be the most capable of clearing paths to completion. As with the initial reporting, ongoing reporting must be clear and concise, showing how value is added with each completed task. Focus on increases in the efficiency and effectiveness of processes, as those are more tangible to the business itself and can more readily impact the bottom line. If you haven't answered "why" something needs to get fixed to a level that makes business sense, keep asking yourself that question until it does.

How would you show value? By tracking not only the successful completion of your gap analysis remediation plan but also trending metrics of how processes are performing to show the value that you seek. That, and after a year or so you can brush off the frameworks that you used to do the original assessments and do a follow-up to see if anything new has emerged. Adhering to a combined best-practice framework of privacy and security will provide, at the very least, the minimum control environment needed to support both worlds.

Tools

What tools can you use to help complete the above program? Below are links to risk and privacy assessments, security framework overviews and reporting examples.

NIST Cybersecurity Framework 

NIST Risk-Management Framework

Examples of Privacy Impact Assessments

Variety of risk-management aspects

Look here for Risk Reporting Form in Appendix Three

Interesting discussion on perception of risk reports

photo credit: Envelope 007 : Playful Protection via photopin (license)
