Importance of risk management
(Apologies that this article is published on the website betriakvordun.is; the page secprico.is is still under construction but will be available in the next few months.)
Through the years I have studied many frameworks, standards, regulations, acts, guidelines, etc. that in one way or another address security (physical, information, cyber, operational, application or whatever you want to call it), privacy and resilience (business continuity management, disaster recovery). What they all have in common is risk management in one form or another. It might be called (privacy/business) impact assessment, resilience assessment, risk tolerance, vulnerability assessment or threat intelligence, but it all has to do with risk.
The first step in risk management is to understand the context of the organization. What does it deal with? What products or services does the organization provide? What is the input, the processing and the output? Does any of this involve confidentiality, integrity and/or availability? What does your supply chain look like? Are you part of a supply chain? Who do you rely on? Who relies on you? Who are your stakeholders or customers? Do you keep records of processing for your whole operation, or only for PII because only GDPR requires that? Understanding your organization means keeping detailed records of processing for everything that is done.
If you don’t understand your organization there is no way for you to understand the risks it is facing. So understand where the income is coming from, where money is spent, what could cause losses or fines, where people could be at risk, where people could be the cause of risk, how well you protect your perimeters, how well you protect your crown jewels, what consequences it will have if your supply chain stops, whether there are customers that rely on you, and whether the organization is part of national critical or important infrastructure. This is a list without end, but the key to all of it is asking: “What if..?”
Origin of requirements
The business
Each organization must first and foremost look inwards when it comes to security and privacy. All measures taken should ensure that the business continues to exist. Of course there are businesses that don’t care; they are in it for a short-term gain. But luckily most businesses are in it for the long term. Their goal is thus business continuity. For that reason the owners and management have set goals on protecting the operation against various incidents and disasters, strengthening the resilience of the business. The main task then has to be to protect the business from the unexpected and at the same time create the environment to sustain and grow it through the opportunities that present themselves. The security function is for that reason the best friend of the management and the owners.
Legal, statutory, regulatory and contractual
Another important step is to understand your legal, statutory, regulatory and contractual requirements. If you don't understand them, you might be breaking the rules without knowing it. So understanding these requirements will reduce risk.
Many focus only on sector-specific law and regulation, but all organizations have to comply with endless legal, statutory and regulatory requirements. Just the requirements for document retention can be very complex. In my library I have a book I bought about 20 years ago, The ICSA Guide to Document Retention by Andrew C Hamer. It specifically provides guidance for businesses established in the UK. One might think that this is a rather thin book, but it is over 270 pages including the index. Searching on Amazon I found the third edition of the book, published in 2011, and now it had 372 pages and still it only covered the UK. This was only on records/document retention. What about all the other legal, statutory and regulatory requirements?
Most contracts state various requirements. How well does the organization understand and comply with these requirements? Is there a common understanding between both parties of the contract on how to interpret its clauses? My experience is that both parties seldom agree on everything, and most of the time one party expects more while the other cuts all the corners it can get away with.
Sector specific requirements
It might be that there are some sector-specific requirements, standards or guidelines that your organization is required to comply with, or recommended best practices. Make sure there is good knowledge of these within the organization and of course compliance where applicable. But in risk treatment there is no need to study only what your own industry sector requires of you. Many good ideas come from other sectors. The Cyber Resilience Act is directed towards the manufacturing of network equipment (hardware and software), but why not look at its requirements to strengthen the resilience of your organization? GDPR requires records of processing, but why not (as I say above) use that to gain a better understanding of your organization's activities? The AI Act restricts the use of AI, but is there something in it that could give your organization ideas on how to protect critical information or infrastructure? DORA is full of ideas on how to increase resilience even if the organization does not fall under it. The same goes for NIS2. And never rule out that tomorrow, next week or two years from now your organization has to comply with all of the above-mentioned regulations.
Most of the time, requirements made specifically for organizations in a specific sector exist because these organizations did not understand the risk in their environment, didn’t think it was important to do the analysis, ignored the risk, or for the purpose of synchronization. A detailed risk assessment should catch these risks and result in their being dealt with through the appropriate risk treatment. Having been in this business for over 30 years, I know that cutting corners has been the most common way, simply because the budget is limited for various reasons. Now that the cost of not being on guard is getting higher, it is likely that organizations will see the benefits of spending money on security and privacy.
Industrial standards, frameworks, guidelines and requirements
There are basically countless documents with requirements that various business sectors are required, or at least recommended, to comply with. Many of these frameworks have been around since last century and have grown and matured. ISO, NIST, SANS, ISF, COBIT, HIPAA, NCSC, NERC-CIP, FedRAMP, BIS, PCI DSS, WLA SCS and TISAX, to name a few. Then within NIST and ISO there are endless flavors of the requirements. It is as if there is no consensus on things, but still all of these documents require some kind of risk management, policies and procedures. Add the regulations and laws mentioned above and nobody has a sufficient overview, as can be seen in job posts where acronyms are listed without the understanding that nobody has the capacity to have full knowledge of each and every one. NIS2 is 73 pages, DORA is 79 pages, the AI Act will be a few hundred, the Cyber Resilience Act runs to a few hundred, GDPR is a simple one but still close to 100 articles, PCI DSS runs to 360 pages, CIS is 82 pages, NIST 800-53 is 462 pages and ISO/IEC 27001 and ISO/IEC 27002 are together 190 pages. And then I am only mentioning 10 documents.
I work with ISO/IEC 27001 as my main building block. For that reason I have mapped most of the regulations, acts, directives, frameworks, standards and guidelines that have crossed my path to ISO/IEC 27001 (including Annex A) and lately also to ISO/IEC 27701 (Annexes A and B). Of course not all requirements can be mapped, but then I keep records of that too.
Stakeholders
About the author
The author of the document is Marinó G. Njálsson, a consultant in the field of risk management, information security and privacy. Marinó was the security manager at deCODE Genetic from 1997-2000 and has since worked as a consultant. He has been an information security and privacy consultant for many large companies both in Iceland and around Europe. In Iceland, at VÍS, Landsbanki Íslands, covering all the country's pension funds, for the Ministry of Justice and the National Police Commissioner due to the Schengen information system, Valitor (now Rapyd), covering all elementary schools in the country, covering all kindergartens in the country and with the Commissioner of Police in the capital area. Outside Iceland at APMM (Denmark), Nokia (Finland), BMW for ISO/IEC 27001, TISAX and privacy (Germany) and Økonomistyrelsen for privacy (Denmark), to name a few.
For more information please send an email to security@internet.is or contact Marino G. Njalsson on LinkedIn