Examining The Rapid Growth Of Auditing Information Technology Essay

Published: November 30, 2015 Words: 2620

Introduction

Auditing has rapidly grown in value over the years and has established its place in even the largest organisations. "It has shifted from back-office checking team to become an important resource." (Pickett, 2005) This shift from controlling staff to using risk assessment establishes a more significant control over the business. The change has given employees more scope to introduce new ideas and to experiment. Risk is the probability that something occurs which affects the objectives of the organisation.

Unfortunately, before the 1980s strong risk management processes were not popular. After that, organisations rapidly began adopting risk management processes to manage their risks and to stay ahead of their competitors. Risk management is a basic component of governance: it builds and operates the risk management framework on behalf of top management.

Information classification is also part of the information risk management process: it helps to secure information by prioritising the levels of risk, grouping the information into classes, and applying a different type of security to each class.

Financial organisations also hold a lot of information that must be secured, but there is no point in protecting every element of it, because some information does not need to stay inside the organisation and can be shown publicly. This is where the concept of information classification is applied: to define classes of information and to apply risk management approaches to each class.

This research work is a report prepared, in the role of an information security consultant at an IT auditing company, after investigating the information classification and risk management process; it includes solutions to the risks identified in the risk analysis.

Identify and critically assess the importance of information classification process and other related issues.

Information is one of the most important parts of an organisation and plays a vital role in its progress and success. Organisations must protect some part of their information. 'Some part' means that not all information needs to be protected: some of it is meant for everyone, and there is no harm in disclosing it. This is where the idea of information classification works, i.e. categorising information into classes that define a level of security. Each class describes how much security that part of the information requires. "A classification system is proposed which classes information into four levels. The lowest is the least sensitive and the highest is for the most important data / processes. Each level is a superset of the previous level." (Boran, 1996) The classes usually defined for information in banks are Public or Non-classified Information, Internal Information, Confidential Information, and Secret Information. This classification describes which part of the information is visible to whom. For example, Public Information is visible to everyone, but only information whose disclosure poses no threat is made visible; Internal Information is protected from external access, employees of the organisation can see it, and it is not critical to the organisation; Confidential Information stays within the bank and is protected from external access, because if unauthorised people gained access to it they could cause financial loss, so data integrity is vital; and Secret Information is denied to unauthorised access, whether internal or external, and only the very few people who meet the strict rules may use it.

Issues related to Information Classification

Information identification is one of the issues in information classification: if information is not properly identified, it cannot be classified.

"Information classification systems were too complex." "As a result they rarely deliver business benefits and are often simply ignored." (Grant, 2008) Very complicated classification schemes are hard to implement, and only experts can understand and operate them.

Identifying who will access the information and for what purpose.

One more related issue arises when "we fail to provide employees with the tools to get the job done." (Rich, 2007) Tools here means the resources needed to complete the job.

Critically analyse the information classification schemes and information classification management process.

Information Classification Scheme

"One of the foundational elements of an information security program is the existence of and adherence to a formal data classification scheme." (Collette, 2006) Yet even some organisations that promise to protect organisational and customer information fail to implement an information classification scheme.

A good information classification scheme also includes a time element, which allows the class or status of a piece of information to change on a particular date and time. An example is the earnings of a public company, which are confidential until the earnings announcement date; after that they become public.

Information classification schemes provide information security because they immediately identify the security level required for a component of information and for the people related to it.
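The superset property of the four classes and the time element described above can be expressed as a small access-control check. The code below is an added illustration, not part of the essay or of any bank's system; the level names follow the essay, while the principals, records, the announcement date and the rule that external parties may read only Public information are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """The four classes from the essay, ordered so that each level is a
    superset of the one below it: clearance at a level covers all lower ones."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Record:
    name: str
    level: Level
    # Time element: at `reclassify_at` the record drops to `level_after`.
    reclassify_at: Optional[datetime] = None
    level_after: Optional[Level] = None

    def effective_level(self, now: datetime) -> Level:
        """Return the class that applies at instant `now`."""
        if (self.reclassify_at is not None and self.level_after is not None
                and now >= self.reclassify_at):
            return self.level_after
        return self.level


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Level
    internal: bool  # assumption: employees are internal, everyone else is not


def can_read(p: Principal, r: Record, now: datetime) -> bool:
    """Superset rule: a principal may read a record if its clearance is at
    least the record's current level; non-employees only ever see Public."""
    lvl = r.effective_level(now)
    if not p.internal and lvl > Level.PUBLIC:
        return False
    return p.clearance >= lvl


# Constructed sample data (not from the essay): earnings that are
# confidential until a hypothetical announcement date, then public.
ANNOUNCEMENT = datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc)
EARNINGS = Record("q4_earnings", Level.CONFIDENTIAL,
                  reclassify_at=ANNOUNCEMENT, level_after=Level.PUBLIC)
BRANCH_LIST = Record("branch_list", Level.PUBLIC)
KEY_MATERIAL = Record("hsm_keys", Level.SECRET)

ANALYST = Principal("analyst", Level.CONFIDENTIAL, internal=True)
CLERK = Principal("clerk", Level.INTERNAL, internal=True)
JOURNALIST = Principal("journalist", Level.PUBLIC, internal=False)


def access_matrix(now: datetime) -> dict:
    """Evaluate every principal against every record at a given instant."""
    return {
        (p.name, r.name): can_read(p, r, now)
        for p in (ANALYST, CLERK, JOURNALIST)
        for r in (EARNINGS, BRANCH_LIST, KEY_MATERIAL)
    }


if __name__ == "__main__":
    before = datetime(2025, 1, 15, tzinfo=timezone.utc)
    after = datetime(2025, 2, 2, tzinfo=timezone.utc)
    for when in (before, after):
        print(when.date())
        for (who, what), ok in sorted(access_matrix(when).items()):
            print(f"  {who:10} {what:12} {'read' if ok else 'denied'}")
```

Running it before and after the announcement date shows the same earnings record denied to the clerk and the journalist on 15 January and readable by both on 2 February, while the secret key material stays out of reach of everyone in the sample.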

Tips for implementation of information classification scheme

Be aware of what can be practically achieved.

Include the key stakeholders in the information classification scheme, because by doing so they are more likely to support its implementation.

Document the classification strategy and have it approved by management as soon as possible.

Align with international or even national standards where possible.

Information Classification Management Process

Information classification management is the process of managing the classification of information and protecting it from unauthorised access. Banks always divide their customers' information into different categories according to the levels of risk involved. They prioritise information access and assign access privileges only to authorised identities within the bank and to the person whose information they are protecting. They give customers an account number and PIN, and for online users an ID and password, to access their accounts.

In this process, the first step is to carry out surveys, interviews or questionnaires to identify the sources of information, because these sources must be protected. Next, the goals of information protection (e.g. authentication, encryption, technology controls and assurance) are established before moving on to identifying labels for the information classes. The protection measures identified earlier are then mapped to the identified information classes. Now is the right time to classify the information; the primary objective of this step is to validate the protection measures for the information sources. There is an optional but very important step of repeating any step if needed: whenever a change or update is required, any step can be performed again. (Pickett, 2005)

Demonstrate the needs for information risk management and the importance of adopting international information risk management standards.

Financial businesses in today's world are always concerned about the effectiveness of their information security. Customers, employees, business partners, suppliers and shareholders all look at the techniques used to manage information risk.

The financial industry holds very sensitive information that it cannot afford to have corrupted or lost. Information about customers, accounting data and plans must be protected from risks; the need for information risk management starts here. "Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions." (Stoneburner, 2002) These needs also include:

Internal and external risks are managed through information risk management.

Information is tracked throughout the information lifecycle.

Information Risk Management "Allows for timely remediation of identifiable risks across the business." (RSA, 2007)

It measures the efforts made to protect the most important asset of the organisation's business.

It protects the information even if the business environment changes.

Importance of adopting International IRM Standards

Standards developed by international standards organisations are called international standards. Different standards are available for different business areas, and these are used worldwide. Adopting international information risk management standards ensures capability; coordinates diversity and interfaces within organisations; ensures the achievement of objectives; refines information quality; helps to identify and manage risks; and enhances mutual understanding between organisations, even geographically separated ones. One example of an international standard is ISO/IEC 27005, which provides information security risk management guidelines. (Sakakura, n.d.)

Demonstrate and critically explore the concepts of information risk management in the business context.

Any organisation must have a suitable, continuous risk management process. IRM is a strategy that provides very efficient ways to identify, assess and mitigate the information risks that information carries during its lifecycle. "This information-centric initiative allows financial institutions to devise a holistic approach to handling the various information risks that Financial Services organizations are facing." (RSA, 2010) Even though each organisation has its own way of doing it, the typical steps of information risk management are:

Identify and prioritise or rank the information risks in the organisation.

Select a suitable approach to manage the risks, and avoid those risks that the organisation does not want to manage.

Implement controls to handle the risks that remain after avoidance.

Continuously check the effectiveness of the controls and of the risk management approaches.

Make improvements from past experience. (ICA, 2002)

Most organisations of any size (small, medium or large) and type usually group their risks as strategic, operational, financial, compliance and environmental. The most commonly used methods for managing these risks are accepting the risk, transferring the risk (generally by insurance), reducing the risk (reducing its impact) and eliminating the risk (removing it entirely).

Factors that cause failure in managing information risk

"To get the Benefits, you have to go about managing risk in the right way, and avoid the pitfalls that lead to failure." (Changeboard, 2009) For the information risk management process to succeed, the following should be avoided:

Inability to identify risks.

Very complex approaches to managing information risk. A complex approach is hard to implement, requires highly skilled and experienced people to carry it out, and can be more time consuming.

Lack of resources.

Ineffective processes and reporting structures.

Lack of teamwork among employees in the group.

Critically explore and compare the different types of information risk management terminologies used and the types of assets.

The following are the different terminologies used in information risk management.

Risk Acceptance: This is a management decision to accept a risk without eliminating or even mitigating it; quite possibly the acceptance is only for a limited time. Risk is accepted in two types of situation: when the impact of the risk is so low that it will not harm the organisation, and when it can be handled by insurance. A further possible situation is when mitigating the risk is so expensive that the organisation cannot afford to do it.

Risk Avoidance: Risk avoidance is "avoidance of some risk, or class of risks, by changing the parameters of the project." (NRC, 2005) Here the project is reconfigured in such a way that the risk disappears or is reduced to an acceptable level.

Risk Transfer: The risk cannot be managed by the organisation itself. Sometimes organisations are unable to eliminate or reduce a risk (perhaps because they lack the experts to do so). In that case, the risk is allocated to a third party that can manage it best.

Risk Mitigation: Mitigation is decreasing the likelihood that a risk event occurs, or decreasing its impact if it does occur. Risk mitigation should characterise the origin of the risk; identify alternative mitigation strategies, procedures and tools for every major risk; and make the planning results available to everyone on the implementation team.
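The typical IRM steps listed earlier (identify and rank, select an approach, implement controls, check the controls) and the four treatments just defined (accept, avoid, transfer, mitigate) can be worked through as a small risk register. The code below is an added example and is not part of the essay or of any cited standard; the likelihood x impact scoring, the accept threshold, the budget figure, the fixed likelihood drop a control is assumed to give, and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Tuple


class Treatment(Enum):
    """The four treatment options defined under the IRM terminology."""
    ACCEPT = "accept"
    AVOID = "avoid"
    TRANSFER = "transfer"
    MITIGATE = "mitigate"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int          # 1 (rare) to 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) to 5 (severe); assumed scale
    mitigation_cost: float   # assumed cost of the controls that would reduce it
    insurable: bool = False  # can it be transferred, e.g. by insurance?
    avoidable: bool = False  # can the activity be changed so the risk disappears?

    @property
    def score(self) -> int:
        """Likelihood x impact rating used for ranking (an assumption)."""
        return self.likelihood * self.impact


ACCEPT_THRESHOLD = 4  # assumed: a score at or below this is accepted as-is


def rank(risks: List[Risk]) -> List[Risk]:
    """Step 1: prioritise. Highest score first, name as a stable tie-breaker."""
    return sorted(risks, key=lambda r: (-r.score, r.name))


def choose_treatment(r: Risk, budget: float) -> Treatment:
    """Step 2: pick a treatment. Low risks are accepted; risks the organisation
    can design away are avoided; insurable ones are transferred; the rest are
    mitigated unless the controls cost more than the budget, in which case the
    risk is knowingly accepted (the 'too expensive to mitigate' case)."""
    if r.score <= ACCEPT_THRESHOLD:
        return Treatment.ACCEPT
    if r.avoidable:
        return Treatment.AVOID
    if r.insurable:
        return Treatment.TRANSFER
    if r.mitigation_cost > budget:
        return Treatment.ACCEPT
    return Treatment.MITIGATE


def apply_control(r: Risk, likelihood_drop: int = 0, impact_drop: int = 0) -> Risk:
    """Step 3: a control lowers likelihood and/or impact, never below 1."""
    return replace(r,
                   likelihood=max(1, r.likelihood - likelihood_drop),
                   impact=max(1, r.impact - impact_drop))


def plan(risks: List[Risk], budget: float) -> List[Tuple[str, int, Treatment]]:
    """Ranked register with the chosen treatment for each risk."""
    return [(r.name, r.score, choose_treatment(r, budget)) for r in rank(risks)]


def needs_review(risks: List[Risk], budget: float, likelihood_drop: int = 2) -> List[str]:
    """Step 4: after mitigation, list the risks whose residual score is still
    above the accept threshold, so their controls must be checked again."""
    flagged = []
    for r in rank(risks):
        if choose_treatment(r, budget) is Treatment.MITIGATE:
            residual = apply_control(r, likelihood_drop=likelihood_drop)
            if residual.score > ACCEPT_THRESHOLD:
                flagged.append(r.name)
    return flagged


# Constructed sample register (not from the essay).
SAMPLE_RISKS = [
    Risk("phishing_of_staff", 4, 4, mitigation_cost=20),
    Risk("legacy_fax_channel", 3, 3, mitigation_cost=10, avoidable=True),
    Risk("datacentre_fire", 1, 5, mitigation_cost=80, insurable=True),
    Risk("public_brochure_typo", 3, 1, mitigation_cost=1),
    Risk("unpatched_core_system", 2, 5, mitigation_cost=200),
]
BUDGET = 50.0  # assumed control budget in arbitrary currency units


if __name__ == "__main__":
    for name, score, treatment in plan(SAMPLE_RISKS, BUDGET):
        print(f"{score:2}  {treatment.value:9}  {name}")
    print("still above threshold after controls:", needs_review(SAMPLE_RISKS, BUDGET))
```

With the sample register, the staff phishing risk ranks first and is mitigated, the unpatched core system is accepted only because its controls exceed the budget (which is exactly the kind of time-limited acceptance the terminology section describes), and the post-control review still flags phishing because a two-step drop in likelihood leaves its residual score above the threshold.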

Types of Assets

An asset is a tangible or intangible entity that someone owns or controls and that provides some value to the owner and the business. There are different types of assets in organisations.

Operational assets: These are usually called physical assets. They include land, property or equipment used to perform daily activities.

Current Assets: "All available organisational resources intended to meet current expenses, running requirements or any other purpose" (Sustainablefundingcymru, 2009). All income, stock, grants, employees and contracts are included in this.

Endowment Assets: Operational or physical assets that are owned permanently by the owner of the organisation in order to generate income.

Trust Assets: These assets are used to meet future needs and are held by a 'trust' on the community's behalf.

Investigate the risk management principles in terms of organisation information security management and develop the information risk management strategy for organisation to effectively handle the issues.

Banking organisations provide many services, such as electronic or online services, to their customers. Transfer of funds, payments, corporate cash management systems and publicly accessible automated machines for cash withdrawal and account management are globally accepted patterns. Because information technology changes rapidly, there are many risks to the information held in banks. To manage these risks, principles must be defined by the organisation's committee. Traditional banking principles of risk management apply to all banking activities. Since banking activities also include online banking, the risk management principles must be customised to fit these activities and their particular risk management challenges as well.

Banking principles of risk management are divided into three categories of issue: board and management oversight, security controls, and legal and reputational risk management principles. "However, these principles are not weighted by order of preference or importance." (Basel Committee, 2001)

Board and Top Management Oversight

The top management committee should:

Supervise the risks involved in all banking activities.

Analyse and approve the main aspects of the security control process.

Principles of Security Controls:

Authentication

Data integrity and transaction integrity

Authorisation

Confidentiality

Maintenance

Legal and Reputational Risk Management Principles:

Banks should provide sufficient information to their customers so that they always remain up to date with new events at the bank.

Banks should assure their customers that their private information is secure from others at all times.

Banks should have proper planning for effectiveness and business continuity so that customers can be assured of the availability of the business over the long term.

Banks should make plans to reduce the risks from unpredicted events, including both external and internal attacks that can harm banking services.

Risk Management Strategy

The risk management process is divided into two parts. The first is risk analysis or risk assessment, which includes identifying, estimating and evaluating risks; the second is risk management, which includes "planning, monitoring and controlling activities based on the information derived from risk analysis." (WDC, 2010) For the proper management of information risk (or indeed any risk) and for its implementation, strategies must be built. A risk management strategy "Defines how risks will be managed during the lifecycle of the programme." (OGC, 2010) The risk management strategy and plan must assess the threats and risks to the project's success and the actions needed to reduce or entirely eliminate those risks.

Conclusion

Most of the time, classification schemes are not perfect. A classification scheme helps to make choices at the beginning, but it must be updated from time to time as needed. On the other hand, using a single classification scheme for a long time and sharing the scheme with other groups helps in comparing statistics.

When the classification process is applied to information, what matters more is not the class name but how the class is described and what information it contains.

Classification is not a function of only one type of incident. Different groups may assign different classes to the same information according to the priorities given to them.

Recommendation

International IRM standards should be used in financial organisations such as banks, as they provide better-quality security for information. One international standard recommended for information security risk management is ISO/IEC 27005.