10 myths about risk management

10 COMMON MYTHS ABOUT RISK MANAGEMENT: MYTH vs. FACT

Upload: halocklabs

Post on 15-Apr-2017


A prevailing myth in business has been that computers and networks are not subject to classic business rules. We have allowed their revolutionary nature to isolate them from the common sense we apply to other business problems. This has made security and compliance both challenging and mystifying.

However, the reality is that digital security and compliance follow age-old regulatory, legal and management concepts. When these are understood and measurable, they become easier to achieve and manage.

MYTH 1: The auditor is the boss. I must fix what auditors tell me is not compliant.

FACT: Information security standards and regulations require that controls address risk appropriately. So auditors should base their findings on risk, not to-the-letter compliance. An unlocked door or a simple password is only a weak control if it creates an unacceptable risk. Risk analysis determines the unacceptability of a control, not an auditor.

Since 1993, Executive Order 12866 requires that all regulations must be enforced with a cost-benefit test, or based on risk. FISMA and NIST standards are designed with this in mind. To read the full executive order, visit the National Archives.

MYTH 2: Security compliance costs more than I can afford.

FACT: Privacy regulations require reasonable or appropriate safeguards. By definition, you must find a balance between the risk of a breach, and the burden for securing information and systems. Demonstrate this balance through a risk assessment, and by using safeguards that protect people and data, without breaking the bank in the process.

Regulations and standards that require “reasonable” security controls include:

• HIPAA Security Rule
• Gramm Leach Bliley
• Massachusetts 201 CMR 17.00
• ISO 27001
• NIST 800-53
• FISMA, etc.

Throughout this quick guide we will be pointing out tips on things to do, sites to visit, or blogs to read to help you understand the facts better. Each will be identified by the following symbols:

[Icon legend: Website, Blog, Regulation]

MYTH 3: Security is not our main concern because hackers are not interested in us.

FACT: Hackers may not be your main risk. Data breaches are caused more often by internal attacks, accidents and errors than intentional hackers.

Explore the Veris Community Database for an analysis of breaches over the past several years.*

MYTH 4: Policies and security training are a good way to start a security program.

FACT: Be careful! If policies and training describe controls and processes that do not exist, they can increase your liability. It is often better to start with high-level policies and instructions, implement the right processes, then finish off with specific policies and instructions that describe your new controls.

Visit the blog “Your Policies Can Hurt You” for more insight.*


MYTH 5: Gap assessments and risk assessments are the same thing.

FACT: A gap assessment just tells you what security safeguards may be missing. A risk assessment tells you whether your current controls are sufficient. Risk assessments find balance between potential harm and your burden to protect information to ensure that your security investments are appropriate.

Visit the blog “We Need a Risk Management Tipping Point” to learn more about the differences.*

MYTH 6: “Let’s do what our competitors are doing!” is a good way to plan security investments.

FACT: Neither compliance audits, nor lawsuits take a survey of your competitors to see if you are doing what they are doing. After all, your competition may be doing a bad job securing information. Auditors and attorneys must address your risk assessment and yours alone. The better your definitions of acceptable risk, the more you control the conversation.

Visit the blog “Using the Hand Rule to Manage the Upper Limits of Security Costs” to understand how much security is enough.*

MYTH 7: The more security we have, the lower our risk.

FACT: Risk heat maps (often a 5x5 matrix) show high risks as red and low risks as green. But did you know that overly restrictive security controls create business risk? A high score of ‘25’ may be “red” because of security risks, and a low score of ‘1’ may also be “red” because of business risk. An acceptable “green” risk is somewhere between these extremes.

Figure out what your organization’s Calculated Acceptable Risk Definition is. Not sure how to do this? Contact us.*

MYTH 8: If I earn a HIPAA certification, or a SOC 2, then I am compliant with HIPAA.

FACT: You may or may not be compliant with the HIPAA Security Rule, but one thing is for sure: the Department of Health and Human Services does not recognize certifications as evidence of compliance. They recognize risk management, and reasonable safeguards as compliance.

Read the article from Health and Human Services, “Are we required to ‘certify’ our organization’s compliance with the standards of the Security Rule?” *

MYTH 9: Information security is IT’s problem.

FACT: Information security is IT’s problem the way financial performance is the accounting department’s problem. Accounting and IT are simply the departments that process an organization’s assets. They do not own the assets. Just as financial performance is every executive’s responsibility, securing information assets is also their responsibility.

Check out the blog, “Management Risks are a Certainty” to learn more about organizational accountability. *

MYTH 10: Stronger controls mean better security.

FACT: Actually, where there is a conflict between getting business done and securing information, business wins every time. Motivated employees will violate security rules to accomplish business objectives. So security controls must be conscientiously designed to support those business objectives. A well-constructed risk assessment will help model safeguards that address both security and business.

Find out how being too cautious with security controls can actually be more harmful to an organization than you may have thought by reading “Overzealous Policies Can Hurt You.” *


To learn how to find a balance for security spending, review HALOCK’s philosophy on Purpose Driven Security®


* URLs for all links are available at the end of the document. The links are clickable.


ABOUT HALOCK

Founded in 1996, HALOCK Security Labs is a hybrid cyber-security firm with strengths in both management consulting and technical consulting. HALOCK's philosophy of Purpose Driven Security® focuses on defining and implementing just the right amount of security — not too much, not too little — customized to each client's business purpose. HALOCK's services include: Security Risk Management, Governance and Compliance, Penetration Testing, Incident Response Planning, Incident Response & Forensics, Security Organization Development, Advanced Threat Diagnostics, and Engineering Security Product Solutions. Contact HALOCK or visit us at www.halock.com


REFERENCED LINKS & FURTHER READING:

MYTH 1: To read the full executive order, visit the National Archives.
http://go.halock.com/myth-archives

MYTH 2: To learn how to find a balance for security spending, review HALOCK’s philosophy on Purpose Driven Security®
http://go.halock.com/myth-pds

MYTH 3: Explore the Veris Community Database for an analysis of breaches over the past several years.
http://go.halock.com/myth-veris

MYTH 4: Visit the blog “Your Policies Can Hurt You” for more insight.
http://go.halock.com/myth-policies1

MYTH 5: Visit the blog “We Need a Risk Management Tipping Point” to learn more about the differences.
http://go.halock.com/myth-tipping-point

MYTH 6: Visit the blog “Using the Hand Rule to Manage the Upper Limits of Security Costs” to understand how much security is enough.
http://go.halock.com/myth-hand-rule

MYTH 7: Figure out what your organization’s Calculated Acceptable Risk Definition is. Not sure how to do this? Contact us.
http://go.halock.com/myth-contact

MYTH 8: Read the article from Health and Human Services, “Are we required to ‘certify’ our organization’s compliance with the standards of the Security Rule?”
http://go.halock.com/myth-security-rule

MYTH 9: Check out the blog, “Management Risks are a Certainty” to learn more about organizational accountability.
http://go.halock.com/myth-management-risk

MYTH 10: Find out how being too cautious with security controls can actually be more harmful to an organization than you may have thought by reading “Overzealous Policies Can Hurt You.”
http://go.halock.com/myth-policies2