information risk management january 2013 lisa ho, it policy manager paul rivers, system and network...
TRANSCRIPT
Information Risk ManagementJanuary 2013
Lisa Ho, IT Policy ManagerPaul Rivers, System and Network
Security
Today’s Goals
Broad outline of Information Risk ManagementKey concepts, current work, future directions
Highlight topics for future work
Solicit feedback
A cultivated landscape
A multi-faceted Information Risk Management Program focused on achieving a campus environment where information security and privacy are fundamental elements of information management practices. The program shall include campus policy, resources, processes and services to create a landscape that supports systematic and consistent deployment and maintenance of secure and privacy-protecting campus information systems.
RiskInformation risk at UCB to date:- Driven by technical security concerns- Focus primarily on confidentiality
Future information risk domains:- The rest of the CIA triad: Integrity, Availability- Privacy- Accessibility
Technical security is the wrong driver:- At UCB, security has developed bottom-up
- from monitoring the network towards a more comprehensive information security program
- Data stewards must play an active role in setting risk tolerances and information handling requirements
- Broad agreement at a senior leadership level on risk tolerance is required so that expectations of an information risk management program match both funding levels and the directing of campus priorities from the top down
Confidentiality
AvailabilityIntegrity
Roles and Responsibilities
Critical topic, but not today’s focus
Addressed today:- IT Policy- Campus Information Security (SNS)- Data proprietors- System proprietors- Resource custodians
Future discussions:- Audit, Privacy
Managing Risk in Slightly Less Plain Language Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
UCB Information Risk Management Program
OCIO – Dec 5, 2012
Managing Risk in Slightly Less Plain Language Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
UCB Information Risk Management Program
OCIO – Dec 5, 2012
1. Data Classification Standard
New campus standard: https://security.berkeley.edu/data-classification
Tiered by confidentiality risk
From PL 0 (no impact) to PL 3 (extreme impact)- PL 1=Student FERPA data- PL 2=Notice triggering data (PII, PCI, HIPAA, etc)
“Protection level” is a more precise term than the old “restricted data”
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard
How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
2. Minimum Security Standards and Guidelines
UC Berkeley security policies cover a variety of topics: • Departmental security contacts • NAT policy• Electronic Communications Security Standard (future?)• MSSND:
Minimum Security Standards for Networked Devices
• MSSEI: Minimum Security Standards for Electronic Information
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
MSS and Guidelines (2 of 4)MSSND vs MSSEI
MSSND deals with connecting to the campus network
MSSND applies equally to printers, PlayStations, washing machines, microscopes, student laptops, or a home system that connects via the VPN- If a device is connected to the campus network, MSSND applies- Contrast with the ATT WiFi network on campus
MSSEI specifies the minimum set of controls that an information system must implement in order to mitigate confidentiality risk to a level acceptable per campus policy
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
MSS and Guidelines (3 of 4)
Key MSSEI points:- Codifies decisions about risk tolerance- A collection of standards, one per protection level- Based on industry standards (SANS Top 20 Critical Controls)- A campus minimum; other standards may apply- Applies wherever the data is stored, processed or transmitted- Scope very different from MSSND:
3 broad categories of devices- Individual - Privileged- Institutional
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
MSS and Guidelines (4 of 4)Future directions
Extend MSSEI controls and assessments to cloud/vendor environments (both SaaS and IaaS)- Work to begin in Q2 2013- Major concern: consistency between local and external requirements
UC IT Accessibility Policy- An example of a policy that applies to information systems that is not a security requirement
but is related to risk- Current status: Academic Senate review- Requirements would include:
- authority/responsibility, prioritization, - design process, procurement, - training, awareness campaign, - compliance monitoring, evaluation
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
3. Data Registration
Units on campus operate very independently, yet risk is institutional- Data registration is key for resolving this tension
Without registration:- No institutional management of information risk is possible- Offering effective campus-level programs and services is
challenging to impossible
Registration only became a requirement with the new MSSEI in effect July 2013
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Data Registration (2 of 3)
After every significant breach on campus, data registration is a hot topic:- We know the data is out there,
but often we don’t know where exactly- Breached notice-triggering information systems are often
not registered or mis-registered
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Data Registration (3 of 3)
Registration is not busywork. Things change as a result:- Incident response timelines- Vulnerability scanning schedules- Additional intrusion detection sensors- Additional analyst time spent analyzing security data related to that system- Packet capture for forensic purposes- Capacity planning and scheduling of more comprehensive security offerings- Additional reporting of relevant security and risk metrics
Goldilocks principle: register the right amount- Failure to register means systems
fly under the radar:- incomplete risk management picture
for campus leadership
- Over-registration wastes campus resources and skews planning efforts
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
4. Campus Programs and Services
Not all (or even most) controls are implemented by SNS - Resource custodians assume most of the responsibility
Some controls can be and are best implemented at a campus level:- More cost effective- Provides capabilities not possible when implemented per-system or per-unit- Better governance, checks and balances (privacy)
SNS programs and services align with the controls specified in our campus security standards
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services
What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Programs and Services (2 of 2)SNS Program Supports
which MSSEI category?
MSSEI requirement derives from which SANS Top 20 control?
Vulnerability scanning MSSEI 4 SANS 4
Intrusion detection MSSEI 11 SANS 13
Incident response MSSEI 16 SANS 18
Security contact management MSSEI 1 SANS 1
Data registration (RDM) MSSEI 1 SANS 1
Anti-malware software MSSEI 5 SANS 5
Log correlation and analysis –new!
MSSEI 12 SANS 14
Application security testing – new!
MSSEI 6 SANS 6
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services
What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
5. Security Operations and Risk Assessments
Security operations collects metrics and raises issues after systems are in production- Every system reviewed has had significant security issues- All systems would have benefited from an up-front
review- In-house systems could have developed more realistic resourcing plans
and a TCO picture- Purchased systems could have utilized
knowledge of risk presented by the system in vendor negotiations prior to purchase
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Sec Ops and Risk Assessments (2 of 4)
Goal: table-top assessment of an Information Risk Management Plan for all protection level 1 or higher systems prior to purchase or implementation- Resource constraints limit hands-on assessments to
protection level 2 and 3 systems- Current pilot of this starting with the
Technology Project Office
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Sec Ops and Risk Assessments (3 of 4)
Possible future discussionAdd a resource requirement to MSSEI so that funding is allocated to maintain the system and address risk as it is identified- To our knowledge, no one includes this as part of the operating costs for
information systems and infrastructure- Compared to industry, as a percentage of IT budget we underspend on security,
and the underspend happens largely here- Unless we address the funding problem head-on,
we will be forever stuck, unable to act on serious risk issues we identify
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Sec Ops and Risk Assessments (4 of 4)
Risk assessments are required for reasons other than measuring compliance with campus standards- Regulatory compliance: HIPAA, PCI- InCommon Silver certification and CalNet proxy auth- Researchers must attest they meet standards to receive
research data: California Health and Human Services CPHS requirements
Future direction: As stated above, extend assessment methodologiesto cloud and vendor services
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
6. Incident Management and the Exception Process
Incident: detection of non-compliance with a required campus standard- An incident is not a breach- SNS security ticket revamp effort in 2013: make clear required action and
time frameFailure to respond and resolve the incident in the specified time frame will escalate according to campus policy, ultimately resulting in termination of network access for the affected devices or systems
If an incident cannot be resolved in the specified time frame, filing for a Minimum Security Standard Exception is required to avoid escalation
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Incident Management and the Exception Process (2 of 3)
An exception petition requires several items:1. The specific devices and system in question2. The protection level of the data processed by the devices in question3. What standards are not met4. What alternative steps have been taken to mitigate the risk presented by not
meeting the required standards5. The date by which the devices/system will be brought up to standard
Most applications neglect #4. In some cases, simply accepting the risk may be acceptable, but this is not the default.- Either way, #4 must be explicitly addressed
in the exception request
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
Incident Management and the Exception Process (3 of 3)
Responsibility for evaluating exception requests has floated around the organization.- CISPC chair, IT Policy- Current plan is to move this to Security, with Policy as the first
level of appeal
Future discussionShould the ITLG be a second tier of escalation for registered non-public information systems and other significant cases?
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
7. Metrics and Reporting
Three levels of reporting today:- Monthly security metrics to security contacts- Application security testing results, risk assessments to resource
custodians and proprietors- Annual security reports to campus leadership
Ongoing development of what metrics we collect and how we report it. - This effort is in its infancy- Major reworking of backend systems
has already happened and will continue in order to support this effort
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review How do we both improve the process and respond to changing priorities and threats?
8. Regular Landscape Review
Security standards can and will evolve- Today’s MSSEI recommendations are tomorrow’s
requirements (really!)- Campus security programs will be re-evaluated and adjusted,
added or dropped in response to changing security standards- Threats will evolve and drive our decision to push our view of
risk past just confidentiality- Example: recent DDoS attacks
against libraries
Managing Risk in Slightly Less Plain Language
Managing Risk in Plain Language
Risk Decisions
Data Classification Standard How do we classify data by the (confidentiality) risk it presents?
Minimum Security Standards (MSS) and Guidelines
What’s required to protect data for each risk level?
Security Planning
Data Registration Where on campus are the systems that deal with these different levels of data?
Campus Programs and Services What campus-wide programs and services can we implement to help maintainers of these systems meet protection requirements?
Security Execution
Security Operations and Risk Assessments
How well, in fact, have the protection requirements been implemented in these systems?
Incident Management and the Exception Process
What do we do when the requirements are not met?
Feedback Loops
Metrics and Reporting How does the institution track how well risk is being managed?
Regular Landscape Review
How do we both improve the process and respond to changing priorities and threats?
Conclusion
If you remember six things from this, let them be these six:1. It’s “data protection levels” not “restricted data”2. Data stewards set risk tolerances; MSSEI sets protections to
meet these tolerances (everywhere!)3. MSSND is about connecting to the network; MSSEI is about
protecting campus information assets4. Registration is a critical step in the risk management effort5. Security programs and services are aligned with our security
standards6. Information risk management must be built into the process
from the start, and include the planning and budgeting stages