zoomlens - loveland, subramanian -tackling info risk
zoomlens
September 2011
Tackling Information Risk
Your greatest asset could be your greatest risk
Highlights:
• Most companies don’t understand the risks posed by their information until it’s too late
• Competitors, hactivists, regulators, and opposing counsel see great value in information stores and can wreak organizational havoc in their attempt to uncover it
• Key challenges lie in balancing the desire for data control with the need for access and apportioning greater spending to higher risk data sources
• A simple framework can allow organizations to better identify and understand their riskiest data and prioritize finite IT, security and other spending
The concept of “he who holds the information, holds the power” is well-understood. But today, with exploding volumes of stored data, increasingly distributed computing (the “cloud”, smartphones, tablet PCs, etc.), heightened regulatory scrutiny and the proliferation of “professional” hacking groups, the corollary is equally true: “he who holds information, holds the risk.”
Yet, most companies don’t act to minimize their information risk until they’re forced to, resulting in extraordinary and disproportional costs—both direct and indirect—and, often, inadequate results. Ask any company who has faced a pressure-filled Foreign Corrupt Practices Act investigation, high-stakes litigation or major information security breach and most will say that they wished that they had done more to prepare for these events before they happened. Increasingly, the task of tackling Information Risk Management (“IRM”) and the crises that result is falling to the general counsel’s office.
Why don’t more companies think about how to manage their information risk? Why does it often take a crisis event before a company even begins to think about how, where, and why data is stored and who has access to it? The short answer is simple: it’s really hard. But like any good business problem, it can be broken down to a handful of key drivers:
Too much data: A recent study estimated that in 2011, the amount of information created will surpass 1.8 zettabytes (1.8 trillion gigabytes), 9 times the rate of just 5 years ago! With so much information growth, many organizations are often unaware of the types of data that they have within their infrastructure. If they don’t know that it exists, how can they assess its risks and secure it?
One-size fits all approach: Many organizations pair a one-size fits all approach to data security with a one-size fits all approach to IRM. Even with the emergence of the Chief Information Security Officer position, the focus remains primarily on how do we keep people out of our network, not on how do we rationalize and optimize the information we keep and how do we differentiate between how we manage high risk data (e.g. Medical Records) and low risk data (e.g. office dress code).
Increased demand for information access: Compounding the problem is that employees now demand real-time access to information from wherever they are, through whichever device they happen to be using—from smartphones to tablet PCs. While this surely has positive effects on worker productivity and creativity, it complicates the organization’s ability to properly keep its information protected from inadvertent disclosure or malicious exploitation.
False sense of security: Whether it be “Hactivists” like WikiLeaks and Anonymous accessing and leaking information to send some quasi-political message, or unscrupulous competitors (including nation states) looking for an advantage, there are a myriad of reasons why external parties want access to your data. While industries and organizations differ in their risk profiles, none are immune from the risks of hackers, or of the impact that poor IRM practices can have on a regulatory review or litigation.
As if the above weren’t enough to keep your risk management team up at night, all of this comes, of course, at a time of increasing regulatory scrutiny (e.g., the Dodd-Frank Act) and enforcement actions, global data privacy regulation, and crushing e-discovery requirements. So given these factors, what can the general counsel’s office do to manage these risks?
A Framework for Assessing Information Risk
While the scale and size of the information risk issues may seem insurmountable, the following framework for analyzing information risk can help you get a better handle on the problem and focus your investment more appropriately. The following are 5 key steps that must be undertaken before risk mitigation plans can be developed and investments can be made.
1. Understand the key types of data that exist within your organization
The first step is to develop an understanding of the types of data (or data categories) that exist within your organization (e.g. operational data, customer and vendor lists, payroll, intellectual property, corporate strategy documents, etc.). Clearly the focus here ought to be on data that is sensitive, private or serves an important business purpose.
2. Understand where the data is stored
For each of the data categories, determine where the data is currently stored. Data locations could include, for example, internal servers as well as third-party “cloud”-based providers. It should be noted that in many cases a regulator will still hold an organization accountable for the security and protection of its data, even if the storage is outsourced to another vendor. In addition, the location of the data impacts the risks to an organization based on the applicable jurisdictional data privacy and breach laws.
3. Understand the owners of the data
The next step is to determine who “owns” or has primary responsibility for managing and ensuring the quality of the data in question. The data owners will be important in helping to manage the risks associated with the data.
4. Understand the risks of the data
For each of the data categories, assess the risks associated with the data. When assessing risk, it is important to think holistically and include financial, operational, regulatory, legal and reputational risk. Categorize the overall risk as either High or Low.
5. Understand the user access needs
For each of the data categories, determine the access needs. If the data needs to be accessed regularly (e.g. inventory data) or in real time (e.g. tablet-based operational reports), then mark the data access needs as High. If the data is accessed infrequently, then mark the data access needs as Low.
After the completion of this process, an organization can now classify its data into four separate categories by plotting a matrix of risk versus access. Each of the four areas is summarized below in descending order of priority:
High Risk—High Access Requirements
Data in the upper right quadrant represents the highest need for risk management focus and investment. Data is normally sensitive to either customer or internal information, and requires access from groups at various levels of the organization (e.g., patient healthcare information at a hospital). Efforts should be made to centralize and implement controls of this data (e.g., monitoring of data usage, strong usage policies and data protection/security training, etc.).
High Risk—Low Access Requirements
Investments will best succeed in centralizing higher risk, but less accessed, data such as employee HR information (e.g. social security numbers). While the lower level of use will naturally yield inherent safeguards, the sensitivity of this information will still require effective security and controls management.
Low Risk—High Access Requirements
Such data can include, for example, phone directories for US based employees. As the data presents little risk to the organization, but is accessed frequently, lower levels of security investments or controls are needed beyond the organization’s baseline security and data usage standards.
Low Risk—Low Access Requirements
This category of data may be best served through little to no additional investment beyond the organization’s baseline security and data usage standards. Data of low risk and low access normally is used by a particular group, and does not contain sensitive information (e.g., the marketing team’s internal memo template).
While the outline above provides an effective framework for assessing the information most at risk, many other issues must be considered and addressed prior to implementing procedures to mitigate the risks described above. Such issues will include, but not be limited to, data privacy laws (especially in some international markets), regulatory requirements (regarding how data is stored and for how long), the existing IT infrastructure and the company’s IT personnel that can implement and oversee the process. Having a team that can speak to the regulatory and IT technical issues and solutions is essential to a successful and cost effective IRM investment.
Striking a Balance Between Control and Availability
Organizations must strike a careful balance between the availability and ease of access of information while also maintaining a high level of control to ensure the appropriate usage and protections of that information. The proliferation of data within an organization only compounds the difficulties faced in managing this balance.
The approach detailed above provides a framework to allow organizations to better understand their data, appropriately risk rate their data across the risk-access matrix, and prioritize finite IT, security and other resources around key high risk data categories.
The problems faced by competing priorities of access and security are not going away; in fact they will only get worse. Organizations that are able to effectively share information throughout their enterprise, while maintaining control over the security of this information, will have a significant competitive advantage in the future.
Contacts
For a deeper discussion please contact:
John Loveland, Managing Director, PwC, (703) 918-1451
Sanjay Subramanian, Director, PwC, (703) 918-1509
Brian Wycliff, Principal, PwC, (646) 471-3380
Philip Upton, Principal, PwC, (646) 471-7508
Dyan Decker, Principal, PwC, (213) 217-3347
Eric Matrejek, Managing Director, PwC, (312) 298-5637
© 2011 PwC. All rights reserved. "PwC" and "PwC US" refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.