
Mutual support is key to managing risk

Specialists in operational risk and information security must agree to cooperate with and help each other for the benefit of their business.

Jeremy Ward, Computing 15 Apr 2004

Reducing business risk has long been the remit of operational risk professionals, who are, according to the Basel Committee at the Bank for International Settlements (1999), responsible for 'the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events'.

Control of information confidentiality, integrity and availability, on the other hand, fell into the lap of the IT department.

As a result of a regulatory-inspired revolution and a renewed focus on business continuity, these previously separate jobs have begun to overlap.

Naturally, operational risk professionals believe they are the experts in this area, while information security experts think operational risk people lack understanding of information security risk. Yet both are trying to manage the same area.

Operational risk professionals need to wake up to the fact that IT professionals are vital in the process of information flow and audit.

At the same time, the IT department needs to know a bit more about the business impact associated with the assets for which it is responsible.

Preserving the confidentiality, integrity and availability of information must involve people, processes and systems. Detailed, specific information must be seen as fundamental to any business.

If you cannot trust the confidentiality and integrity of that information, you cannot guarantee you will complete the job, and if the information is not available, you cannot even begin it.

In the newly regulated world, these two levels of understanding must combine to ensure business continuity.

The problem is that operational risk specialists spend their professional lives thinking about the consequences and costs to the business, but are unlikely to consider the failure of the data on which the business depends.

Information security, on the other hand, has struggled to meaningfully quantify business risk, yet is familiar with networks, electronic threats and vulnerabilities.

Information must flow from operational security controls to managerial and strategic planning, and vice versa.

Operational controls cannot be effective unless they are sensitised to what is strategically important to the business, nor can strategic controls be effective if they do not have a baseline derived from day-to-day information.

There are five levels of control for information security risk in a business.

Information security generally operates at levels one and two - operational security and awareness; and vulnerabilities, incident alerts and compliance.

Operational risk works at levels four and five - business risk and impact analysis; and managerial and strategic planning.

Failures at level three - critical asset protection and forensics - commonly occur because no group has clear responsibility.

And while very few businesses have clearly identified all their critical information assets, still fewer understand what is needed to protect their availability, or to identify breaches in confidentiality or integrity.

Any break in the control chain will result in complete or partial failure to transfer information, which must affect the ability of the business to control its information security, and thus its operational risk.

So if businesses are not implementing level three controls effectively, they must be on course for failure to meet regulatory demands.

Specialists in operational risk and information security must agree to a mutual support contract. Operational risk needs to know more about the threats to vital networked assets, and information security needs to understand more about how to determine the importance of the assets for which it is responsible.

Jeremy Ward is senior consultant at Symantec and sits on the UK Government/Industry Forum on Encryption and Law Enforcement and the CBI's Web Security Working Group.

