7 Deadly Sins of Information Risk Management


Page 1 of 2    5/25/2010 9:55 AM    Citrayudha Komaladi

From: Goh Kheng Leng [[email protected]]
Sent: Friday, March 30, 2007 4:52 PM
To: Citrayudha Komaladi; Heng Cheng Chiang Eddie; Ng Sai Wei
Subject: 7 deadly sins of information risk management

www.SecurityPark.net - The leading News portal for Security Professionals - Copyright 2000-2006

Security News article posted in Security News, IT Network and Computer Security, Knowledgebase, on 15/03/2007

Do not commit the seven deadly sins of information risk management

Information Risk constitutes any possible event that will prevent information from being used as the business intended it to. Successful information management mitigates all information-related risks and ensures that information is relevant, consistent and available to support business continuity plans. There is a series of important lessons that all organisations must learn in order to ensure that information risk is appropriately contained, so that you don't commit the 'seven deadly sins' of information management:

1. Running the risk of disaster or technical failure

All of the IT systems in use across the organisation pose a potential risk to business continuity. Although this is probably the easiest group of information risks to manage, organisations must ensure that the risks to all system-stored information are understood and controlled as part of an overall business continuity strategy. The simplest to manage are transactional systems like SAP that generate records and are subject to operational compliance issues. However, attention should also be paid to 'line of business' systems such as loan processing or claims management. These tend to reside within a particular department, are generally process and workflow oriented, and provide their own information and content repositories.

2. Failing to capture all critical information

The biggest information risk challenge comes from user-controlled content. Research has demonstrated that business users are often driven by delivery pressures and performance controls, which are frequently in conflict with the good housekeeping practices needed for compliance policies and business continuity. In addition, user-generated content, which is typically found on the user desktop or on shared network drives, can often be the source of litigation and headlines. It is widely accepted that relying on end-users to manually control and manage critical information increases information risk significantly. By using process-controlled, automated declaration and classification procedures for capturing records, the onus is taken away from the end-user, maximising the consistency of capture and significantly mitigating information risk. Paper-based documents such as correspondence and forms are more difficult to control. These records need to be managed consistently, regardless of the medium on which they reside. The management of paper records should be consistent and compatible with that of electronic records.

3. Accidental removal of information from corporate systems

Organisations must invest time in selecting the right storage technologies (e.g. WORM, magnetic, optical, SAN, etc.) in order to design the most appropriate, cost-effective architecture for the records being stored. This will prevent the accidental destruction or loss of information. Different types of records, based on their retention period, could be archived to file stores on different media, and records could be dynamically migrated over time from shorter-term to longer-term media as the technology progresses, without any risk of accidental loss.

4. Destruction or significant alteration of information

Records are a key part of any successful business continuity strategy, but organisations must be able to locate and produce their records with the assurance that they have not been altered and so become inaccurate. Once information has been captured in a records management system, access to or deletion of records is only possible through the defined and security-controlled disposal processes, and all access to records can be monitored through a detailed audit log. In addition, the system provides specific hold or freeze mechanisms which prevent normal disposition schedules from running, for example when litigation is in progress.

5. Loss of context and metadata information

Not only must documents and content be retained and managed securely; so must the context or information used to describe them (metadata). This is especially true in large enterprises where content may be captured through many different systems and sit in different repositories, but is openly available across the organisation through an Enterprise Content Management system. Loss of metadata will result in the inability to share content effectively across the organisation when it sits in disparate systems or repositories.

6. Unauthorised information access

Complex organisations require sophisticated security policies to stop access to information by any unauthorised person, whether it is a case of organised crime or an inquisitive employee. Security levels should be defined by user but also by individual record. This ensures that records can only be deleted or transferred according to their defined rules. User-based security allows distinct roles to have varying levels of access to records and record metadata. Security privileges for records and record metadata can be separately established for records management teams and for the business user population at large.

7. Failure to deal with the explosion of unstructured content

An additional and particularly worrying source of risk is the explosive growth of unstructured, user-controlled content such as email, instant messaging and online content such as blogs and videos. Research shows that unstructured content is increasing at a compound annual rate of 92 per cent. Surprisingly, much of it, email for example, is business critical and poorly managed. Any unstructured user content can provide evidence of business activity and is therefore discoverable in the event of litigation. Lack of scalability in information systems can result in inconsistent handling of information and hence a lack of control and security. Critical unstructured content should be managed within the context of an overall scalable architecture framework that is itself governed by rigorous high-availability and disaster recovery policies.

Information is a critical component of every operation and process within your organisation. Carefully assessing your organisation against the information risks discussed above is the first stage in identifying high-risk areas, defining monitoring and controls, and providing effective risk avoidance practices.

Article contributed by George Parapadakis, Governance, Risk & Compliance, IBM FileNet. IBM FileNet will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands from 28th - 29th March 2007, www.businesscontinuityexpo.co.uk
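The controls the article describes under sins 2, 4 and 6 (system-driven capture and classification, deletion only through a defined disposal process, a hold that freezes the disposition schedule, an audit log of every access, and security defined per role and per individual record) can be seen working together in one small model. The following Python is an added example, not code from the article or from IBM FileNet; the role names, clearance levels, the 30-day retention period and the sample claim record are all constructed for illustration.

```python
"""Toy records-management core: controlled disposal, legal hold, integrity check,
audit log, and per-role/per-record access. Added illustration, not a product's code."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class Record:
    record_id: str
    content: bytes
    metadata: dict          # descriptive context kept with the content (sin 5)
    captured: date
    retention_days: int
    security_level: int     # per-record level; higher means more restricted (sin 6)
    sha256: str = ""        # integrity fingerprint taken at capture (sin 4)
    on_hold: bool = False   # legal hold freezes the disposition schedule (sin 4)


# Assumed role model: a role may read a record whose level does not exceed its
# clearance, and only the records-management role may run disposal or set holds.
ROLE_CLEARANCE = {"business_user": 1, "records_manager": 3}
DISPOSAL_ROLES = {"records_manager"}


class RecordsStore:
    """In-memory store. It deliberately has no plain delete(): the only way a record
    leaves the store is dispose(), and every action is written to the audit log."""

    def __init__(self):
        self._records = {}
        self.audit_log = []   # entries are (user, action, record_id, outcome)

    def _audit(self, user, action, record_id, outcome):
        self.audit_log.append((user, action, record_id, outcome))

    def capture(self, user, record_id, content, metadata, captured, retention_days, level):
        """Declaration and classification happen here, in the system, rather than being
        left to the end user (sin 2); the hash fixes exactly what was captured."""
        rec = Record(record_id, content, dict(metadata), captured, retention_days,
                     level, sha256=hashlib.sha256(content).hexdigest())
        self._records[record_id] = rec
        self._audit(user, "capture", record_id, "ok")
        return rec

    def read(self, user, role, record_id):
        rec = self._records.get(record_id)
        if rec is None:
            self._audit(user, "read", record_id, "denied: no such record")
            raise KeyError(record_id)
        if ROLE_CLEARANCE.get(role, 0) < rec.security_level:
            self._audit(user, "read", record_id, "denied: insufficient clearance")
            raise PermissionError(f"{role} may not read {record_id}")
        if hashlib.sha256(rec.content).hexdigest() != rec.sha256:
            # Content no longer matches the capture-time fingerprint: refuse to produce it.
            self._audit(user, "read", record_id, "integrity failure")
            raise ValueError(f"{record_id} altered since capture")
        self._audit(user, "read", record_id, "ok")
        return rec.content, rec.metadata

    def set_hold(self, user, role, record_id, on_hold):
        if role not in DISPOSAL_ROLES:
            self._audit(user, "hold", record_id, "denied: role")
            raise PermissionError(f"{role} may not change holds")
        self._records[record_id].on_hold = on_hold
        self._audit(user, "hold", record_id, "on" if on_hold else "off")

    def dispose(self, user, role, record_id, today):
        """The controlled disposal process: role, hold and retention are all checked."""
        rec = self._records.get(record_id)
        if rec is None:
            self._audit(user, "dispose", record_id, "denied: no such record")
            return False
        if role not in DISPOSAL_ROLES:
            self._audit(user, "dispose", record_id, "denied: role")
            return False
        if rec.on_hold:
            self._audit(user, "dispose", record_id, "denied: legal hold")
            return False
        if today < rec.captured + timedelta(days=rec.retention_days):
            self._audit(user, "dispose", record_id, "denied: retention not expired")
            return False
        del self._records[record_id]
        self._audit(user, "dispose", record_id, "ok")
        return True

    def exists(self, record_id):
        return record_id in self._records


def run_scenario():
    """Constructed walkthrough over one sample claim record; returns each step's outcome."""
    store = RecordsStore()
    rec = store.capture("system", "CLM-0001", b"claim form, policy 12345",
                        {"department": "claims", "type": "claim"},
                        date(2007, 3, 15), retention_days=30, level=2)
    out = {}
    try:
        store.read("alice", "business_user", "CLM-0001")
        out["business_read"] = "ok"
    except PermissionError:
        out["business_read"] = "denied"
    content, meta = store.read("bob", "records_manager", "CLM-0001")
    out["manager_read"] = (content, meta["department"])
    out["dispose_early"] = store.dispose("bob", "records_manager", "CLM-0001", date(2007, 3, 20))
    store.set_hold("bob", "records_manager", "CLM-0001", True)
    out["dispose_on_hold"] = store.dispose("bob", "records_manager", "CLM-0001", date(2007, 6, 1))
    store.set_hold("bob", "records_manager", "CLM-0001", False)
    rec.content = b"claim form, policy 99999"   # simulate alteration behind the system's back
    try:
        store.read("bob", "records_manager", "CLM-0001")
        out["tampered_read"] = "ok"
    except ValueError:
        out["tampered_read"] = "integrity failure"
    out["dispose_after_retention"] = store.dispose("bob", "records_manager", "CLM-0001", date(2007, 6, 1))
    out["still_exists"] = store.exists("CLM-0001")
    out["audit_entries"] = len(store.audit_log)
    return out, store.audit_log


if __name__ == "__main__":
    results, log = run_scenario()
    for step, outcome in results.items():
        print(step, outcome)
    for entry in log:
        print(entry)
```

Two design points carry the article's argument. First, the store exposes no deletion path other than dispose(), so a record can only leave through the process that checks role, hold and retention, and each refusal is itself audited. Second, the capture-time hash lets the system refuse to produce a record that no longer matches what was captured; in a real deployment that fingerprint and the audit log would themselves sit on WORM or otherwise tamper-evident storage, which is the storage-selection point the article makes under sin 3.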
