The National Institute of Standards and Technology has released a draft of its guidelines for implementing enterprisewide information risk management. The document defines the underlying principles for implementing the Federal Information Security Management Act.
On the heels of Forrester’s GRC Market Overview last month, this week we published my Governance, Risk, And Compliance Predictions: 2011 And Beyond report. Based on our research with GRC vendors, buyers, and users, this paper highlights the aggressive regulatory environment and greater attention to risk management as drivers for change
If there was any doubt about the popularity of electronic dupery, it should be put to rest with a report on global fraud released the week by the risk management consulting firm Kroll. For the first time since 2007, when the company began putting together its annual survey on crime, electronic fraud surpassed physical scams as the most common form of fraud in the world.
I propose that ERM is worth doing and doesn’t have to be so complex if you simply “begin with the end in mind,” as Stephen Covey says in The 7 Habits of Highly Successful Security Leaders. Or would have said if he’d written such a book.
The basis of my thoughts is COSO’s ERM framework (link goes to a PDF of the Executive Summary). Here is the end to keep in mind as you begin your ERM efforts, taken from COSO’s work:
eGestalt has announced the availability of SecureGRC, a solution that provides an end-to-end integration of security monitoring with IT-Governance, Risk Management and Compliance (IT-GRC) management solutions using a cloud-based delivery model.
In particular, the new rules require disclosures in proxy and information statements about:
* The relationship of a company’s compensation policies and practices to risk management.
By now, many of you have read the newly released ISO 31000 Risk management — Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)
It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”
The role of the IT security professional has expanded from securing an enterprise’s information to also managing the associated risk. ISACA has responded by offering the new Information Security and Risk Management Conference, which combines the most timely material from two of ISACA’s well-regarded security-related conferences.
ISACA, a nonprofit association serving 86,000 IT governance professionals, will host the Information Security and Risk Management Conference in Las Vegas, Nevada, USA, on 28-30 September 2009. The all-encompassing event is designed for all levels of IT security professionals.
But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.
The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.