A new report issued report jointly released by the Risk and Insurance Management Society Inc. (RIMS), Identity Theft 911 and USLAW NETWORK says that with an estimated 1.8 zettabytes of information created and stored in 2011 alone, there has never been a more opportune time for an organization to assess and update data risk management practices.
“In the cyber world, while nothing is more abundant than data, nothing is more uncertain than the security of that data,” the report, “ERM Best Practices in the Cyber World,” states. “As a result, developing an effective data protection program has become a business necessity for every organization.”
Rather than construct a standalone, technology-focused cyber security program, Carol Fox, director of the strategic and enterprise risk practice at RIMS and one of the authors of the report, suggests organization instead tackle cyber risk through the framework of a broader enterprise risk management culture.
“Data risks may hold unrecognized implications for an organization’s strategy, particularly if delegated to a technology function to manage alone,” Fox says. “This report will help executives tap ERM best practices for unifying legal, security, data management and protection, information security, privacy, compliance and audit functions that are needed for a comprehensive data risk approach, while protecting risk assessment report findings.”
The report says organizations must account for the fact that data is dynamic not static and can be in use, in motion and at rest.
“Data protection must be considered through its entire lifecycle, from the creation or intake of the material to its final disposition and disposal,” the report states. “Layered security that provides multiple rings or “perimeters” of protection, early detection of unauthorized access and preferably no single point of failure has become the goal and best practice for data security.
Specifically, the report calls on organizations to craft a high level written information security plan. “Organizations that fail to plan in advance often find themselves scrambling to identify appropriate response options as well as the right resources needed for response, mitigation and recovery from the event. The unprepared organization often pays a steep price when it comes to addressing the event successfully. The first time management starts thinking about the considerations, details and nuances attendant to a breach event should not be when the organization is in the midst of a crisis.”
While this detailed level of planning is essential, a simplified summary of cyber risk management principles is needed to educate the organization at large. “Organizations may be tempted to create large, complicated plans but many times those will only end up relegated to the shelf. Longer does not necessarily equal better. Instead, take a simple, straightforward approach that is realistic and achievable. The key actions and requirements should be defined in understandable terms and flow in a logical manner.”
This story originally appeared at Insurance Networking News.
Bill Kenealy is a senior editor at Insurance Networking.
