Targeting Risk in Information Governance
A Guide to Recognizing and Mitigating Risk in Your Electronically Stored Information
Sherpa Software

Sony. eBay. The Internal Revenue Service. These well-known names have topped the news in recent years,1 singled out as cautionary tales after falling victim to infamous cyber-attacks. Information Technology professionals take more than a salacious interest in these headlines. IT success depends on securing organizations from all types of digital menaces, while neutralizing other dangers encountered while working with today’s interconnected systems. Innovations that allow the creation and sharing of electronic resources at unprecedented volumes also introduce unprecedented challenges at unprecedented rates.

Information governance (IG) strategies are deployed to manage and protect digital assets from creation through disposal. Risk Management plays a key role in fulfilling these objectives by highlighting weaknesses, verifying regulatory compliance and implementing solutions. This first section of our Targeting Risk in Information Governance white paper aims to help IT professionals understand the potential risk factors in their organizations.

Section 1: Recognizing Risk

What is Risk?

There are numerous documented standards and protocols which define organizational exposure to operational, financial, physical or legal dangers. These threats include a myriad of situations, from criminal attacks to corporate misconduct and natural disasters.

One dictionary describes risk as ‘a situation involving exposure to danger’.2 Another has it as a ‘probability or threat of damage, injury, liability, loss, or … other negative occurrence … caused by external or internal vulnerabilities … that may be avoided through preemptive action’.3 According to the standards for ISO 3100 (Risk Management), risk is the ‘effect of uncertainty on objectives’.4 Even without these definitions it is well known that Information Technology is a target area with multiple lines of peril, and thus is ripe for risk.

Data Security

The biggest area of concern for IT departments may well be protecting the information assets of the organization. The implementation of well-tested methods is essential to prevent loss of critical material and ensure that key resources are not pilfered, mislaid or misused. Procedures also need to be in place (and audited) to prevent or mitigate malicious intrusion, data leakage and other cybercrimes. Equally important is the protection of privacy. Many regulations mandate data security to ensure compliance in safeguarding confidential information and preventing illegality. Outside of regulatory requirements, organizations use various protection options to foil criminality, thwart misconduct and prevent inadvertent mishaps from affecting vital systems or records.

The framework of the Casualty Actuarial Society5 breaks down enterprise risk into specific categories, including:

• Hazard: Includes things like property damage, theft or liability claims

• Financial: Focuses on asset volatility, credit defaults and inflation

• Operational: Covers aspects such as supply chain interruptions, safety and product failures

• Strategic: Applies to reputational damage, talent poaching, technological innovation disruptions and regulatory trends

The Elements of Cyber Crime 6

Perpetrators:

• Hacktivists: Activists who access, steal and disseminate confidential data

• State-Sponsored: Elite teams that work to further the goals of nations or quasi-state organizations

• Organized Crime: Illegal groups that work mostly for economic gain

• Single Actors: Individuals that infiltrate organizations to fulfil personal goals

Objectives:

• Economic gain by selling personal information, extortion, or use of pirated materials

• Disruption or attacks for revenge or notoriety (e.g. Sony hack)

• Increase awareness, ruin reputations or promote chaos (e.g. WikiLeaks)

• Competitive advantage by insider trading and acquisition of proprietary information

Consequences:

• Theft of assets and/or leaking of confidential information

• Outside access to key infrastructure and data

• Brand distortion and reputational harm

• Operational disruptions and/or damage to critical infrastructure

PCI/PII

Despite the focus on strong data security to secure confidential records, heinous breaches still occur because critical information is leaked, stolen or misplaced. High-profile targets include systems that fall under Payment Card Industry (PCI) and Personally Identifiable Information (PII) data standards. PCI data, most recognized as ‘credit card numbers’, is under the aegis of the Data Security Standards promulgated by a council of global payment brands (Visa, American Express, etc.). PII data includes such things as social security numbers (U.S.), social insurance numbers (Canada), date of birth, personal health information, and other electronic records that can uniquely identify individuals.

Various privacy laws and industry regulations focus on the handling of PII and PCI. They are designed to deter data theft and encourage the safe handling of critical records. Best practices focus on data in storage (e.g. on file shares or email servers) and data in transit. This advice can be broken down into several key points:

• Secure corporate networks against intrusion

• Create practical policies minimizing usage of vital records

• Avoid transmission or storage of data in plain text

• Educate employees on proper handling of critical data

• Audit policy and process to ensure continual effectiveness

Implementing these best practices provides a good foundation to secure data while complying with industry regulations.
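The ‘avoid storage in plain text’ and ‘audit’ points above are only useful if you can find where plain-text PCI/PII already sits. The following is an added example, not code from the white paper or from Sherpa’s products: it scans text for candidate card numbers, keeps only those that pass the Luhn checksum (so random 16-digit reference numbers are not reported), flags dashed U.S. SSNs, and records findings masked so the audit report itself does not become another plain-text copy. The patterns, the masking rule, the `scan_tree` file-extension list and the sample text are all constructed assumptions.

```python
"""Auditing stored text for plain-text card numbers (PCI) and U.S. SSNs (PII).

Added example; not code from the Sherpa white paper. The candidate
patterns, the masking rule and the sample text are constructed for
illustration. Findings are reported masked so the audit log never
becomes another plain-text copy of the data.
"""
import os
import re

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.  Candidates are then Luhn-checked.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# U.S. SSN in dashed form, rejecting area/group/serial values that are never issued.
SSN_PATTERN = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; the middle is never written out."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return masked findings with line numbers for one document's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"line": lineno, "type": "PAN", "value": mask_pan(digits)})
        for match in SSN_PATTERN.finditer(line):
            findings.append({"line": lineno, "type": "SSN", "value": "***-**-" + match.group()[-4:]})
    return findings


def scan_tree(root: str, extensions=(".txt", ".csv", ".log", ".eml")) -> dict:
    """Walk a directory (e.g. a mounted file share) and map file paths to findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
                if found:
                    report[path] = found
    return report


# Constructed sample: the card number is the widely used test value 4111 1111 1111 1111.
SAMPLE_TEXT = """\
customer_notes.txt
Order 7781 paid with card 4111 1111 1111 1111 exp 09/27
Ref id 1234 5678 9012 3456 is an internal tracking number, not a card
Typo on file: 4111-1111-1111-1112
HR form: SSN 123-45-6789
Call desk at 412-555-0100
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

On the sample text only the Luhn-valid card on line 2 and the SSN on line 5 are reported; the internal reference number and the mistyped card fail the checksum and are skipped, which keeps the audit output focused on records that actually need remediation.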

Regulatory Compliance

Many organizations, such as those that fall under legislation outlined by Sarbanes-Oxley (SOX), HIPAA, Gramm-Leach-Bliley and others, need to perform scheduled reviews and respond to regulatory requests to fulfill their legally mandated obligations. Public entities are not immune from these concerns. On the federal, state and local level, the Freedom of Information Act (FOIA) and other ‘Open Records’ or ‘Sunshine’ laws require governments, schools and other community organizations to produce records requested by citizens. Without the tools or plans in place to respond to requests, normal business processes may be interrupted and response times delayed. This could lead to fines, sanctions or loss of funding.

eDiscovery

Risk shows a different face in electronic data discovery. The search and collection of electronically stored information (ESI) often requires significant attention from the IT department, regardless of whether the data is required for legal, security or regulatory purposes. Whether answering subpoenas, developing proactive response plans or deploying in-house talent to react to urgent requests, eDiscovery can prove overwhelming for an underprepared staff. The dangers inherent in poorly executed eDiscovery cannot be overstated.

Organizations are liable for the data that is created and stored in their systems. Many aspects of litigation are dictated by the Federal Rules of Civil Procedure (FRCP). An essential requirement of the FRCP is to prevent the spoliation (destruction or modification) of data relevant to ongoing legal matters. Litigation Holds are needed in order to follow the requirements to preserve data; the penalties for failure can be severe, including fines and adverse judgements.

A detailed eDiscovery plan should be designed to neutralize problem areas while streamlining the costs, resources and time associated with legal action. Good planning can also benefit internal investigations or incident response. Typically, these actions need to be performed quickly to maintain security while preventing data loss, fraud and other impediments to corporate wellbeing.

Policy Enforcement

Compliance and eDiscovery are aided by effective policies that form the basis of a sound Information Governance (IG) strategy. Typically, these plans govern wide-ranging areas including data access, internet use, disaster recovery and ‘bring your own device’ (BYOD). Policy should also cover the regulation of corporate communications (Facebook, Twitter) and data storage (local and cloud).

Effective policy will also prevent disorganization from threatening the security of critical systems. Policy enforcement can be combined with electronic records management to prevent redundant, outdated and trivial (ROT) information from clogging up servers and bogging down business processes. Without procedures in place, key data becomes more difficult to locate and malicious actors more difficult to detect. The retention and disposition of critical records should be based on clear metrics defined by organizational value. Additionally, retention policies are needed to form credible, defensible deletion arguments that can pass judicial muster during litigation.

FRCP Rule 37(e) 7

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:

1) Upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or

2) Only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may:
(a) presume that the lost information was unfavorable to the party;
(b) instruct the jury that it may or must presume the information was unfavorable to the party; or
(c) dismiss the action or enter a default judgment.

Sherpa Tip: The General Data Protection Regulation (GDPR) is set to become the overriding data protection regulation within the EU. If your organization has international operations in the European Union, you should be planning for GDPR compliance now!

Disaster Recovery

Planning for the continuity of business after a catastrophic event is the bedrock of a risk management strategy. Whether the disaster is caused by natural forces (hurricane, blizzards, flooding), localized incidents (water main break, power spike), or malicious actors (data breaches, virus), the IT infrastructure of an organization is often at the forefront of recovery efforts. Strategies which focus on establishing communication, repairing systems and restoring data will help minimize downtime and operational disruption.

These strategies should be enacted with an eye towards reaching optimal recovery time by recognizing that hardware, software, connectivity and data are all needed for IT to function effectively. If your business applications cannot tolerate downtime, failover providers and geographically distinct redundancy may be in order.

The first section of this white paper focused on defining and recognizing the dangers of exposing data assets to risk. Section two builds on that knowledge by outlining effective plans to neutralize problem areas, anticipate costs and minimize disruptions. It aims to show how proactive action can help to reduce corporate liability by protecting organizations from pressures both internal and external.

A significant challenge for many organizations, and certainly for IT staff, is effectively operating in an environment where regulation, litigation and criminal activity push against established business needs. Not surprisingly, managing these risks can be complicated. There are numerous enterprise risk management (ERM) standards to help define the ideal process. Additionally, diverse organizations of differing sizes, industries and notoriety all have unique risk profiles. Despite this, most strategies to manage risk can be distilled into three distinct steps: Assess, Reconcile and Monitor.

Section 2: Mitigating Risk

1. Assess the Risk

The risk management process begins by analyzing the level of exposure in your organization and establishing a quantitative value to help objectively prioritize the dangers. An effective assessment will result in an overview of current conditions, a list of factors and a strategic framework for establishing the measurable variables of risk.

This step begins with a team. Members should be drawn from diverse organizational backgrounds, preferably with some experience in risk management. The knowledge of IT professionals is essential in providing a technical perspective with firsthand knowledge of existing systems and software used in the company. In addition, IT representatives can provide forecasts based on the handling of historical incidents (and near misses) while articulating organizational exposure to current or projected threats.


Keep in mind that IT should not perform this evaluation in a vacuum. Team members skilled in business analysis are needed to communicate the impact of risk factors on opportunities or established procedures. Legal representation is valuable to provide input from a regulatory or litigation perspective. Department specific experts should also be included to offer practical contributions and feedback. Working together, this team will define risks, outline mitigation factors and assemble a framework for prioritization.

Once a team is in place, the risk assessment begins by establishing the context for the project, then proceeds to identifying the risk factors. The resulting list of potential problem areas must then be measured and quantified so objective decisions can be made for reconciling the risk in your organization.

1.1 Context

An ideal risk management assessment begins by establishing the framework in which the project will operate. Clearly outlining the responsibilities of the team, establishing the goals for the venture and ensuring commitment from stakeholders will help the process run smoothly. There should be agreement on the standards to follow as well as the methodologies for quantifying the risks and potential losses. Establishing context is essential as this step defines a clear objective and ensures a balanced, measurable outcome with steps that can be reused as needed.

1.2 Identify

Investigating, evaluating and documenting current conditions is essential for gaining a thorough understanding of organizational pressures. The end goal of this investigation is to identify a list of problem areas that could ‘expose your organization to danger’ or disrupt business-critical processes. Don’t use a generic matrix. Instead, create a unique evaluation tailored to the specific details and challenges of your business. Industry research, interviews of key personnel, review of historical incidents and vulnerability assessments are necessary components in cataloging critical threats.

While IT often focuses on data security and disaster recovery, do not limit the scope of your assessment. Examine regulatory constraints, legal exposure, external pressures, and systemic flaws to create a detailed risk profile. This includes compliance obligations and the ability to meet them, eDiscovery concerns, and liabilities for redundant, outdated or trivial information created or stored using company infrastructure. Remember to focus not just on current threats, but also try to identify potential hazards and how well the company is set up to respond to them. Additionally, the team shouldn’t neglect reaching out to a range of departments to gain a different perspective on dangers that are not generally known to other units.

A critical piece of this identifying task is to highlight any software, strategies, educational programs or other tools and processes that are already in place to control risk. This data will be used to help calculate the impact of risk as part of the quantification step.

1.3 Quantify

Once a matrix has been developed, it needs to be evaluated with an eye towards business impact using objective measures. Ideally, this impact can be quantified for each risk factor based on the prospect of an event occurring and the cost to the company if it does. Probability (or likelihood) can be viewed through a lens of exposure, frequency, or attractiveness of a target. The loss or impact factor should include measures like the cost of solution or remediation. Other quantifiable measures are less obvious. Loss of revenue, decreased productivity, missed opportunity, and system downtime can also add to the loss profile. Additionally, qualitative concerns like safety, damage to reputation or talent migration should play an important part in these calculations.

The end goal of this quantification is to have a clear picture of the nature of the risks affecting the company while providing enough detail to measure and prioritize risk factors. Often these assessments will result in visualizations to help identify trends. One well-known example is a Heat Map, which charts the likelihood (or probability) of a risk factor against its impact (or severity). This image can plainly display the highest-risk elements to an organization.

As a last matter, quantification needs to include details of existing and available treatment options with the costs incurred therein. This information is critical to help calculate the costs of risk remediation balancing against the cost of responding to an incident.
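The quantification step above reduces to a small amount of arithmetic per risk factor: probability after existing controls, times loss per incident, gives an expected yearly loss; that figure, times the share of probability a proposed treatment removes, minus the treatment’s cost, says whether mitigating beats accepting. The following is an added example, not code from the white paper or from Sherpa’s products, that scores a constructed risk register this way, bands each risk onto a 5x5 heat map (likelihood against impact) and sorts by heat-map score. The band thresholds, the sample risks and every probability and cost figure are constructed assumptions; a real assessment team would substitute its own.

```python
"""Quantifying a risk register and plotting it on a 5x5 heat map.

Added example; not code from the Sherpa white paper. The band
thresholds, sample risks, probabilities and cost figures are all
constructed for illustration and would come from the assessment team
in practice.
"""
from dataclasses import dataclass

# Ascending thresholds that split a continuous value into five ordinal
# bands (1 = lowest). Four thresholds give five bands. Constructed values.
PROB_THRESHOLDS = [0.05, 0.15, 0.35, 0.65]               # annual probability
LOSS_THRESHOLDS = [10_000, 50_000, 250_000, 1_000_000]   # loss per incident
LIKELIHOOD_BANDS = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]


@dataclass
class Risk:
    name: str
    annual_probability: float            # chance of at least one incident per year, 0..1
    loss_if_occurs: float                # estimated cost of one incident
    control_effectiveness: float = 0.0   # fraction of probability removed by existing controls
    mitigation_cost: float = 0.0         # yearly cost of the proposed additional treatment
    mitigation_effect: float = 0.0       # fraction of residual probability the treatment removes

    @property
    def residual_probability(self) -> float:
        """Probability after crediting the controls already in place."""
        return self.annual_probability * (1.0 - self.control_effectiveness)

    @property
    def annual_loss_expectancy(self) -> float:
        """Expected yearly loss: residual probability times loss per incident."""
        return self.residual_probability * self.loss_if_occurs

    def mitigation_net_benefit(self) -> float:
        """Expected loss avoided per year minus the treatment's cost.
        A negative value means tolerating the risk costs less than treating it."""
        avoided = self.annual_loss_expectancy * self.mitigation_effect
        return avoided - self.mitigation_cost


def band(value: float, thresholds: list) -> int:
    """Map a value onto band 1..len(thresholds)+1 using ascending thresholds."""
    for i, limit in enumerate(thresholds):
        if value < limit:
            return i + 1
    return len(thresholds) + 1


def assess(risks, prob_thresholds=PROB_THRESHOLDS, loss_thresholds=LOSS_THRESHOLDS):
    """Score each risk, decide a response, and return rows sorted by priority."""
    rows = []
    for r in risks:
        likelihood = band(r.residual_probability, prob_thresholds)
        impact = band(r.loss_if_occurs, loss_thresholds)
        net = r.mitigation_net_benefit()
        rows.append({
            "name": r.name,
            "likelihood": likelihood,
            "impact": impact,
            "score": likelihood * impact,          # heat-map cell weight
            "ale": round(r.annual_loss_expectancy, 2),
            "net_benefit": round(net, 2),
            "response": "mitigate" if net > 0 else "accept or transfer",
        })
    # Highest heat-map score first; ties broken by expected yearly loss.
    rows.sort(key=lambda row: (row["score"], row["ale"]), reverse=True)
    return rows


def render_heat_map(rows) -> str:
    """Text heat map: likelihood bands top (5) to bottom (1), impact bands 1..5 across."""
    cells = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for row in rows:
        cells[(row["likelihood"], row["impact"])].append(row["name"][:4])
    header = f"{'Likelihood / Impact':<20}" + "".join(f"{i:^10}" for i in range(1, 6))
    lines = [header]
    for l in range(5, 0, -1):
        body = "".join(f"{','.join(cells[(l, i)]) or '.':^10}" for i in range(1, 6))
        lines.append(f"{LIKELIHOOD_BANDS[l - 1]:<20}{body}")
    return "\n".join(lines)


# Constructed sample register (names and figures are illustrative only).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", 0.32, 600_000,
         control_effectiveness=0.5, mitigation_cost=40_000, mitigation_effect=0.6),
    Risk("Spoliation sanction from a missed litigation hold", 0.10, 250_000,
         mitigation_cost=15_000, mitigation_effect=0.8),
    Risk("Plain-text card numbers on a file share", 0.40, 80_000,
         control_effectiveness=0.25, mitigation_cost=30_000, mitigation_effect=0.9),
    Risk("Flood takes out the primary data center", 0.02, 2_000_000,
         mitigation_cost=120_000, mitigation_effect=0.9),
]

if __name__ == "__main__":
    rows = assess(SAMPLE_RISKS)
    for row in rows:
        print(f"{row['score']:>2}  {row['name']:<50} ALE={row['ale']:>10,.0f}  "
              f"net={row['net_benefit']:>10,.0f}  {row['response']}")
    print(render_heat_map(rows))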

2. Reconcile the Risk

Once a thorough assessment, as outlined in the steps above, has identified the residual risks, measured business impact, calculated probability and quantified loss potential, organizations need to create a strategy for handling the risk factors. With appropriate feedback and updated information, a suitable authority must analyze a number of elements to first prioritize the appropriate choices for reconciliation. Deciding factors will include the company’s tolerance for risk, budget constraints, and the effects of specific problem areas on an organization’s mission and key performance indicators.

Reducing risk is the primary goal. Typically, this is done by minimizing the likelihood an incident will take place and/or reducing the consequences if it does. Options for a risk response strategy include:

• Mitigation: Tools, policies, software, education, incident response planning and other remedies are deployed to counteract the threats and tackle identified or potential risks. Mitigation is used to cushion the consequences of an incident. Good examples include updating disaster recovery plans or establishing redundant data centers to minimize the effects of unplanned outages.

• Transfer: A special kind of mitigation technique where the source of the risk is removed or the consequences shared. For example, a threat could be mitigated by moving it to a third party or by investing in insurance.

• Acceptance: If conditional factors such as a cost-benefit analysis work in favor of tolerating an implied risk rather than expending time, money and staff to diminish it, an organization may make an informed choice to accept or even increase a risk factor. This is especially true if there is a low probability of an incident occurring, if the profit opportunity significantly outweighs the danger, or if the cost of mitigation is greater than the cost of tolerating the risk.

• Avoidance: When a risk becomes too chancy, an organization may choose to bypass the risk entirely or decrease the likelihood that it will happen. This could be achieved by canceling projects, rewriting procedures or discontinuing ventures that give rise to excessive risks.

[Figure: Example Heat Map 8, plotting Likelihood against Impact]

Once the decision is made on how to handle specific risks, the plan should be documented, the response strategy defined and practical tools or policies should be implemented.

Some controls may alleviate multiple threats (e.g. encryption) while some risk factors will require more than one control. For example, changes to internet usage policies often require preventive measures (web site blocks), documentation updates (HR manuals) and user training (employee orientation).

The response plan can contain both proactive and reactive elements. Some could be addressed by handling incidents as they occur using a predefined procedure. Other units may be tasked with implementing measures to prevent incidents before they have a chance to affect multiple departments. Efforts can be deployed company wide, or tailored to a department or functional group.

Attempting to design and deploy risk remediation across an entire organization at one time is a ticket to chaos. Instead, it is essential to prioritize the risk factors based on the objective quantifications (as outlined in previous steps) to have the best chance of success. Highly regulated and critical systems are usually given priority and a timetable should be established for mitigating less immediate concerns.

3. Proactive Monitoring

As technology marches forward, so too do the risk factors associated with it. Data is constantly created, modified and deleted. Regulations are added or altered, new software and services are introduced, organizations morph and change. Therefore, the final step in a risk management process is one of the most important ones: continual auditing of the risk strategy in your organization.

At a scheduled time (monthly or quarterly, and no less often than yearly), the risk assessment team should meet and share knowledge. Internal progress should be measured and assessed by updating data visualizations. Policies should be monitored for their effectiveness. New threats should be discussed and any unintended consequences of remediation steps should be analyzed. Legal has a responsibility to keep up to date on changes to the regulatory environment and new legislation. Business experts should chime in on proposed changes like new markets, mergers or outsourcing initiatives.

Defensible deletion of information is proven to be an effective part of risk mitigation. However, only 39% of organizations responding to a recent Sherpa survey currently have a policy in place.

Survey: Does your organization have a defensible deletion policy in place?

• Yes: 39%

• No: 37%

• Unsure: 24%

[Chart: If so, is your organization compliant with your policy? Fully: 26%; remaining bars labeled Partially, Not at all and Unsure, with values 30%, 13% and 31%]

One of the major benefits of a fully implemented risk management strategy is that it becomes easier to address risk control as a part of planning. Instead of responding at the last minute in an ad hoc manner, projects can be designed from the ground up to include security or regulatory compliance. Resources can be allocated to those proactive steps as part of the initial scope.

Education and stakeholder involvement should be continual. Equip the right people to analyze progress, report difficulties and keep an eye on emerging threats. Compliance software should be kept updated and audits should be run regularly. It is imperative that IT, in particular, keeps track of specialized news and trends that may affect the security of your organization. This will help maintain stability in your company for years to come.

Conclusion

Today’s compliance-, litigation- and regulation-heavy business environments introduce a number of challenges for busy professionals. Incorporating enterprise risk management as part of a solid Information Governance platform helps organizations of any size safeguard their information and avoid the dangers of data breaches, policy lapses and non-compliance. Taking proactive steps today can help you avoid becoming tomorrow’s headlines.

About Sherpa Software

Sherpa Software, a leading provider of technology-driven information governance solutions, has helped more than 4,000 companies worldwide. Sherpa’s award-winning solutions address information management, regulatory compliance, data retention, defensible deletion, remediating PCI/PII data, eDiscovery, PST management, and more. Sherpa Altitude IG, Sherpa Software’s signature information governance platform, leaves your data in place and offers robust analytics and metrics, allowing you to reduce data volumes and mitigate the risk of critical information before and when litigation arises.

Additional Resources

• ISO 3100: Risk Management
• NIST Computer Security Center
• PCI Security Standards
• Sherpa Software Introduction to PCI / PII
• Digital Guardian: Expert Discussion on Overlooked Factors in Info Sec Planning
• ERM Initiative: Raising Awareness of Cybersecurity Risks
• Electronic Discovery and Information Governance Reference Models
• Cyber Crisis Management: A New Philosophy and Approach to Incident Response
• Sherpa Software: Demystifying Defensible Deletion
• Tech Target: Risk Management and Compliance
• Purdue University Enterprise Risk Management
• Risky Thinking
• Understanding the General Data Protection Regulation

Sources

1. Selected losses greater than 30,000 records (July 2016). “World’s Biggest Data Breaches” (Webpage). Information is Beautiful. Retrieved 2016-07-31.
2. Definition of risk in English. “Risk” (Webpage). Oxford Dictionaries. Retrieved 2016-07-31.
3. Risk definitions. “Risk” (Webpage). Business Dictionary. Retrieved 2016-07-31.
4. Risk Management Vocabulary (2009). “Terms Related to Risk” (Webpage). International Standards Organization. Retrieved 2016-07-31.
5. Enterprise Risk Management Committee (May 2003). “Overview of Enterprise Risk Management” (PDF). Casualty Actuarial Society: 9–10. Retrieved 2016-07-31.
6. Enterprise Risk Management Initiative (2011). “Cyber Crisis Management: A New Philosophy and Approach to Incident Response” (Webpage). ERM Initiative Faculty. Retrieved 2016-07-31.
7. Legal Information Institute. “Rule 37. Failure to Make Disclosures or to Cooperate in Discovery; Sanctions” (Webpage). Cornell University Law School. Retrieved 2017-05-05.
8. Enterprise Risk Management Quantification. “Heat Map of Results” (Image). Purdue University. Retrieved 2016-07-31.

Under the copyright laws, neither the documentation nor the software can be copied, photocopied, reproduced, translated, or reduced to any electronic medium of machine-readable form, in whole or in part, without the written consent of Sherpa Software Partners, except in the manner described in the software agreement.

© Copyright 2017 Everest Software, L.P., d.b.a. Sherpa Software Partners, L.P. All rights reserved. Printed in the United States.

Meet the Author

Marta Farensbach, Director of Product Services

Marta contributes to the development and growth of Sherpa’s products and platforms and is responsible for ensuring customer satisfaction. Since joining Sherpa in 2003, she has done extensive research on eDiscovery while expanding her expertise in litigation preparedness, compliance and content management.

Prior to joining Sherpa Software, Marta oversaw the management of the information technology department for a leading logistics firm. During her tenure, Marta was instrumental in increasing profitability and efficiency of real-time data inventory reporting, while guiding the deployment of a number of web-based applications.

Marta received her Bachelor of Arts degree from Pennsylvania State University. She enjoys Sherpa’s teambuilding activities and is a founding member of the Sherpa Movie Club. She has a zest for travel and takes great pleasure in soaking up culture, scenic beauty and adventures wherever they can be found.

