Battening Down For Data Breaches

Insurers have long known that the risks inherent in the continuing expansion of the digital universe need to be reflected in successful enterprise risk management (ERM) efforts.

A new report jointly released by the Risk and Insurance Management Society Inc. (RIMS), Identity Theft 911 and USLAW NETWORK says that with an estimated 1.8 zettabytes of information created and stored in 2011 alone, there has never been a more opportune time for an organization to assess and update its data risk management practices.

“In the cyber world, while nothing is more abundant than data, nothing is more uncertain than the security of that data,” the report, “ERM Best Practices in the Cyber World,” states. “As a result, developing an effective data protection program has become a business necessity for every organization.”

Rather than construct a standalone, technology-focused cyber security program, Carol Fox, director of the strategic and enterprise risk practice at RIMS and one of the authors of the report, suggests organizations instead tackle cyber risk within the framework of a broader enterprise risk management culture. “Data risks may hold unrecognized implications for an organization’s strategy, particularly if delegated to a technology function to manage alone,” Fox says. “This report will help executives tap ERM best practices for unifying legal, security, data management and protection, information security, privacy, compliance and audit functions that are needed for a comprehensive data risk approach, while protecting risk assessment report findings.”

The report says organizations must account for the fact that data is dynamic, not static, and can be in use, in motion and at rest.

“Data protection must be considered through its entire lifecycle, from the creation or intake of the material to its final disposition and disposal,” the report states. “Layered security that provides multiple rings or ‘perimeters’ of protection, early detection of unauthorized access and preferably no single point of failure has become the goal and best practice for data security.”

Specifically, the report calls on organizations to craft a high-level written information security plan. “Organizations that fail to plan in advance often find themselves scrambling to identify appropriate response options as well as the right resources needed for response, mitigation and recovery from the event. The unprepared organization often pays a steep price when it comes to addressing the event successfully. The first time management starts thinking about the considerations, details and nuances attendant to a breach event should not be when the organization is in the midst of a crisis.”

While this detailed level of planning is essential, a simplified summary of cyber risk management principles is needed to educate the organization at large. “Organizations may be tempted to create large, complicated plans but many times those will only end up relegated to the shelf. Longer does not necessarily equal better. Instead, take a simple, straightforward approach that is realistic and achievable. The key actions and requirements should be defined in understandable terms and flow in a logical manner.”
