For example, in a health care provider particular emphasis will be placed on meeting the requirements of the DPA, HIPAA or Caldicott Guardian principles, whereas in financial organisations compliance with the DPA, FCA and PCI requirements would take precedence. In this particular organisation, the requirements of the DPA and the need for protection of business assets are the primary driver for governance. Building regulations are also a driver for good governance but are outside the scope of this report.

Most risk assessments I have seen use a multiplying methodology to arrive at a risk level. For example, the New York Police Department [Cou15] use this approach. This is like multiplying oranges by apples and pears to get animals. In his paper, Jeff Lowder [Why10] exposes the fact that we have no unit of measurement for these measures. In my opinion, we do not have a mechanism for normalising the ranges of these scales.

We then have to consider what the reason for the risk assessment is and whether it can be used for that purpose. My view is that the report is there to provide the business management team with a reasoned understanding of the risks and of the appropriate countermeasures that can be taken, so that they can justify the spend on doing so. We want to guide them to a conclusion that supports the business objectives. By using our experience and judgement in evaluating the risks, impacts and consequences to generate the risk assessment and treatment plan, we can help the business to make those decisions intelligently; and whilst the arithmetic logic may be “nonsense”, it can be, and often is, used as the optimal way to help management make these decisions, as they can see a logic behind them. I’ve not had time to research moving to a “Risk = Function (Threats, Vulnerabilities, Impacts)” approach but would like the opportunity to explore this option.
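A short added illustration of the “multiplying oranges by apples” objection (example code written for this edit, not part of the report; the risk names, ratings and the two impact numberings are constructed): because the 1 to 5 ratings are ordinal, any order-preserving renumbering of the impact scale is equally valid, yet it can reverse the priority order that the likelihood × impact product produces.

```python
# Added illustration, not taken from the report: a likelihood x impact
# score is built from ordinal ranks, so it changes with the (arbitrary)
# numbers assigned to each rank. Names and ratings below are constructed.
from typing import Dict, List, Tuple

Risk = Tuple[str, int, int]  # (name, likelihood rank 1-5, impact rank 1-5)

# Constructed sample risk register.
RISKS: List[Risk] = [
    ("Lost unencrypted laptop", 5, 2),
    ("Ransomware on file server", 2, 4),
    ("Insider data exfiltration", 1, 5),
]

# Two order-preserving numberings of the same five impact ranks. Both say
# rank 5 > rank 4 > ... > rank 1; they differ only in spacing, which an
# ordinal scale does not define.
LINEAR_IMPACT: Dict[int, int] = {1: 1, 2: 2, 3: 3, 4: 4, 5: 5}
GEOMETRIC_IMPACT: Dict[int, int] = {1: 1, 2: 3, 3: 9, 4: 27, 5: 81}


def score(risk: Risk, impact_scale: Dict[int, int]) -> int:
    """The common 'risk = likelihood x impact' product."""
    _, likelihood, impact_rank = risk
    return likelihood * impact_scale[impact_rank]


def ranking(impact_scale: Dict[int, int]) -> List[str]:
    """Risk names ordered highest score first under the given impact numbering."""
    ordered = sorted(RISKS, key=lambda r: score(r, impact_scale), reverse=True)
    return [name for name, _, _ in ordered]


def ranking_is_scale_invariant() -> bool:
    """True only if the priority order survives re-numbering the impact ranks."""
    return ranking(LINEAR_IMPACT) == ranking(GEOMETRIC_IMPACT)


if __name__ == "__main__":
    for label, scale in (("linear", LINEAR_IMPACT), ("geometric", GEOMETRIC_IMPACT)):
        print(f"{label:>9} impact numbering -> {ranking(scale)}")
    print("priority order is scale invariant:", ranking_is_scale_invariant())
```

Under the linear numbering the lost laptop comes top; under the geometric numbering the same register puts the insider case top and the laptop last, so the product alone cannot tell management which treatment to fund first.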
Treatment strategies by size of company

Treatments could be influenced by the size of the company and, whilst some may see it as unethical, often these treatments may be the most practical when the realised risk is too great.

Size of company                               Ultimate risk strategy
Small   (< 1,000 employees)                   Phoenix strategy
Medium  (< 10,000 employees)                  Legal defence strategy
Large   (> 10,000 employees) / Government     Self-insure

Rather than implement strong controls, companies that have developed these strategies have worked out that it is more economical to take these approaches. Given that the purpose of any business is to generate profit, this may be the best option for that company. A more ethically conscious company is more likely to place greater emphasis on protecting its information assets and therefore the longevity of the business, increasing staff confidence in the preservation of their jobs at the expense of some of the company’s profits. This is a better strategy for a company whose vision is to be long lasting and carry a higher ethical standard. The Co-Operative group [The] is one such organisation which aspires to good corporate social
- Winter '15
- Ray Browne
- Information Security, .........