How do you defend your organization from the threats within and the threat without when it really counts?
Atos has just successfully provided secure IT services to the broad and diverse population comprising the Olympic and Paralympic family. So discover how Atos’ business technologists are using the Games experience to provide the same new “boundary-less” concept with security and transparency to businesses the world over.
Strategic system for risk management
Models and growth phases

1. Introduction

What is the most appropriate system of data security and risk management for a specific type of organisation and what is the desired objective? We would like to share our baseline requirements with you.

Using simple models, we outline the route to the desired objectives and the desired growth based on a phased, natural growth path. This article is written against the background of a number of experiences with which the reader is probably familiar. First and foremost, it appears to us that the ‘board’ is going to make constantly higher demands for demonstrable compliance. That is a logical consequence of the changing legislation and regulations in this area. But the term ‘compliance’ is not really complete if no accepted reference framework is given. Following on from this we have noted that the board requires a reference framework in order also to be able to communicate externally over the system of control measures and their operation.

Then there is the experience that professionals often know to report based on assessment that there are elements missing in the system for internal control without having an objective reference framework. Thus the statement ‘there is a need for a formalised methodology for risk assessment’ is misplaced for the small shopkeeper, but more obvious for a multinational bank. But the question, of course, is what device is appropriate for the type of organisation.

Further experience is that organisations that are faced with the need to catch up, for example, by a sudden drastic escalation in external demands for compliance, often desperately aim for this new level without regard for the way to it. This leads to loss of support within the organisation and, at best, the mechanistic implementation of misunderstood procedures. The comparison with the high jumper is easy: if ‘the bar’ started at 1 metre, and the new target is 2 metres, it is better to achieve this goal by gradually going up from the ‘1 metre’ situation and not immediately set the bar at 2 metres.

The structure of my article is as follows. Section 2 outlines developments in the concept of risk and control over recent decades. Section 3 goes into the models and growth phases in data security and risk management. Our closing remarks are included in Section 4.

Dr. Abbas Shahim RE
Dr. Abbas Shahim RE is a partner at Atos Consulting where he is in charge of practice in the area of IT risk management. He is also associate professor and director of studies at the Free University and vice chairman of ISACA in the Netherlands.
2. Strategy for risk management: developments in the concept

Today, risk management is not just a subject of interest to colleagues but of strategic importance for organisations and therefore requires a renewed approach.

Anyone who does not adequately control the risks associated with operational management in this turbulent and continuously changing market, is simply not a serious business partner. Actually it is no longer acceptable to approach risk management in the traditional way (i.e. defensive conduct, technical approach) or to regulate it in an ad hoc way. There is a major need for a new approach applying strategic and structural consideration to risk management and the system for it. This section looks at a model that is applied in practice in order to bring organisation of information communication technology (ICT) in line with the corporate objectives, and to bring this up to the desired strategic level gradually and in a measurable way. We consider the thinking behind this approach in the following sections with the aim of achieving this with risk management organisations so that these are structured and managed based on the corporate vision, set up and strategically managed based on measurable results.

2.1 Focus on risk management

The increasing focus on risk management is a trend that is mainly the consequence of three key aspects.

The first aspect is the continuing growth of ICT whereby this field has evolved into a fully-fledged industry which has now penetrated the core of our information society. On the one hand, the explosive use of this new technology in organisations has led to more efficient implementation of day-to-day activities resulting in a great reliance on it. On the other hand, use of ICT has introduced new risks which must be mitigated by means of various types of measures.

The second aspect concerns customer specifications for (ICT) security. In practice it appears that clients mostly have high, fixed and comprehensive security requirements which, in most cases, are essential preconditions for concluding business-like service contracts. Security has become a knock-out criterion in the selection of providers.

The final aspect relates to the issues surrounding ‘compliance’ as a consequence of the changing legislation and regulations. For this, organisations need to demonstrate with hard evidence that, among other things, they are adequately managing the risks associated with ICT.

The aforementioned developments have resulted in risk management having to develop rapidly and in a refined way in recent years. This evolution has meant that the previously technical and operational image of this crucial subject has now become a strategic issue. It is now the rule rather than the exception for risk management to be on the agenda of senior management, and to be regarded as an important element of operational management. It is therefore necessary that the enhanced strategic image of risk management be defined more closely and given a higher profile. For this, a more modern approach, as set out in Fig. 1, is a requirement to secure the three key factors which together contribute to enhancing the added value of risk management.

Firstly, the aims covered by risk management need to be separated from and subordinated to the business demands and aims. These will be appropriately linked to the vision and objectives of the organisation.

Secondly, risk management should be routinely implemented according to a structured approach. With this model system, clear, achievable milestones can be laid down with the associated stages and interim results.

Finally, indicators should be defined to measure performance and to use as input for reporting on the results achieved. Using these, risk management can be aimed for and corrected in a timely way so that the intended goals are pursued in a visible way.

Fig. 1. A more modern approach to risk management (figure labels: Business requirements and aims; Vision & objectives of the organisation; Starting point; Risk management system; Systematic approach; Indicators; Measuring performance & reporting; Added strategic value; Organisation)
2.2 Generations of risk management

The evolution of risk management has manifested itself in four generations. As well as rapid technological developments, each generation has focused on a different aspect with intrinsic business value and with specific security problems. When organisations started using computers in the 1960s, the main focus of suppliers was on processing power and functionality. Hardware and software were only accessible to individuals with special privileges. They had access to centralised computer systems which were located in physically secure surroundings. These systems were run using punchcards and produced printouts as a result of this batch processing. The computer systems at that time were expensive and also vulnerable to human error and environmental changes such as temperature. Centralised computer systems were therefore located in an area with restricted access which was only granted to authorised individuals. Security was a simple task as, owing to the processing restrictions and circumstances, it was not possible to gain free access to computer resources. This offered added value to business which did not make such high demands (Amoroso, 1994). Automation supported operating processes and tried to follow operating processes as closely as possible.

As hardware became smaller and cheaper and with the rapid development of network technology, in the 1970s and 1980s it became possible to access computer systems remotely with the result that the primitive physical security measures were inadequate. Batch processing was enhanced by what is known as ‘multi-programming’ whereby computer systems were able to carry out a number of tasks simultaneously. This required controlled access to programs and data stored on computer systems. For this, initially Job Control Language (JCL) was used to prevent unauthorised access to data sets and hard drives. This security measure was adequate until it was made possible for end users to type in their own commands on the terminal linked to the computer system. The arrival of this interactive processing option introduced new security challenges as the initiated processes competed with each other for resources and processing time. Identification and authentication of end users behind the terminal then attracted most attention. Separating their processes from those of others, protecting their data against unauthorised use and security of communication between the terminal and the computer system also became relevant problems to be fixed by implementing adequate security to offer business value. Operating processes are increasingly moulded around the ICT options.

The exponential use of the Internet in the 1990s led to the large-scale adaptation of this medium by organisations, mainly for doing business and communicating with the outside world. Operating processes were set up for Internet use. This way of working required the internal ICT structure to be connected to the non-secure Internet, whereby organisations were confronted with what were then to some still unfamiliar risks, including hacking and viruses. It then became clear to organisations that the infrastructure and other key operating properties (e.g. data) needed to be protected in a structured way against risks of various kinds. ICT security thereby attracted the attention of senior managers and found a place on their agenda. Consequently, the use of methods and standards became popular as a routine approach to security. This then resulted primarily in the implementation of the Code voor Informatiebeveiliging (CIB) and Information Technology Infrastructure Library (ITIL) Security Management to meet the demands and requests made by business.

Awareness is now greater than ever that risk management is not only an ICT issue as was previously the case in the past generations shown in Fig. 2. This subject has undergone an impressive evolution resulting in a move from technology to business-orientation. This is seen as logical and is actually a movement that is sincerely applauded by many. To most modern organisations, therefore, risk management is regarded as an essential business aspect and is therefore incorporated in processes.

Due to this in some ways revolutionary change, a strategic dimension has been added to the way in which organisations interpret risk management. Risk management has therefore acquired greater significance and has become a fixed element of any go-ahead and risk-aware organisation. This has resulted in the dawn of a new era where risk management is seeing a clear strategic focus and prioritisation and offers clear added value to the organisation.

Fig. 2. Generations of risk management (axes: Generation against Business value; generations from lowest to highest: Physical security, ad hoc measures; Identification & authentication, focus on authorised access; Systematic approach, attention to structured method of working; Strategic dimension, renewed approach and integration in processes)

Fig. 2 requires a method that offers the chance to take into account the vision and objectives of the organisation, outlines the steps for managing a systematic approach, and offers aids to achieve the intended goal and to display the results achieved. In this way it can be ensured that there is an adequate risk management organisation that supervises the achieving and maintaining of a balanced coordination between business requirements and aims (demand) and the technology in use (supply), and that initiates and monitors any actions required. We have opted for a proven strategic model to shape risk management as a crucial part of today’s progressive organisation, to plan requirements and wishes in a balanced way and demonstrably to measure the performances achieved and to report at the correct aggregation level.

2.3 Growth model

The high-level transformation of ICT organisations was initially discussed in the late 1980s. This reorganisation and growth included the fundamental reorientation of ICT related products and services. The aim was to make this innovative technology more adaptable for organisations so that it could meet demands and requests more flexibly in the long-term. A model was then used principally to facilitate growth of ICT organisations in an integral and structured way so that the intended strategic level is achieved. Using this growth model it is thereby possible to systematically create a gradual, controlled transformation process. The ICT organisation can thereby be made sufficiently adaptable and be adequately coordinated with the future direction and objectives of the organisation. Any growth phase of the model illustrated in Fig. 3 has its own features, areas of interest and performance indicators of which the most important are explained in brief.

Fig. 3. The growth phases of ICT organisations (phases from lowest to highest: Technology-driven, ‘Guarantee availability’; Control, ‘Efficient production’; Service-oriented, ‘Define performance’; Customer-oriented, ‘Translate customer demands’; Business-oriented, ‘Proactively contribute’)

The first growth phase, technology-driven, symbolises the situation in which users follow business demands and wishes, there is little formal attention to problems and modifications, and management is not affected by the processes. The ICT organisation is interested in the technology and places emphasis on creating and maintaining the data supply. The processes are therefore focused on the technology with most resources spent on operations and management. The project and service activities are carried out ad hoc and there are no formalised procedures, cost estimates and planning for work. The available aids are not uniformly applied and the defined performance indicators are aimed only at technical performance.

The second growth phase, control, reflects the situation in which the role of the users appears different compared to their role in the previous phase, the technology is under control and there is sufficient focus on aspects of controllability with the aim of efficient production. In this phase users start to make choices instead of passively following. Processes are reasonably controlled and documented, and are not customer-oriented. The ICT organisation is preoccupied with creating efficiency through responsible planning and budget control. Operations and management make optimum use of available resources and focus on the process quality using standards. Project processes are replicable and the responsibilities for the service activities are defined with an internal focus on costs and efficiency among other things. In the control phase, the performance indicators are directed towards the scope of application of norms and standards.

The third growth phase, service-oriented, represents the situation in which users fulfil a more active role, processes are not yet fully client-orientated and the focus is on short time-to-market (internal focus), and on delivering quality products and services, and production achieves a good price/quality ratio. Users are not just allowed to but do make choices as in the previous growth phase. These also determine the required and desired products and services to be supplied, and provide tangible form on this issue. The ICT organisation is well aware of the standard of products and services that it can supply and defines the required performances for the issue. Operations and management offer quality services and are cost-effective processes. Project activities are thus such that the process can still be implemented in the same way in an emergency situation and there is a basis for optimising it. With regard to service activities, Service Level Agreements (SLAs) are concluded and the services thereby focus more and more on the client. Performance indicators are not yet based on innovation but are mainly focused on processes whereby services can be measured using the agreed SLAs, on the finances giving a better understanding of the cost/service ratio per SLA and in the encroachment per service area, and on the client whereby it can be measured to what extent requirements and wishes are taken into account in the concluded SLAs.
The fourth growth phase, client-oriented, denotes the situation in which users play a prominent role, processes are client-oriented and focus on short time-to-market (external focus). Users do not just indicate which products and services are to be offered but have also taken ownership of this. The ICT organisation makes arrangements for the products and services to be provided and is able, through its client-oriented processes, to implement the set requirements and to anticipate the client’s wishes (reactive). The account management process is defined so that a suitable, appropriate contact partner is present to ensure that the end result is in accordance with the client’s expectations and specifications. The project activities are managed in such a way as to achieve a noticeable improvement in quality. Service activities are carried out internally and externally so as to offer maximum ‘value for money’. Performance indicators from the previous growth phase can also be used for this growth phase.

The fifth and final growth phase, business-oriented, is the situation in which users occupy a dominant position, primary processes are self-explanatory and optimally set up, and constantly updated. The openness of management and personnel over ‘lessons learned’ and the willingness to apply this accumulated experience is rewarded, and testing with different methods and approaches is encouraged. Users are not just the owner of the ICT products and services, but also dictate developments in the ICT organisation. This organisation proactively delivers added value to the client’s primary process, continuously follows developments in the subject and is able to implement radical changes. Project activities are enhanced by continuously adjusting them. In this phase the focus is on the coordination of the process in contrast to the previous growth phase where attention was mainly focused on optimising products and services. Service-oriented activities are in the nature of a partnership and are proactively directed towards the changing user organisation. Performance indicators for the processes are based on optimum management of any overheads, and the finances focus on the cost/benefits of the ICT organisation. As regards the client, it is measured how this organisation offers support. Blank indicators are also used to monitor the progression of process optimisation.
2.4 Process model

In Fig. 3 different growth phases are shown with the associated features and points of focus. Using this, ICT organisations are able to determine the current and the target position so that they can achieve any desired growth. Based on the vision and objectives, a route should be mapped which is used to specify how to pass from one growth phase to another. The well-known Nolan process model, the cloverleaf model, is used for this purpose and presents the aspects that should be in balance so that an effective ICT organisation can be discussed. The process model is split into two parts, i.e.: supply and demand. The demand side reflects the processes and their connection and emphasises the end users and their dominant culture which together form the demand side. In other words, the demand side, also known as the business side, stipulates the demands and wishes that must be met in order to be able to achieve the vision and objectives of the organisation. The supply side relates to the way in which ICT is managed and organised whereby special attention is given to policy, structure, planning, procedures and work instructions. This part also relates to the infrastructure on which the actual ICT operations are carried out in order to be able to deliver the required functionality. In other words, the supply side, also known as the ICT side, offers the support required and desired by the demand side in order to facilitate achieving the vision and objectives of the organisation. We have tailored the process model to the risk management organisation and illustrated it in Fig. 4.

Fig. 4. Nolan process model (four leaves: Management & Organisation; Processes; ICT infrastructure; Humans & Culture; centre: Effectiveness of risk management)

A self-assessment is carried out using the process model, the result of which provides a picture of the phase in which the ICT organisation is situated. Taking into consideration the vision and objectives of the organisation the target phase can be established after which a route to this desired position should be planned. Plateau plans can be made for this, taking the Nolan process model as a basis and adapting it to go through anticipated growth in a phased, controlled and balanced way. For any transformation it must be clear what indicators are to be met in order to reach a subsequent phase. These indicators are spread over the aspects of the process model on which the plateau planning per growth is phased towards a subsequent phase. A graphic representation of this starting point is presented in Fig. 5.

Fig. 5. Plateau planning model (from Start plateau through Plateau I up to Plateau N, towards the Vision & objectives)
3. Growth phases in data security and risk management

As already explained, there is a need for a more modern method for the strategic dimension of risk management with the aim of making data security and risk management more adaptive. Using this new approach it should be possible to take the organisation’s vision and objectives as a starting point, apply a systematic approach, set the desired goals in a phased and controlled way and demonstrate the achieved performances. In our view the growth model and the process model can adequately meet these requirements.

Risk management organisations may be in various growth phases and aspiring to the required change in order to achieve the intended goals. This growing transformation requires a tool that balances supply and demand. The process model is adequate for achieving the required aspects for the desired balance and serves as a basis for gradually and systematically achieving the required and desired growth.

3.1 Growth model

The growth model is based on the ‘thinking in growth phases’ principle with the associated features, focus areas and performance indicators. Depending on the type of organisation and its vision and objectives, the model can also provide a better view of the most suitable system for data security. In our opinion, using the growth model, organisations can assess the current quality of the package of control measures and activities, and whether this package is adequate, inadequate or perhaps excessive for the type of organisation. In addition, the model also shows what the next step may be to achieving the level of ambition, if this has not yet been achieved. We would stress that the level of ambition must be appropriate to the organisation. Specifically, this means that the aim is not the maximum growth phase but the phase that is best suited to the organisation. Fig. 6 shows a number of features and points for consideration for the various growth phases, together with the type of associated performance indicators. These aspects apply to data security and are explained in more detail below.

“The objectives must be appropriate to the organisation and do not need to be top level per se”

Fig. 6. Application of the growth phases to data security (reconstructed from the figure labels, lowest phase first):
- Technology-driven, “Incident-driven”: Non-formalised and technical management of ICT. Risk management is focused on dealing with incidents and providing good back-up. Performance-indicators focus on technology.
- Control, “Baseline”: There must be a basic level. Do what is normal. Keep in step with others. Risk management is focused on measures. Performance indicators based on norms and standards.
- Service-oriented, “Risk analysis”: Which risks pertain to the service. Risk management is generic and is directed at the provider. Performance-indicators focus on general service and SLA.
- Client-oriented, “Demonstrate compliance”: Client recognises risks. Risk management and compliance is client-specific. Performance-indicators tailored to client-specific service and security agreement.
- Business-oriented, “Chain management”: Risk management is aimed at chains. Compliance is in accordance with legislation and regulations. Performance-indicators focus on governance.

3.1.1 Technology-driven

In this phase, data security is controlled based on incidents. If something goes wrong, repair work is carried out. Whether a structural improvement takes place depends on the individual professionalism of those following up the incident, often those who have been most affected by it. There are ad hoc actions and ‘what happened is just a glitch’.

This phase is suitable for organisations who approach information and ICT from a technical perspective and manage these key elements in an informal way. The key security measures are creating a back-up, and dealing with security incidents and the performance indicators are of a technical nature.

3.1.2 Control

In this phase there is at least a basic level of data security. This basic level may be accepted based on an external standard, such as the Dutch Data Security Code (Code voor Informatiebeveiliging), or based on ‘gut instinct’. The vision of the organisation is that the importance of data and ICT is such that there must be basic security, in line with what is customary for this type of organisation. The motto is ‘following in the steps’ of others. Security is not so systematic but more measure-driven. There is no basis for action per se other than that the collection observes ‘good practice’. This collection of measures is controlled: the organisation checks the on-going implementation of the measures at given times. The performance on quality of the implemented measures is predictable.

This phase is suitable for (parts of) organisations for which information and ICT are under control and play a general supportive role to the primary operating processes. It is not at the heart of the organisation but appropriate care based on norms and standards is desirable on which the performance indicators are based. The use of data and ICT is reasonably uniform: no major risks should occur.

Note that this phase is also very suitable for situations in which organisations share data or ICT resources with each other, for example, in a collaborative arrangement. Thus almost all multinationals have defined a basic level of security for data and the ICT infrastructure which the various units within the organisation share with each other.

3.1.3 Service-oriented

The service-oriented phase is the first phase in which risk analysis plays a real part. There is an awareness of the risks to one’s own organisation associated with services or products. The risks are not specific to the purchaser of the services or products but are generic and/or are concentrated on the provider organisation. An example is an email service provider. General risks that this provider must confront because otherwise it is out of business relate to continuity and availability of the service. For some years now, virus detection has been added but more as a service to the client than as a recognised risk.

This phase is suitable for organisations that provide a general service with associated services for which an SLA is concluded. General ICT service providers, telecom providers and other providers of general infrastructure belong to this phase.

3.1.4 Customer-oriented

In this phase risk management is specifically tailored to users of the services who are regarded as the prominent client for whom a fixed contact is appropriate. In addition risk management is organised for the benefit of the client and the effectiveness of the operation of the security measures is made transparent to the client. The client knows in advance what the client-related risks are and formally registers these. This registration normally takes place in the form of a security agreement in which agreement is reached. This client demands to be informed by its contact over compliance with the arrangements made and over the agreed specific performance-indicators. ‘Separation of duties’ and contrasting technical and regulatory duties are an integral part of this.

Organisations with a more than average high risk belong in this phase. Examples of these are certain parts of the administration and organisations with a social role and significance; organisations that have external liability and organisations with major financial interests. Service providers to this type of organisations also fit in this phase. Note that these service providers are willing to offer the service tailored to the client’s risk.

To expand the example of the previous phase: a provider of email services should not just manage the general risks but also conduct an analysis based on the concluded security agreement into the client’s use of the email service. If, so to speak, stock orders are placed by email there are then relevant risks over the identity of the sender of the email, the confidentiality and integrity of the content, prompt delivery, etc. This provider should also offer the associated security services and make the operation of these services transparent.

3.1.5 Business-oriented

In this phase risk management is aimed at added value and confidence in the entire sector, chain or part of the company. There is talk of consistency and ‘governance’. The conduct of the organisation is proactive and is predictable and transparent such that this trust in continuity is guaranteed. The framework of standards for this is mostly specifically developed or is often laid down in external, public standards or in legislation and regulations. Compliance with this framework of standards is organised within the sector. There is often an external regulator.

Naturally, banks and insurers belong in this phase. Regulation here is carried out by De Nederlandsche Bank (DNB), under the Financial Supervision Act (Wet op het financieel toezicht - Wft). Listed companies are also expected to be in this phase. The Code Tabaksblat (Dutch corporate governance code) relating to sound business management, the Sarbanes-Oxley (SOx) legislation and regulation by the Financial Markets Authority (FMA) are decisive here.
12 Strategic system for risk management – Models and growth phases Strategic system for risk management – Models and growth phases 13
3.2 Process model

The Nolan process model is based on the balanced-thinking principle, which means that the organisation of risk management should take into consideration the aspects that influence the balance between supply and demand. Depending on where the risk management organisation is and where it wishes to go, plateau plans can be created following a natural growth path to achieve this objective. We present a simple approach for this comprising four stages, which are briefly described below:

Stage 1: Objectives. The aim of this is to determine the goal. The required and desired objectives (i.e. technology-driven, controlled, service-oriented, client-oriented or business-oriented) are analysed, delimited, defined and recorded at this stage. To do this, interviews are conducted with senior managers, the Chief Information Officer (CIO) and the Chief Security Officer (CSO) with the aid of questionnaires.

Stage 2: Baseline measurement. The aim of this stage is to determine the starting point, to plan the route to the goal and to document this. Here, the gap between the current situation and the objectives is defined and laid down. To do this, interviews are held with the CIO, CSO, business representatives and technical personnel. Questionnaires based on the process model are used for these sessions.

Stage 3: Interim measurement. The aim of this is to analyse progress. Progress in implementing the measures taken to achieve the objectives is analysed and documented. The relevant activities are based on the results of the baseline measurement, with discussions held with the CIO, CSO, business representatives and technical personnel.

Stage 4: Final measurement. The aim of this stage is to indicate whether the intended goal has been achieved and/or any remaining risks are acceptable. Based on the results from the preceding stages, the interviews required for the final measurement are conducted with senior managers, the CIO and the CSO, the outcome of which is recorded and distributed.

Use of this approach may encourage a dialogue between the different levels of the organisation. This means that senior managers responsible for risk management, together with the rest of the interested parties, must jointly determine the desired and achievable objective and work towards it together. On the one hand this regulates sponsorship and on the other the involvement of the various desired levels of the organisation. It is therefore a shared goal for strategically defining risk management jointly. Fig. 7 provides a graphic illustration of this approach. In this illustration it is assumed that the result of Stage 1 (objectives) is the business-oriented phase and the result of Stage 2 (baseline measurement) is the controlled phase. Based on these assumptions, the planned route to the desired goal and the scope of Stage 3 (interim measurement) are specified. It is also assumed that the intended goal is achieved (Stage 4) and that any remaining risks are acceptable.

Fig. 7. Approach for transforming risk management organisations

[Figure: a staircase of phase levels, Technology-driven, Incident-driven, Control (“Baseline”), Service-oriented (“Risk analysis”), Customer-oriented (“Demonstrate compliance”) and Business-oriented (“Chain management”), annotated with Starting point, Route planning, Progress analysis, Destination reached and Destination.]

For clarification, we briefly explain the aspects of the process model for risk management organisations in the controlled and business-oriented phases respectively. A number of features from each phase are clarified, giving a better picture of the balanced approach to the system of risk management.

3.2.1 Control

There is a security manual that contains at least the policy and a basic level for security. The organisation has introduced a basic level of security. The measures are based on external standards and tailored to the organisation. The measures are not selected based on any analysis of what is required but on good practices in the market, combined with an instinct of whether a measure is appropriate to the organisation or not: a sort of simple risk analysis at measure level. The organisation wants to keep in step with similar companies in the market. The organisation has a clear view of the implementation of this basic level because an audit is also conducted at this basic level. Any deviations are systematically corrected.

Management & organisation: ultimate responsibility for data security rests with ICT or the information security manager. The other responsibilities of staff departments and the operational departments are also specified. There is a form of organisation in which there is coordination of activities, e.g. a project or implementation group.

ICT infrastructure: External links are controlled. For example, there are firewalls. Identification and authentication for access to networks, platforms and applications always takes place. Logical access security and authorisation control are set up based on line management control.

Human culture: The human factor is not forgotten. Regular campaigns take place to promote awareness among personnel when handling threats to data and ICT (security awareness). There are also rules of conduct, e.g. for handling emails, Internet use and other services provided.

Processes: The process of data security, or Information Security Management System (ISMS), is outlined and implemented. It is the starting point for day-to-day activities. Audits take place and there is the option of certification. The basic level is referred to in communication with partners, clients and suppliers. Because this is based on a public standard, the stakeholders know what to expect overall. Additional assurance can be offered, as stated, through certification or through a Third Party Audit (TPA). Within the organisation joint processes are defined for, at least, incident management, authorisation control and continuity. The organisation is aware of general statutory requirements relating to, for example, privacy, computer crime and intellectual property rights.

3.2.2 Business-oriented

There are legislation and regulations specific to the sector which are aimed at protecting the stability of this sector as a whole, including the interests of chain partners and those of consumers. There is a governance system set up to ensure continued compliance, or the reporting of non-compliances.

Management & organisation: There is an external regulator. Governance is organised in the sector. Participating organisations require a licence from the regulator. It is compulsory for companies within the sector to take part in the governance process. The organisational form provides for periodical accountability to this regulator as well as compulsory reporting of specific incidents / disasters. Key officers are made known to the regulator. Their personal integrity is examined. Regulation is carried out based on ‘comply and explain’ (demonstrable compliance). The compliance structure provides for all officers to be held accountable for their control over internal control measures, which must take compliance into account in their design and effect. The responsibility of senior management includes: reporting on management supervision of risk management, including accountability of actions to natural persons, policy and control for risk management. Senior management is responsible for and confirms externally that it has approved the risk management process and is informed of the effective implementation. Responsibilities of senior management also include external reporting of on-going control of the risks of outsourcing and third party interests.

ICT infrastructure: The senior management of the organisation reports, backed by audit results and internal control declarations, on the policy and guidelines as well as the scope of implementation with regard to authentication, non-repudiation, integrity, division of duties, audit trails and confidentiality of specific information. The security architecture allows for a transparent interpretation of the functional requirements into a technical implementation, including the associated control processes. Classification is carried out in the ICT infrastructure.

Human culture: Personnel may also be asked explicitly to declare that they comply with specific codes of conduct. An example is that personnel are not permitted to hold any stake in clients of the organisation. Adequate information is issued to clients. The responsibilities of the organisation and the consumers are made explicit.

Processes: There is a transparent internal governance process that is aimed at on-going, demonstrable compliance with the legislation and regulations from the external regulator. There is a joint governance process within the sector in which the compliance of all players is relevant, e.g. due to public confidence in the sector. Compliance management is integral to the relevant processes; control of aspects of compliance is possible. The managers within the company processes are accountable to senior management by means of an In Control or some other management declaration. Risk management is also aimed at risks in respect of the whole sector and the social interest. Public confidence and politics are examples of risks that may be taken on board. Authorisation control is set up in accordance with external legislation and regulations. Division of duties is integrated in authorisation control; there is an authorisation desk and maintenance of authorisations. Senior management endorses and accepts responsibility for the effective system of continuity management (capacity management, business continuity and contingency planning). There are periodic ‘walk-throughs’ and ‘emergency drills’, if necessary with the chain partners. If the sector is closely interconnected or has become concentrated in one place, sector-wide continuity exercises also take place. With regard to incident management too, senior management confirms that it has set up effective incident management, and senior management accepts responsibility for the operation of this process. There is a structure for external and internal auditing that allows for all relevant audit items to be periodically covered based on the external and internal framework of standards. An audit of the chain is also organised. Chain partners have their own audits conducted. The external regulator has issued regulations. The organisation demonstrates compliance with these. There is awareness of other legislation and regulations for the sector. Senior management accepts and also confirms which specific legislation and regulations are recognised.
4. Closing remarks
For some time now, risk management has not focused just on identifying and analysing technical risks, and it is also no longer a specialist subject for colleagues. Risk management has now become an important part of day-to-day operations and enjoys the attention of senior management of organisations in different sectors. The high standards of legislation and regulation and of this dynamic market, together with the continued growth of ICT, have meant that the traditional approach to risk management is no longer adequate. A new method is required that takes into account the business vision of the organisation, encourages a systematic approach and allows the performance achieved to be measured. This approach is really necessary in order to continue living up to the strategic image now gained by risk management. For this purpose we have used in this article standard models and growth phases of the ICT industry, with the aim of bringing risk management organisations up to the required strategic level. To do this, we have combined the theoretical knowledge of the models and phases with our own practical experience. We thereby hope to make a contribution to positioning risk management in organisations so that its added strategic value becomes and remains more obvious.