1. Document risk management
Four questions about document management
1. What is it?
2. Why does it matter?
3. What if it fails?
4. How to protect against failure?
1. Document Risk Management
1. What is it?
Corporate documents: all types of documents created or received by employees during business activities.
What is a document management programme?
• Systematic management of the entire document lifecycle of corporate documents, including:
  – an inventory of records
  – which records to keep
  – which records to archive
  – which records to destroy
About document management
2. Why does it matter?
– control of the cost of storage
– control of the risk
3. What if it fails?
– risk of inefficiency
– risk of loss or compromise of records
– risk of infringing data protection laws, leading to prosecution and fines
– risk of reputational damage
About document management
4. How to protect against failure?
1. a document management programme.
2. a document RISK management programme.
2. Document Risk Management
• Documents contain information: often a valuable intangible asset of corporations.
  Document risk is thus a form of information risk.
• Risk is the effect of uncertainty on objectives.
• Organisations want predictable results, so they need to manage this uncertainty.
• Document risk can be efficiently managed by implementing a comprehensive programme:
  – compliant with internationally accepted standards
  – using validated and practical standard methods
International Standards (most relevant ones)
• ISO 31000: Risk Management
• BS 31100: Code of Practice for Risk Management
• ISO Guide 73: vocabulary
• ISO 27001: ISMS (information security management system)
• ISO 27003: Implementation of the ISMS
• ISO 27005: Information Security Risk Management
Methods
1. Österreichisches IT-Sicherheitshandbuch (Austrian IT Security Handbook)
2. CRAMM (CCTA Risk Analysis and Management Method)
3. A&K analyse (Afhankelijkheids- en Kwetsbaarheidsanalyse: dependency and vulnerability analysis)
4. EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
5. ISAMM (Information Security Assessment & Monitoring Method)
6. Information Security Forum (ISF) tools
7. MAGERIT
8. MARION
9. MEHARI
10. MIGRA
11. OCTAVE®
12. SP 800-30 (NIST): Risk Management Guide for Information Technology Systems
2. EBIOS
• Comprehensive: the set of guides covers the whole process of ISO 31000.
• Professional: developed by ANSSI.
• Validated: in use since 1995; Club EBIOS since 2003.
• Practical: Club EBIOS manages a user network and a knowledge base.
• Open & transparent: can be customised by the user (vs. the black-box approach of some other tools).
• Flexible: can be used for detailed as well as strategic risk management.
• Universal: can be used for any type of risk.
• Integrated: compliant with (ISO) standards.
• Well documented: training & documentation available.
• Cheap: can be used for free.
2. EBIOS
5 EBIOS Modules
By applying the 5 EBIOS modules you are sure of covering the ISO 31000 risk management process.
Sample (Module 1)
Activity 1.1: Definition of the environment for risk management
• Action 1: framework, objectives and action plan
• Action 2: internal and external context
• Action 3: perimeter of the study
• Action 4: parameters to take into account
• Action 5: most relevant threat sources
Activity 1.2: Preparing the metrics
• Action 1: security criteria and scales
• Action 2: gravity scale (impact)
• Action 3: likelihood scale
• Action 4: risk scale
Activity 1.3: Identifying the assets
• Action 1: essential assets
• Action 2: supporting assets
• Action 3: interdependencies between them
• Action 4: analysis of existing security measures
3. EBIOS CASE
• TELCO: small telecom installation company, approx. 10 staff, works for telecom providers such as Belgacom, Telenet and others.
• Has many competitors, ‘price war’
• Is losing market share and contracts to one particular competitor
• CEO fears price info could be compromised
• Wants a «document risk» study, about the offers in particular
3. EBIOS CASE
TELCO: Document Risk Management: action plan

Reference | EBIOS Module | EBIOS Activity | CEO | Secretariat & Assistance | Resources | Studies & Calculations | Sales | Installers | Documents to deliver | Man-days required
A | 1 | Activity 1.1 - setting the framework for the risk management project | A | I | I | C | R | I | Objectives of the study | 1
B | 1 | Activity 1.2 - preparing the metrics | R | I | I | I | I | I | Table with metrics and scale | 1
C | 1 | Activity 1.3 - identifying the assets | A | C | C | A | C | C | Table with essential and supporting assets | 2
D | 2 | Activity 2.1 - identifying the feared events | R | I | C | C | C | C | Inventory of feared events | 2
E | 3 | Activity 3.1 - evaluating the threat scenarios | A | I | C | C | R | C | List of most relevant threat scenarios and likelihood | 2
F | 4 | Activity 4.1 - assessing the risks | A | C | C | C | R | C | Risk assessment matrix | 1
G | 4 | Activity 4.2 - treating the risks | A | C | C | R | C | C | Information security strategy for offers | 3
H | 5 | Activity 5.1 - formalising the required security measures | A | I | C | R | C | C | Internal Security Policy for Offers | 1
Module 1
Activity 1.1: FRAMEWORK
1. Objective (set by CEO): « reduce the risk for disclosure of confidential offers to competitors »
2. Organisational perimeter
3. Technological perimeter
4. Parameters
   - application of ISO 31000
   - use of EBIOS
Module 1
Activity 1.2: METRICS
1. Security (quality) criteria and scales
   = scale for confidentiality
   • Compromised (unknown)
   • Compromised & detected
   • Under control
2. Gravity and likelihood scales
   Gravity (= impact)
   • Critical
   • Important
   • Unimportant
   Likelihood
   • Almost certain
   • Possible
   • Unlikely
3. Risk criteria (rows: likelihood of the scenario; columns: impact)

RISK                    | unimportant impact | important impact  | critical impact
unlikely scenario       | acceptable risk    | acceptable risk   | acceptable risk
possible scenario       | acceptable risk    | significant risk  | unacceptable risk
almost certain scenario | unacceptable risk  | unacceptable risk | unacceptable risk
Module 1
Activity 1.3: Identifying the ASSETS
1. Essential asset
   • The offer (the price)
2. Supporting assets
   • staff, equipment etc.
3. Feared event (IMPACT)
   • The worst thing that could happen to our essential asset: systematic compromise of our offer prices without our knowing about it
4. Threat scenarios (LIKELIHOOD)
   • How could feared events happen?
   • By threats that affect the supporting assets
   • Scenarios: corruption of persons, hacking of equipment, etc.
Modules 2 and 3
Activity 2.1 and 3.1: Feared events and threat scenarios
Module 4
Activity 4.1: Assessing the risks
Activity 4.2: Action plan
• Each risk: avoid, reduce, accept or transfer
• Cell phone hacked: accept
• Sales manager or studies engineer corrupt: accept
• Laptop lost: awareness campaign
• Sales manager not careful: awareness clause in contract
• Wifi hacked: encryption of files + firewall
• Etc.

Risk assessment matrix (rows: likelihood; columns: impact)
unlikely scenario:
  - cell phone is hacked; sales manager or studies engineer corrupt → ACCEPT
possible scenario:
  - unimportant impact: laptop is lost; cell phone is overheard; print-outs of offers forgotten on printer → Awareness
  - important impact: laptop is stolen; sales manager or studies engineer not careful → Awareness
  - critical impact: wifi is hacked; laptop is hacked → Encryption
almost certain scenario:
  - (no scenarios)
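The risk criteria defined in Activity 1.2 and the decisions of Activities 4.1 and 4.2, carried through in code as an added example (it is not part of the original slides and is not EBIOS's own tooling). It encodes the deck's 3x3 likelihood-by-impact grid, rebuilds the risk assessment matrix for the TELCO scenarios, and checks each treatment decision against the resulting risk level: an "accept" decision is only consistent with an acceptable risk, and a significant or unacceptable risk must carry a security measure. The impact column of the two "unlikely" scenarios, the measures not named on the slides, and all function names are assumptions.

```python
"""EBIOS risk criteria (Activity 1.2) applied to the TELCO threat scenarios
(Activities 4.1 and 4.2). Added example; not from the original slides and not
part of the EBIOS method's own tooling.
"""
from collections import defaultdict
from dataclasses import dataclass

GRAVITY = ("unimportant", "important", "critical")        # impact scale
LIKELIHOOD = ("unlikely", "possible", "almost certain")  # likelihood scale

# Risk criteria grid from the deck: rows = likelihood, columns = gravity.
RISK_CRITERIA = {
    "unlikely":       ("acceptable",   "acceptable",   "acceptable"),
    "possible":       ("acceptable",   "significant",  "unacceptable"),
    "almost certain": ("unacceptable", "unacceptable", "unacceptable"),
}

TREATMENTS = ("avoid", "reduce", "accept", "transfer")  # Activity 4.2 options


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: str
    gravity: str
    treatment: str     # one of TREATMENTS
    measure: str = ""  # security measure chosen, empty if none


def rate(likelihood: str, gravity: str) -> str:
    """Look up the risk level for one cell of the criteria grid."""
    if likelihood not in RISK_CRITERIA:
        raise ValueError(f"unknown likelihood: {likelihood!r}")
    if gravity not in GRAVITY:
        raise ValueError(f"unknown gravity: {gravity!r}")
    return RISK_CRITERIA[likelihood][GRAVITY.index(gravity)]


def risk_matrix(scenarios):
    """Group scenario names by (likelihood, gravity): the Activity 4.1 deliverable."""
    cells = defaultdict(list)
    for s in scenarios:
        cells[(s.likelihood, s.gravity)].append(s.name)
    return dict(cells)


def check_treatment(s: Scenario) -> list:
    """Return findings for one scenario; an empty list means the decision is consistent."""
    level = rate(s.likelihood, s.gravity)
    findings = []
    if s.treatment not in TREATMENTS:
        findings.append(f"{s.name}: unknown treatment {s.treatment!r}")
    elif s.treatment == "accept" and level != "acceptable":
        findings.append(f"{s.name}: {level} risk cannot simply be accepted")
    if level != "acceptable" and s.treatment != "accept" and not s.measure:
        findings.append(f"{s.name}: {level} risk has no security measure")
    return findings


def review_plan(scenarios) -> list:
    """Run check_treatment over the whole action plan."""
    return [f for s in scenarios for f in check_treatment(s)]


# Scenarios and decisions as given on the slides. The gravity of the two
# 'unlikely' scenarios is not recoverable from the slide layout and is assumed;
# measures not named on the slides are assumed from the study result.
TELCO_SCENARIOS = [
    Scenario("cell phone is hacked", "unlikely", "important", "accept"),
    Scenario("sales manager or studies engineer corrupt", "unlikely", "critical", "accept"),
    Scenario("laptop is lost", "possible", "unimportant", "reduce", "awareness campaign"),
    Scenario("cell phone is overheard", "possible", "unimportant", "reduce", "awareness campaign"),
    Scenario("print-outs of offers forgotten on printer", "possible", "unimportant", "reduce", "awareness campaign"),
    Scenario("laptop is stolen", "possible", "important", "reduce", "awareness campaign"),
    Scenario("sales manager or studies engineer not careful", "possible", "important", "reduce", "awareness clause in contract"),
    Scenario("wifi is hacked", "possible", "critical", "reduce", "encryption of files + firewall"),
    Scenario("laptop is hacked", "possible", "critical", "reduce", "encryption of files"),
]

if __name__ == "__main__":
    for cell, names in sorted(risk_matrix(TELCO_SCENARIOS).items()):
        print(f"{cell[0]:>14} / {cell[1]:<11} {rate(*cell):<12} {'; '.join(names)}")
    print("findings:", review_plan(TELCO_SCENARIOS) or "none")
```

Running the module prints the matrix cell by cell with its risk level and reports no findings for the plan as stated on the slides; changing the "wifi is hacked" decision to "accept" produces a finding, which is the check a risk manager wants before the action plan goes to the CEO.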
Result of the study
1. Encryption of electronic documents containing price info.
2. The personnel shall report loss or theft of laptop computers immediately.
3. It is not allowed to discuss price information over the cell phone when this can be overheard (e.g. in the train).
4. Paper documents:
   - When offers are printed the personnel shall use the PIN code.
   - Shredders shall be used to destroy all paper drafts.
   - All hard copies shall be locked away.
   - A clean desk policy shall be applied.
5. The personnel shall sign a confidentiality agreement.
6. Any loss or compromise of price information shall be reported to the CEO immediately.
4. Conclusions
• Documents and records need to be managed to avoid cost & risk.
• Risk = effect of uncertainty on objectives.
• Uncertainty needs to be managed because corporations want predictable results.
• Document risk is best managed in line with international standards and by using existing methods.
• EBIOS is an example of a comprehensive method which can achieve this.
4. CONCLUSIONS
Speaker notes
Planning: 1 minute
Timing: 2 minutes
Document management is about all the documents that are used by employees in the context of their professional duties, regardless of the form of the document (paper, electronic file, etc.).
As illustrated in the drawing
Timing: + 3 minutes
The same information in a document can be exposed to different types of risk depending on the stage in the lifecycle.
Timing: + 4 minutes
Timing + 5 minutes
Timing + 6 minutes
Timing + 6.5 minutes
Timing + 7 minutes
Timing + 7.5 minutes
Timing + 8.5 minutes
Timing + 9 minutes
In EBIOS you are free to use all the modules, activities and actions, or only a part of them.
You can go in detail as much as you want, or not at all
You can change the order of things and adapt the method to your own needs
Timing + 10 minutes
Timing + 11 minutes
Timing + 12 minutes
Timing + 13 minutes
Timing + 14 minutes
Not going into the detail of the action plan, just explaining that EBIOS offers detailed guidance on how to make an action plan.
Here we agree on what we will do and what we will deliver, and what not.
In my personal view this is a good method, but of course a risk manager is free to use another method for this (flexibility of EBIOS), for example if there is already a standard tool for this in the company.
Timing + 15 minutes
EBIOS provides for making clear agreements (the framework) before starting the detail of the study.
It is very important indeed that some basic assumptions (for example the objectives or the perimeter: what is included and what is not) are not changed halfway through the study.
Timing + 16 minutes
Metrics are the way we will measure things
In EBIOS this is done beforehand, so that the study is as objective as possible
(it is very difficult to do an objective risk assessment if the scale is not agreed upon)
The likelihood and the gravity can be either quantitative or qualitative (a description).