UNCW MSA 516 - Transforming Information Security into Information Risk Management
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 2, 2008
Copyright © 2008 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Key Elements of an Information Risk Management Program: Transforming Information Security Into Information Risk Management
By John P. Pironti, CISA, CISM, CGEIT, CISSP, ISSAP, ISSMP

Information security and protection are critical to an organization, but cannot guarantee its success. To facilitate effective protection of information, a risk management approach that balances the need for information security against the needs of the organization enables the organization to be efficient and successful in its activities. Information has always had associated value, but only recently have capable and motivated adversaries truly understood and exploited this value.

The current trend in global enterprises has been to establish individual organizational units to address compliance, information and physical security, privacy, and operational and financial risk to facilitate corporate governance in each of these areas. Each of these groups is effective at achieving its own goals; but because they work independently and are aligned to separate leadership, they may not achieve the overall goal of effective information risk management. By combining these groups into a singular business function or organization, effective information risk management is possible.

Why Is Information Security So Challenging?

Information security is the most challenging aspect of information processing because it is ever-changing and evolving. The simple reason for information security being so challenging is that the adversary only has to be right once, but the defender has to be right all of the time. The defender is plagued with a lack of investment, resources, time and knowledge. The organization expects the defender to be able to prevent any damage to its information infrastructure, even with the limited resources and capabilities available to it. As soon as the defender creates and implements a control or set of controls to defend against an attack from an adversary, the adversary develops a new and more effective attack that forces the defender to develop yet another control.

Ethics, laws, morals, lack of funding and lack of resources do not restrict adversaries. The global communication capabilities that have grown as a result of the adoption of Internet capabilities have allowed the adversary community to come together, without ever having a verbal or in-person conversation, to develop innovative attacks, share research and knowledge, and develop capabilities that far surpass what any one organization could achieve. The best chance the defender has to defeat the adversary is to take a risk management approach to information protection that facilitates the protection of the essential and critical elements using the available resources and capabilities.

Current State of Information Security

Information security still narrowly focuses on the use of technology to mitigate threats. Experience has proven that policy, process and procedure, complemented by technology, provide more effective defense, in most cases, than technology alone; however, most organizations do not routinely implement these components. This is because policy, process and procedure are difficult to implement and operate compared to the instant perceived value achieved by purchasing and installing a technological control. This lack of patience has allowed the threat landscape to expand and the ability for adversaries to exploit information infrastructure to significantly increase.

There is also a very dangerous global trend today known as “security by compliance.” This is the act of focusing all information protection efforts on requirements established by government and industry regulations. Regulations such as the Payment Card Industry (PCI) standard, US Sarbanes-Oxley Act, European Data Protection and Privacy Act, and information disclosure laws provide guidance on the protection of information in some form or fashion. Some of these standards, e.g., PCI, provide prescriptive guidance on the specific technologies and controls that an organization needs to implement, even though the controls may not be effective or even relevant to that organization. This concept is extremely risky since it focuses the organization’s efforts on meeting compliance standards instead of understanding and mitigating the actual risks and threats to its information and information infrastructure.

The threat landscape organizations face has dramatically changed in the past few years. The attack community has shifted its focus from proof of concept and status-seeking attacks to highly targeted, highly effective and nonadvertised attacks. This means that the traditional intelligence, technological control frameworks, and methods and practices used to protect information and information infrastructure may no longer be effective, or may have a reduced level of capability. Organizations must implement new capabilities based on risk-based decision processes and frameworks to face this new challenge.

Information Risk Management vs. Information Security

Information risk management defines the areas of an organization’s information infrastructure and identifies what information to protect and the degree of protection needed to align with the organization’s tolerance for risk. It identifies the business value, business impact, compliance requirements and overall alignment to the organization’s business strategy. Once this information has been identified, it can be presented to the business leadership to make decisions about the level of investment (both financial and resource) that should be utilized to create appropriate information protection and risk management capabilities.

After making these decisions, the information security team can implement the appropriate capabilities to align with the business leadership’s decisions. The information security group identifies threats, develops and implements controls, and monitors the effectiveness of these capabilities on a regular basis to ensure alignment. The key difference in this risk management model compared to the current information security state in most organizations is the disempowerment of the information security team. In the risk management model, the information security team no longer has the authority within the overall organization to make decisions of what to allow and not allow related to the security