An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.
A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives who were not board members. Forty-five percent of the participants were from critical infrastructure companies.
The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:
1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.
2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.
4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.
5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.
6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.
7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.
8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.
9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.
10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.
These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s risk mindfulness level, but also secure positive returns for key investors and stakeholders for years to come.