11 Jul 2002
This week, Clifford May, principal consultant at Integralis, sees that an old joke is still doing the rounds.
Although the 'why did the chicken cross the road?' joke seems to have had its day, crossing the road remains an excellent analogy for the processes involved in risk management. So perhaps putting into practice the principles that we learnt as children in the Green Cross Code can help us to create more secure businesses.
Every organisation needs to have a basic understanding of risk management if it is to reduce its vulnerabilities. Good risk management practices enable companies to make an informed judgement on the security measures they employ, while allowing them to save money by eradicating unnecessary controls.
The processes
The Green Cross Code gave us 'Stop, Look and Listen': three simple steps to safe crossing. Similarly, risk assessment follows a four-point guide.
Firstly, identify the most valuable information assets and the critical business functions and determine their true value to the business. This helps to determine the appropriate level of expenditure required to protect them.
Secondly, consider the true threat posed to those assets and functions, both externally and internally.
Thirdly, carry out a security audit in order to determine the company's strengths and weaknesses.
Finally, test existing control measures in order to establish their reliability.
Taking action
At the end of this process, you have usually identified a degree of residual risk. The primary aim in a risk management strategy is to reduce residual risk to acceptable levels, balancing the acceptance against the consequences of inadequate control.
Therefore, once the assessment has been completed, it's time to TAME the risk. Businesses can do any mixture of the following:
Transfer the risk to someone else, e.g. by taking out 'cyber-liability' insurance for your ecommerce site.
Accept that level of risk.
Mitigate the risk by improving policies, procedures and control measures.
Eliminate all remaining risk. This could mean removing a system from direct access to the internet or, at the extreme, axing a business function.
To help businesses work towards improving their security, recognised standards can be used as a template for the development of policies and best practice guidelines.
Following a risk assessment, companies are in an ideal position to start working towards standards like BS7799. This flexible framework allows businesses to tailor their information security infrastructure to meet their specific needs.
Certification to an internationally recognised standard proves to staff, customers and trading partners that you take security seriously, that their data is safe in your custody and that you have independent verification of the fact.
Small companies do not usually have the financial resources to implement comprehensive information security measures and may choose to 'take a gamble', but would you take a chance with your company's intellectual property?
It is becoming increasingly popular for businesses of all sizes to outsource IT security requirements, allowing them to sleep safe in the knowledge that their security requirements are being monitored and updated 24/7 behind the scenes.