Economic Downturn Underscores Need for Proactive Measures To Safeguard Data and Minimize Risk

As the economic outlook declines, crime increases, and for businesses that do not take action to protect their most valuable commodity, information, the results can be devastating. Silka Gonzalez, president of Enterprise Risk Management, offers several steps that a company should take in order to identify, analyze and prioritize security risks that may compromise data security.

Coral Gables, FL (PRWEB) November 19, 2008 -- As the economic outlook declines, crime increases, and for businesses that do not take action to protect their most valuable commodity, information, the results can be devastating. In addition, with the U.S. unemployment rate at its highest in 20 years, the risk to data security increases exponentially, as hackers are more desperate to gain access to networks.

The U.S. Department of Labor has warned that 93% of businesses that experience a significant data loss go out of business within five years. "Of those companies 43% go out of business within the first year, and 72% go out in the second year," according to the Disaster Recovery Journal, a leading publication dedicated to the importance of contingency planning in the event of a disastrous occurrence.

"While identity theft is on the rise and has received the most significant amount of media attention, this is just one of many areas where companies are vulnerable," says Silka Gonzalez, president/founder of Enterprise Risk Management (ERM). "As security, regulations and privacy issues increase, today's businesses must face the daunting task of managing risks. The best way to ensure that a business stays on top of potential security problems is to take measures before a breach occurs."

Gonzalez recommends several steps that a company should take in order to identify, analyze and prioritize security risks that may compromise data security:

Step 1. Inventory of Information Assets

Identify information assets such as applications, electronic documents and physical documents used by the business in its day-to-day operations. The information collected should include the name, type (application, physical document or electronic document) and area/department responsible for the asset, as well as a description and the actual location of the asset.

Step 2. Classification of Information Assets

Classify all the assets according to the organization's information classification scheme. The classification process should rank assets in terms of sensitivity. After the assets are assigned a classification, each asset must be evaluated in terms of three primary security components: confidentiality, integrity and availability.

Step 3. Threat Analysis

Identify existing threats that affect the company's information assets. Threats may include viruses, spyware, disgruntled employees, electrical disturbances and vandalism. Each information asset must be evaluated in relation to the defined threats. For each threat, a value must be assigned to the probability that the threat will materialize and another value to the level of impact that would be incurred if the threat were to materialize. A final risk factor is determined for each information asset, followed by prioritizing assets in relation to risk levels.

Step 4. Security Control Analysis

Identify existing security controls for each individual information asset and recommend additional controls that should be in place. This analysis includes the detailed testing of all logical, physical and administrative security measures and delineating the controls that would minimize each threat. For example, the impact of an incident could be minimized if adequate controls were in place in the form of an incident response plan that contains critical business function recovery plans: resource requirements definition, team member contact lists, detailed recovery activity lists and procedures, as well as off-site requirements. The main purpose of this step is to ensure that all assets found to have the highest final risk factors in the previous step have adequate and proper security controls in place.

Depending on the nature of the business, some controls are more relevant than others. Employee education and awareness are considered the first line of defense against security problems such as identity theft.
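The four steps above, carried through on a small constructed inventory as an added example (not ERM's own methodology or tooling): assets are inventoried and classified, each is scored against the threats that apply to it, a final risk factor is derived, and the highest-risk assets are checked for missing controls. The sensitivity ranks, the 1-5 probability/impact scales, the threat catalogue and the control names are all assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    kind: str            # "application", "electronic document" or "physical document"
    owner: str           # area/department responsible for the asset
    classification: int  # sensitivity rank (assumed 1 = public .. 4 = restricted)
    controls: set = field(default_factory=set)  # security controls already in place

# Constructed threat catalogue: probability and impact on an assumed 1-5 scale,
# the asset kinds the threat applies to, and the control that would mitigate it.
THREATS = {
    "malware": (4, 4, {"application", "electronic document"}, "endpoint_protection"),
    "disgruntled_employee": (2, 5, {"application", "electronic document", "physical document"}, "least_privilege"),
    "electrical_disturbance": (3, 3, {"application", "electronic document"}, "ups_and_backups"),
    "vandalism": (1, 4, {"physical document"}, "physical_access_control"),
}

def applicable_threats(asset, threats=THREATS):
    """Step 3: only threats relevant to this kind of asset are evaluated against it."""
    return {n: t for n, t in threats.items() if asset.kind in t[2]}

def risk_factor(asset, threats=THREATS):
    """Step 3: final risk factor = sensitivity x sum(probability x impact) over applicable threats."""
    return asset.classification * sum(p * i for p, i, _, _ in applicable_threats(asset, threats).values())

def control_gaps(asset, threats=THREATS):
    """Step 4: applicable threats whose mitigating control is not yet in place for the asset."""
    return sorted(n for n, (_, _, _, ctl) in applicable_threats(asset, threats).items()
                  if ctl not in asset.controls)

def assess(assets, threats=THREATS):
    """Rank the inventory by risk factor (highest first) and list each asset's control gaps."""
    ranked = sorted(assets, key=lambda a: risk_factor(a, threats), reverse=True)
    return [(a.name, risk_factor(a, threats), control_gaps(a, threats)) for a in ranked]

# Constructed inventory (Steps 1 and 2): name, type, owner, classification, existing controls.
INVENTORY = [
    Asset("Payroll application", "application", "Finance", 3, {"endpoint_protection", "ups_and_backups"}),
    Asset("Customer SSN spreadsheet", "electronic document", "Sales", 4),
    Asset("Marketing brochure", "electronic document", "Marketing", 1, {"endpoint_protection"}),
    Asset("Signed contracts", "physical document", "Legal", 3, {"physical_access_control"}),
]

if __name__ == "__main__":
    for name, risk, gaps in assess(INVENTORY):
        print(f"{risk:4d}  {name:28s} missing controls for: {', '.join(gaps) or 'none'}")
```

The unclassified spreadsheet with no controls ranks first, which is the point of Step 4: the assets with the highest final risk factor are the ones whose control gaps get closed first.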

In addition to these internal steps, Gonzalez recommends that companies consider third-party assessments of their network infrastructure, IT systems, application platforms and database platforms to determine potential security breaches from the outside. These assessments may include penetration testing and vulnerability assessments, which assess the strength of security systems as well as exposure to internal and external intrusions.

"These assessments should be performed on a regular basis to identify new risks," adds Gonzalez. "Whether significant internal controls have been implemented or not, security assessment and implementation must be reviewed, fine tuned and optimized to ensure strong and continuous security risk reduction and management."

Based in Coral Gables, Florida, ERM was founded by Silka Gonzalez in 1998. In the ever-changing world of information technology, the scope of ERM's services has evolved to serve the comprehensive needs of an industry that has seen massive changes in regulation, legislation and increased risk from both internal and external sources. In addition to IT Security and Risk Management, ERM offers IT Audit, Forensic Services, Regulatory Compliance Services and Attestation Services, as well as specialized security and regulatory training. ERM provides high-caliber and cost-effective services to a wide variety of clients, from small business owners to multinational corporations. For more information, visit www.emrisk.com or email info@emrisk.com.

About Silka Gonzalez, Founder/President of Enterprise Risk Management

With more than 20 years' experience in IT Security and IT Auditing, Gonzalez is a Certified Public Accountant, Certified Information Systems Security Professional (CISSP), Certified Information Systems Manager (CISM), Certified Information Systems Auditor (CISA) and a Certified Information Technology Professional (CITP). She is also a published author on current issues in IT security and IT auditing, including SAS 70 Reviews, E-Discovery, and Identity Theft. Prior to the formation of ERM, she was a consultant with Price Waterhouse, where she managed IT and business services. She also managed information systems audit and security functions at large corporations and was Manager of Information Systems Auditing for Diageo PLC and Information Systems Security for American Bankers Insurance Group (Assurant Solutions).

She currently serves on the board of the Miami chapter of ISACA (Information Systems Audit and Control Association) and is the past president of the Miami chapter of the Institute of Internal Auditors.

###


Contact Information
SHARON KERSTEN
The Treister Murry Agency/Kersten Communications
http://www.emrisk.com/
3058670933
Silka Gonzalez
Enterprise Risk Management
http://www.emrisk.com/
(305) 447-6750