Enterprise risk management is the process of planning, leading and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. In recent years, external factors have fueled a heightened interest by organizations in enterprise risk management. Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk management policies and procedures for compliance. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk management processes in their organizations.
In this package, learn how organizations and their CIOs can practice enterprise risk management holistically, including implementing the proper risk management methodology, data protection solutions, network access control, cloud computing security and compliance risk management. You will find news, trends, case studies and other resources aimed at providing enterprise risk management solutions to help you make informed decisions in all facets of your organization.
This guide is part of SearchCIO.com's CIO Briefing series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the CIO Briefing section.
- How can I get started with a risk management methodology?
- What data protection solutions can I employ?
- How can I practice network access control?
- How can I ensure cloud computing security?
- What do I need to know about compliance risk management?
- More resources
| How can I get started with risk management?
Table of Contents
According to the Balanced Scorecard framework, in addition to marketing or sales budgets and overall revenue and profits, enterprises should measure intangible assets such as customer relationships, excellence in process operations, employee skills, data and information systems and even the corporate culture.
"If you can't measure, you can't manage and you can't improve upon your corporate success," explained Balanced Scorecard co-developer Robert Kaplan during a presentation at the recent Gartner Business Intelligence Summit in National Harbor, Md.
And today, organizations need to include risk management among the key performance indicators that they measure.
"Financial performance is a lag indicator," Kaplan said. "Now we're seeing the consequences of not making risk management a strategic part of strategy," such as the riskiness of corporate investments that have resulted in huge losses to financial services firms.
Learn more in "Balanced Scorecard founder: In recession, think risk management." Also:
- Risk assessment frameworks easy to employ
You can't protect what you don't know you have. Employing a risk assessment framework should be a priority for midmarket organizations.
- Unearthing the potential paybacks of enterprise risk management
In this tip, we delve into the guts of enterprise risk management, discuss challenges and potential paybacks and provide some best practices for making it work.
- Gartner: Future IT security jobs to focus on risk management strategy
Gartner predicts that by 2016, maturing technologies will supplant many security experts. The jobs that survive will be all about risk management.
| What data protection solutions can I employ?
Table of Contents
Enterprise data protection requires a holistic program that encompasses people, process and technology. Too often, the emphasis is placed on technology when all employees in a company must play their parts, such as following good password guidelines, for the program to be effective. The following are some examples of best practices for adhering to a data protection policy:
Implement a data classification program that focuses on customer, financial and intellectual property information with designated owners of the information. Data protection categories should include confidential, internal use and public, and it's important to put the appropriate controls in place to protect this information. For example, public data should be reviewed to ensure that sensitive information such as future product plans are not released outside the company.
Find out more in "Seven tips to improving enterprise data protection." Also:
- Database security: Who should have access?
The only users who should be allowed full access to any data store should be your system administrators. What about everybody else?
- Data protection trumps threat pursuit in SMBs' 2009 security spending
Security strategy is growing up fast at small and medium-sized businesses, says a new report from Forrester Research Inc. Smaller firms will spend more as they approach computer security more like the enterprise.
| How can I practice network access control?
Table of Contents
Forrester Research, predicting a blockbuster year for network access control (NAC), says this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Nearly 25% of all enterprises have already adopted NAC and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass-based firm.
Meantime, Gartner Inc. in Stamford, Conn., has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, said research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now," he said.
Learn more in "Network access control evaluation tips: NAC systems insights for CIOs." Also:
- CIO turns to identity and access management to solve business problem
Growth and turnover made user provisioning a huge task for business owners and IT at one organization, before a major effort to classify users and deploy an identity and access management system.
- For network access control, this shop chose Microsoft NAP; here's why
Learn why one security architect chose a software-based approach to NAC. Hint: Cost and standards were factors.
- Employee layoffs pose security risk if systems access not disabled
As layoffs rise, IT departments aren't being vigilant enough in disabling systems access and risk the ire of terminated employees.
| How can I ensure cloud computing security?
Table of Contents
Companies looking to use cloud computing infrastructure for data backup and storage need to factor in the compliance requirements before contracts are signed.
In some cases, the cloud provider will be able to satisfy compliance requirements -- but often at a price, according to two market experts. Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company's responsibility for the legal, regulatory and audit obligations attached to that information.
CIOs should be ready with a list of compliance questions for cloud vendors. But don't expect their answers to suffice. Indeed, Gartner recently published a report stating that security, privacy and compliance will prevent adoption of cloud computing in regulated industries and global companies through 2012.
Get more information in "Addressing compliance requirements in cloud computing contracts." Also:
- Cloud computing providers debate compliance, security and transparency
Enterprises seeking to enter the cloud and remain both secure and compliant within regulatory guidelines were the subject of a panel at the RSA Conference.
| What do I need to know about compliance
Table of Contents
As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) recently warned CIOs and chief security officers to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.
"The infusion of federal dollars coming as a consequence of the American Recovery and Reinvestment Act puts significant new pressures on state IT programs to support recovery programs and services. It also increases the likelihood that the federal government will impose stricter security controls as part of broader concerns about transparency and accountability in the use of recovery monies," said Colorado CIO Mike Locatis, co-chair for the NASCIO Security and Privacy Committee, in a statement. "This heightens the need for states to understand existing and new IT security standards to ensure that their programs employ and integrate these as necessary."
Learn more in "Security standards to help manage compliance for those federal funds." Also:
- Strategic risk management includes risk-based approach to compliance
Using a risk-based approach to address regulatory mandates is all the rage in compliance circles, but it's not for beginners. Here's how it works.
- Locking down security in the move to electronic medical records
An IT pro shares security and project success tips gleaned from his two-year odyssey to move a group medical practice to electronic health records.
- SEC commish, FINRA head: Reform financial services regulations
A climate for change has led Luis Aguilar, a Securities and Exchange Commission commissioner, and Rick Ketchum, head of the Financial Industry Regulatory Authority Inc., to call for the reform of financial services regulations.
- Financial crimes resulting in increased compliance enforcement
Financial crimes are on the rise, according to the current and former U.S. deputy attorneys general, who say the public should expect to see aggressive enforcement of the laws.
- Avoiding gotchas of security tools and global data privacy laws
Building a global privacy program is no picnic because of the plethora of laws. IT security tools can help -- or hurt, if implemented without knowledge of the law.
- Log management tool, SIM boxes combine to form security architecture
A new CISO builds an information security architecture to analyze log files and create metrics for business discussions on compliance and security.
| More resources
Table of Contents
Dig Deeper on Enterprise risk management