Risk management for enterprise CIOs
Enterprise risk management solutions for CIOs
By Staff
SearchCIO.com
Enterprise risk management is the process of planning, leading and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. In recent years, external factors have fueled a heightened interest by organizations in enterprise risk management. Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk management policies and procedures for compliance. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk management processes in their organizations.
In this package, learn how organizations and their CIOs can practice enterprise risk management holistically, including implementing the proper risk management methodology, data protection solutions, network access control, cloud computing security and compliance risk management. You will find news, trends, case studies and other resources aimed at providing enterprise risk management solutions to help you make informed decisions in all facets of your organization.
This guide is part of SearchCIO.com's CIO Briefing series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the CIO Briefing section.
Table of contents
- How can I get started with a risk management methodology?
- What data protection solutions can I employ?
- How can I practice network access control?
- How can I ensure cloud computing security?
- What do I need to know about compliance risk management?
- More resources
How can I get started with risk management?
According to the Balanced Scorecard framework, in addition to marketing or sales budgets and overall revenue and profits, enterprises should measure intangible assets such as customer relationships, excellence in process operations, employee skills, data and information systems and even the corporate culture.
"If you can't measure, you can't manage and you can't improve upon your corporate success," explained Balanced Scorecard co-developer Robert Kaplan during a presentation at the recent Gartner Business Intelligence Summit in National Harbor, Md.
And today, organizations need to include risk management among the key performance indicators that they measure.
"Financial performance is a lag indicator," Kaplan said. "Now we're seeing the consequences of not making risk management a strategic part of strategy," such as the riskiness of corporate investments that have resulted in huge losses to financial services firms.
Learn more in "Balanced Scorecard founder: In recession, think risk management." Also:
- "Risk assessment frameworks easy to employ": You can't protect what you don't know you have. Employing a risk assessment framework should be a priority for midmarket organizations.
- "Unearthing the potential paybacks of enterprise risk management": In this tip, we delve into the guts of enterprise risk management, discuss challenges and potential paybacks and provide some best practices for making it work.
- "Gartner: Future IT security jobs to focus on risk management strategy": Gartner predicts that by 2016, maturing technologies will supplant many security experts. The jobs that survive will be all about risk management.
What data protection solutions can I employ?
Enterprise data protection requires a holistic program that encompasses people, process and technology. Too often, the emphasis is placed on technology when all employees in a company must play their parts, such as following good password guidelines, for the program to be effective. The following are some examples of best practices for adhering to a data protection policy:
Implement a data classification program that focuses on customer, financial and intellectual property information, with designated owners for each class of information. Data protection categories should include confidential, internal use and public, and it's important to put the appropriate controls in place to protect this information. For example, public data should be reviewed to ensure that sensitive information such as future product plans is not released outside the company.
Find out more in "Seven tips to improving enterprise data protection." Also:
- "Database security: Who should have access?": The only users who should be allowed full access to any data store should be your system administrators. What about everybody else?
- "Data protection trumps threat pursuit in SMBs' 2009 security spending": Security strategy is growing up fast at small and medium-sized businesses, says a new report from Forrester Research Inc. Smaller firms will spend more as they approach computer security more like the enterprise.
How can I practice network access control?
Forrester Research, predicting a blockbuster year for network access control (NAC), says this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Nearly 25% of all enterprises have already adopted NAC and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass.-based firm.
Meantime, Gartner Inc. in Stamford, Conn., has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, said research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now," he said.
Learn more in "Network access control evaluation tips: NAC systems insights for CIOs." Also:
- "CIO turns to identity and access management to solve business problem": Growth and turnover made user provisioning a huge task for business owners and IT at one organization, before a major effort to classify users and deploy an identity and access management system.
- "For network access control, this shop chose Microsoft NAP; here's why": Learn why one security architect chose a software-based approach to NAC. Hint: Cost and standards were factors.
- "Employee layoffs pose security risk if systems access not disabled": As layoffs rise, IT departments aren't being vigilant enough in disabling systems access and risk the ire of terminated employees.
How can I ensure cloud computing security?
Companies looking to use cloud computing infrastructure for data backup and storage need to factor in the compliance requirements before contracts are signed.
In some cases, the cloud provider will be able to satisfy compliance requirements -- but often at a price, according to two market experts. Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company's responsibility for the legal, regulatory and audit obligations attached to that information.
CIOs should be ready with a list of compliance questions for cloud vendors. But don't expect their answers to suffice. Indeed, Gartner recently published a report stating that security, privacy and compliance will prevent adoption of cloud computing in regulated industries and global companies through 2012.
Get more information in "Addressing compliance requirements in cloud computing contracts." Also:
- "Cloud computing providers debate compliance, security and transparency": Enterprises seeking to enter the cloud and remain both secure and compliant within regulatory guidelines were the subject of a panel at the RSA Conference.
What do I need to know about compliance risk management?
As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) recently warned CIOs and chief security officers to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.
"The infusion of federal dollars coming as a consequence of the American Recovery and Reinvestment Act puts significant new pressures on state IT programs to support recovery programs and services. It also increases the likelihood that the federal government will impose stricter security controls as part of broader concerns about transparency and accountability in the use of recovery monies," said Colorado CIO Mike Locatis, co-chair for the NASCIO Security and Privacy Committee, in a statement. "This heightens the need for states to understand existing and new IT security standards to ensure that their programs employ and integrate these as necessary."
Learn more in "Security standards to help manage compliance for those federal funds." Also:
- "Strategic risk management includes risk-based approach to compliance": Using a risk-based approach to address regulatory mandates is all the rage in compliance circles, but it's not for beginners. Here's how it works.
- "Locking down security in the move to electronic medical records": An IT pro shares security and project success tips gleaned from his two-year odyssey to move a group medical practice to electronic health records.
- "SEC commish, FINRA head: Reform financial services regulations": A climate for change has led Luis Aguilar, a Securities and Exchange Commission commissioner, and Rick Ketchum, head of the Financial Industry Regulatory Authority Inc., to call for the reform of financial services regulations.
- "Financial crimes resulting in increased compliance enforcement": Financial crimes are on the rise, according to the current and former U.S. deputy attorneys general, who say the public should expect to see aggressive enforcement of the laws.
- "Avoiding gotchas of security tools and global data privacy laws": Building a global privacy program is no picnic because of the plethora of laws. IT security tools can help -- or hurt, if implemented without knowledge of the law.
- "Log management tool, SIM boxes combine to form security architecture": A new CISO builds an information security architecture to analyze log files and create metrics for business discussions on compliance and security.
More resources
- Resource center: Risk management (SearchCIO.com)
- Resource center: Data privacy (SearchCIO.com)
- Resource center: Compliance (SearchCIO.com)
02 Jul 2009