Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Enterprise risk management solutions for CIOs

Enterprise risk management programs buffer organizations from risky business practices. In this guide, learn how to employ enterprise risk management solutions in an organization.

Enterprise risk management is the process of planning, leading and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. In recent years, external factors have fueled a heightened interest by organizations in enterprise risk management. Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk management policies and procedures for compliance. In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk management processes in their organizations.

In this package, learn how organizations and their CIOs can practice enterprise risk management holistically, including implementing the proper risk management methodology, data protection solutions, network access control, cloud computing security and compliance risk management. You will find news, trends, case studies and other resources aimed at providing enterprise risk management solutions to help you make informed decisions in all facets of your organization.

This guide is part of SearchCIO.com's CIO Briefing series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date, visit the CIO Briefing section.

Table of contents

  How can I get started with risk management?
  Table of Contents

According to the Balanced Scorecard framework, in addition to marketing or sales budgets and overall revenue and profits, enterprises should measure intangible assets such as customer relationships, excellence in process operations, employee skills, data and information systems and even the corporate culture.

"If you can't measure, you can't manage and you can't improve upon your corporate success," explained Balanced Scorecard co-developer Robert Kaplan during a presentation at the recent Gartner Business Intelligence Summit in National Harbor, Md.

And today, organizations need to include risk management among the key performance indicators that they measure.

"Financial performance is a lag indicator," Kaplan said. "Now we're seeing the consequences of not making risk management a strategic part of strategy," such as the riskiness of corporate investments that have resulted in huge losses to financial services firms.

Learn more in "Balanced Scorecard founder: In recession, think risk management." Also:

  What data protection solutions can I employ?
  Table of Contents

Enterprise data protection requires a holistic program that encompasses people, process and technology. Too often, the emphasis is placed on technology when all employees in a company must play their parts, such as following good password guidelines, for the program to be effective. The following are some examples of best practices for adhering to a data protection policy:

Implement a data classification program that focuses on customer, financial and intellectual property information with designated owners of the information. Data protection categories should include confidential, internal use and public, and it's important to put the appropriate controls in place to protect this information. For example, public data should be reviewed to ensure that sensitive information such as future product plans are not released outside the company.

Find out more in "Seven tips to improving enterprise data protection." Also:

  How can I practice network access control?
  Table of Contents

Forrester Research, predicting a blockbuster year for network access control (NAC), says this watchdog technology is fast becoming "a critical component in making many security initiatives efficient and a seamless part of the network infrastructure." Nearly 25% of all enterprises have already adopted NAC and an additional 15% will do so by the end of 2009, according to the Cambridge, Mass-based firm.

Meantime, Gartner Inc. in Stamford, Conn., has spent the past three years encouraging enterprises to look at NAC as an important piece of network hygiene, said research director Lawrence Orans. "This is such a valuable defense that you can add to your network. Our advice is start doing NAC now," he said.

Learn more in "Network access control evaluation tips: NAC systems insights for CIOs." Also:

  How can I ensure cloud computing security?
  Table of Contents

Companies looking to use cloud computing infrastructure for data backup and storage need to factor in the compliance requirements before contracts are signed.

In some cases, the cloud provider will be able to satisfy compliance requirements -- but often at a price, according to two market experts. Even before price negotiations begin, CIOs must understand that data backup and storage in the cloud does not remove a company's responsibility for the legal, regulatory and audit obligations attached to that information.

CIOs should be ready with a list of compliance questions for cloud vendors. But don't expect their answers to suffice. Indeed, Gartner recently published a report stating that security, privacy and compliance will prevent adoption of cloud computing in regulated industries and global companies through 2012.

Get more information in "Addressing compliance requirements in cloud computing contracts." Also:

  What do I need to know about compliance
  Table of Contents

As states look forward to the federal stimulus funds from the American Recovery and Reinvestment Act of 2009, the National Association of State Chief Information Officers (NASCIO) recently warned CIOs and chief security officers to pay close heed to security standards and their security programs. The infusion of funds will likely come with a call for stricter controls. At the same time, the pressure on states to put this bolus of money into action will almost certainly create security risks, NASCIO said.

"The infusion of federal dollars coming as a consequence of the American Recovery and Reinvestment Act puts significant new pressures on state IT programs to support recovery programs and services. It also increases the likelihood that the federal government will impose stricter security controls as part of broader concerns about transparency and accountability in the use of recovery monies," said Colorado CIO Mike Locatis, co-chair for the NASCIO Security and Privacy Committee, in a statement. "This heightens the need for states to understand existing and new IT security standards to ensure that their programs employ and integrate these as necessary."

Learn more in "Security standards to help manage compliance for those federal funds." Also:

  More resources
  Table of Contents

Dig Deeper on Risk and compliance strategies and best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.