Today it has become difficult to protect financial organisations from risk. Risk harms an organisation in different ways, for example by damaging assets, information or data, and it can arise in any organisation, whether its business is finance, IT or something else. To handle risk, companies use Information Risk Management: the process of managing risks and protecting the organisation. There are many related issues, such as information classification, where different categories of information need to be protected using different terminologies. Information risk management adopts international standards according to the business context and provides management principles for securely managing organisational assets.
Information plays a vital role in an organisation's success. To protect information, companies have Information Risk Management, a powerful means of tackling the risks found in organisations. Risk management defines strategies to locate the risks and threats in an organisation and also provides solutions to reduce the effect of those risks. An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform their mission. (Stoneburner et al., 2002) The information risk management process considers the goals and objectives of the organisation in managing and removing risk from the company. The risk management process has certain predefined steps to follow in managing business risk: identification, analysis, evaluation, treatment, monitoring and review. The steps themselves are reviewed and monitored to check whether the process is going in the right direction.
Figure: Risk Management Process (Exton, 2010)
Another way of protecting information is information classification: through this process organisations classify their information into categories with different security levels.
In finance companies such as banks, insurance companies and loan companies, risk management processes are required to provide a secure environment and to keep information confidential. It is difficult for any bank to convey the information it holds about its customers or stakeholders. Financial risks are also very high in banks, so they need a financial strategic plan to protect transactions. They therefore use risk management strategies to protect the information they hold from hacking and to secure their other information assets.
Identify and critically assess the importance of the information classification process and other related issues.
Information is an important asset of every organisation; each part of the organisation needs information, and every department has some specific information to protect. For security reasons, therefore, the classification of information is important. Organisations usually classify their information into categories such as Secret, Confidential, Restricted, Unrestricted and Sensitive. The increasing need for companies to protect their customer and financial information is obvious. (Fowlar, 2003) The classification of information in financial companies has become important because the banking sector now relies on IT. Banks transfer money online, which is risky because of hacking, phishing, sniffing and similar techniques used by hackers. An important aspect of protecting critical electronic information is knowing what information needs to be protected, what doesn't, and who the authorised recipients are. Countless organisations stamp "Confidential" at the bottom of their documents; it says that everyone inside the organisation can access the document, but nobody outside. (Landwehr, 2007) This classification method helps to identify the organisation's important information, which in turn helps to protect it.
Another important and difficult part of information classification is defining very strict classification rules to ensure that there is no overlap between different information entities. If information overlaps, it leads to redundancy of data and function across the IT enterprise. (Nattygur, 2005)
Issues Related To Information Classification:
While performing these tasks, a bank faces many problems in reducing risk.
The first issue that arises is categorising information into different categories, such as public and confidential.
To divide the information, a review of all of it is necessary, so a responsible person is required. Sometimes companies hire information security consultants from outside the organisation, who may work for more than one organisation. This is a risk to the confidentiality of the information.
Risk in the classification of information depends on the risk factors of the information used by banks. Information that is more prone to threats is categorised at a higher level of security, and information at lower risk at a lower level. The classification of information depends on both its context and its content. For example, if John Smith has $100 in his account the information is not sensitive, but if he has $100,000 in his account the information becomes extremely sensitive. (Bayuk, 2009)
It becomes difficult for some organisations to create a flow chart depicting the nature of the classification because of the complexity of how the information is used.
Critically analyse the information Classification schemes and information classification management process.
An information classification scheme is a process for classifying information in the public and private sectors. An effective information classification scheme can be set up by defining the organisation's goal, which states what you want to do with the classified data. The classification scheme is developed to sort information into different categories, and the main purpose of classification is to secure the information used in the organisation. In financial organisations such as banks, the information used is known as bank information. (Rao et al., 2007) Banks need to take financial decisions that must remain confidential, so to protect this information the bank stores it under different modes of security. In banks, financial information is classified as account amounts, savings, deposit and loan values, ratios, call reports, and financial statements. (Rao et al., 2007) Classifying information in this way helps to protect customers. Organisations generally classify information into the following categories:
Secret- Secret information is accessible only to higher authorities.
Confidential- Confidential information is the customer's personal information held by the organisation.
Sensitive- The sensitive category includes data which can easily be damaged.
Restricted- Restricted information cannot be accessed without privileges.
Alternatively, information can be classified by a colour-coding scheme, by classes, or nation-wide. The classification schemes used in banks filter information and define it according to classes. These classes carry security labels governing who may access and use the information in different fields. The motive of financial organisations in using a classification scheme is to secure information from copying and to protect it from being damaged by intruders. Put another way, classifying information is what makes it confidential: if that is written at the bottom of a document, the information is highly sensitive, and the higher the sensitivity, the higher the required level of information security.
Information classification management process:
Information classification in financial organisations must be managed as a continuous process. Commercial banks need information under different classes. Most banks use e-banking for the transfer of information and money, and this process requires more security to protect information from hackers. Banks classify information and prioritise it into different categories according to the security requirements. For each system that enters, processes, stores, or transfers data that the bank has classified as "highly confidential", controls should be in place that are commensurate with the information they protect. The information classification process will assist bank management in focusing attention on priority areas first and pinpointing key areas of vulnerability. (Bonnette, 2002) For example, in a colour-coding scheme management classifies information according to its privacy. Management assigns different colours that represent how strongly a particular piece of information is secured: red is most secure, purple is intermediate, and green-coloured information can be accessed by any authorised user. Steps to classify information are given in Appendix-I.
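As an added illustration (not part of the original essay), the following Python module encodes a small classification scheme of the kind described above, including the context rule from the John Smith example: the same field, an account balance, is marked Confidential for a customer with $100 and Secret for a customer with $100,000. The levels, the $100,000 threshold, the colour mapping (green/purple/red), the "no read up" clearance check and the sample records are assumptions constructed for the example, not any real bank's policy.

```python
"""Context-aware information classification with a clearance check.

Added illustration, not from the original essay. The levels, the balance
threshold, the colour mapping and the sample records are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Sensitivity levels; a higher value means stricter handling."""
    UNRESTRICTED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Assumed colour-coding: green is readable by any authorised user,
# purple is intermediate, red is the most protected.
COLOUR = {
    Level.UNRESTRICTED: "green",
    Level.RESTRICTED: "green",
    Level.CONFIDENTIAL: "purple",
    Level.SECRET: "red",
}

# Assumed context rule: a balance at or above this makes the record
# extremely sensitive (the essay's $100 versus $100,000 illustration).
HIGH_VALUE_THRESHOLD = 100_000


@dataclass(frozen=True)
class Record:
    """One piece of bank information, with both content and context."""
    subject: str                  # what the record describes
    customer: Optional[str]       # None when the record is not about a person
    value: Optional[float]        # numeric content, if any
    public: bool = False          # published material (rates, opening hours)


def classify(rec: Record) -> Level:
    """Derive the level from content and context.

    The first matching rule wins, so for personal data the most
    restrictive applicable condition is checked first.
    """
    if rec.public:
        return Level.UNRESTRICTED
    if rec.customer is not None:
        # Any personal customer data is at least Confidential; a very high
        # balance escalates the same field to Secret (context rule).
        if rec.value is not None and rec.value >= HIGH_VALUE_THRESHOLD:
            return Level.SECRET
        return Level.CONFIDENTIAL
    # Internal but non-personal material: procedures, internal reports.
    return Level.RESTRICTED


def may_access(clearance: Level, rec: Record) -> bool:
    """No-read-up check: the reader's clearance must reach the record's level."""
    return clearance >= classify(rec)


def label(rec: Record) -> str:
    """The marking that would be stamped on the record, e.g. 'SECRET (red)'."""
    lvl = classify(rec)
    return f"{lvl.name} ({COLOUR[lvl]})"


if __name__ == "__main__":
    # Constructed sample records; not real customer data.
    samples = [
        Record("account balance", "john smith", 100.0),
        Record("account balance", "john smith", 100_000.0),
        Record("branch opening hours", None, None, public=True),
        Record("loan approval procedure", None, None),
    ]
    for r in samples:
        print(f"{r.subject:24} -> {label(r):22} "
              f"readable with CONFIDENTIAL clearance: {may_access(Level.CONFIDENTIAL, r)}")
```

The point of the rule ordering is that classification is decided by context as well as content: the record type alone does not fix the label, so the check that escalates a record must run before the generic rule for personal data.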
Demonstrate the needs for information risk management and the importance of adopting international information risk management standards.
Risk is the probability that a hazard will turn into a disaster. (Fairhurst, 2002) Risk is an unexpected event that causes damage to the organisation. Organisations use Information Risk Management (IRM) to identify, plan for, manage and reduce the risk factors facing the company. The basic need for risk management is to protect information assets and the goals of the organisation; it also helps to protect the organisation from internal and external threats. IRM is needed because:
Information risk management can readily track and find risk in the organisation.
IRM is required to protect the firm against market, credit, liquidity, operational, and legal risks. (IFRI)
Risk management provides transparency in business strategies.
Every organisation has some vital information to protect, and information risk management helps to protect it.
It removes risks from the business within a given time span.
IRM monitors risk throughout the life cycle of a running process and shows where risk lies before it causes any damage to information assets.
Risk management is used to make the most of the organisation's resources.
IRM protects the reputation of the business.
IRM also resolves the issues related to risks.
IRM helps in planning and decision-making processes as well.
Importance of adopting international standards of IRM:
International standards are widely used by finance companies to implement security. Many standards are available, but ISO/IEC 27001:2007 and BS7799 are the ones most commonly used in UK-based organisations. The main reasons for using these standards are to improve the quality of information and to reduce the risk factor. Both standards define a life cycle that includes risk management, risk analysis, risk evaluation, risk assessment and risk treatment steps for managing risk in the organisation.
If a bank adopts a standard, it increases its reliability in customers' eyes, which leads to more investment in the bank. It also provides a framework for handling security issues. International standards make organisations more aware of risks. In financial companies they increase investment and help the organisation grow to a great extent.
Demonstrate and critically explore the concepts of information risk management in the business context.
Business organisations dealing in finance face many risks relating to money, information loss, weak strategic plans and so on. Companies carrying such risks also suffer from delays in outcomes and processes, financial problems and disrupted operational work flow. To overcome these difficulties, companies make use of Information Risk Management, which is very beneficial for improving their financial strength.
Information risk management is used in every kind of organisation, whether business, IT or finance. A string of large and highly public corporate failures over the past 10 to 15 years has focused investors' and regulators' attention worldwide on the way in which company directors and managers are managing risk. Many companies have focused on value creation as a key goal. (ICA, 2002) Risk is managed in order to meet the business goals, and stakeholders, investors and other members of managing committees make sure that the best technique is used. IRM uses the following steps to manage risk in business:
In the first step, the risks in the company are identified and ranked, the highest threats first.
Selecting the risk management technique to avoid and eliminate the risks.
Defining controls to manage the risks.
Continuously monitoring the effectiveness of the risk management strategies.
Reviewing the techniques and improving the business from experience. (ICA, 2002)
The financial director is responsible for managing and regularly monitoring risks in the organisation. IRM helps in defining long-term strategies, reducing programming errors, making and planning projects, the operational outcomes of the organisation, and financial transactions. Risk exists at different levels: strategic, programme, project, operational and financial. Information risk management handles risk according to its severity for the business: IRM tracks the risk and then takes action according to different terminologies, mitigating, accepting, transferring, eliminating or reducing the risk according to its likelihood of occurrence.
In the UK, financial organisations use the CRAMM (CCTA Risk Analysis and Management Method) tool to protect the business from financial risk. (Sans, 2002)
Critically explore the different types of information risk management terminologies used and the types of assets.
Information is the key to doing things in the right way. In organisational terms, information is the processed form of data: companies gather data from different sources, called raw data, and then process it to derive the required information. To protect this processed information there is a need for risk assessment. Risk assessment is an examination of whether everything is going right and whether precautions need to be revised. To safeguard the organisation's information assets, risk treatment is necessary, and organisations use many tactics to control and manage risk. The risk management process is used to identify, analyse and prioritise risks according to their severity. Different types of terminology are available for protecting information; a terminology is a set of terms used to manage the organisation, designed according to the organisation's work flow. The terminologies in use today are:
Mitigation: The process of reducing new risks that have occurred in the organisation, or those that might occur and harm financial assets.
Accept: Under this terminology IRM allows the bank to take on risks that do not damage the company's assets.
Transfer: The risk is transferred to another party that handles risks for the bank.
Eliminate: This terminology is used to remove risks from the bank.
Risk owner: The risk owner is the person acknowledged by the financial organisation as the individual responsible for overseeing the risk. The risk owner identifies and assesses the risk to produce probability and impact information, and should develop risk mitigation and contingency plans and provide status data for the respective risk issues. (McNair, 2001)
Residual risk: Any exposure that remains after risk treatment or management terminologies have been applied.
Different types of assets: Information management is very valuable in the context of information protection and the protection of information assets. Information assets are another important aspect from the organisational point of view. There are different types of asset, tangible and intangible. In financial markets, tangible assets are also known as physical assets (Brigham and Houston, 2007, page 145); they include all the hardware equipment used in the organisation. Intangible assets include software, the information or data used in the company, policies, pricing details, business continuity plans, training material, risk analyses, and so on. IRM also uses different terminologies to handle risks.
Investigate the risk management principles in terms of organisations information security management and develop the information risk management strategy for organisation to effectively handle the issues.
IRM plays an important role for financial organisations such as the banking sector in diminishing risk. Different terminologies are used to save the company from risk, and every bank using information risk management has some principles or rules to follow. These principles are as follows:
Confidentiality- Banks keep customer information strictly confidential. They assure their customers that their information will be kept secret, and they also complete paperwork to that end for customers' satisfaction.
Integrity- This principle protects information from modification by unauthorised persons.
Availability- Information should be available whenever it is required in the bank.
Authentication- This ensures that both parties wanting to access information have the right to access it.
Information Risk Management (IRM) provides transparency between the bank and its customers to gain people's trust.
The bank's managing committee sets the priority for addressing information risks.
IRM minimises credit risk in most banks.
IRM deploys risk avoidance, risk transfer, risk reduction and risk assumption techniques for banks.
IRM develops many strategies for handling risk in banks, such as:
Risk Avoidance: Risk avoidance is similar to ignoring something altogether, but only risks that are not dangerous can be avoided in this way.
Risk Acceptance: The organisation accepts a risk when the losses are small but the profit from accepting it is higher. This does not mean that management is unaware of the risk's effect.
Risk Mitigation: The process of minimising the probability that a risk occurs.
Risk Transfer: The risk is transferred to another group of risk handlers to relieve the load of processing it. (Nikonov, 2009)
Risk Retention: The risk is retained at its current position until it is recovered from.
Risk Abatement: Used to reduce the risk to the organisation.
Risk Allocation: The organisation shares the risk with other parties if the risk becomes too high.
By using these strategies financial risks can be moderated. While developing strategies for a bank, IRM must understand the bank's financial behaviour and what types of risk can occur, in order to divide the bank's information into different levels of security. By developing strategies, organisations can reduce risks and improve the financial condition of banks.
In conclusion, information risk management has a vital role in organisations. It provides security for classified data using different techniques and works according to the principles and terminologies defined. The adoption of international standards also helps to secure information. IRM develops risk management strategies according to the occurrence of risks in organisations.
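The five IRM steps listed earlier (identify and rank, select a technique, define controls, monitor, review) and the treatment strategies just above can be tied together in a small risk register. The Python below is an added example, not part of the original essay or of any named standard or tool: the 1-5 likelihood and impact scales, the risk appetite of 4, the rules that map a score to accept, transfer, mitigate or eliminate, the five sample risks and the planned controls are all constructed assumptions. It also carries the residual risk that remains after a control is applied, which is what the monitoring step compares against appetite.

```python
"""Toy risk register walking through the IRM steps the essay lists.

Added illustration, not part of the original essay: the risks, the 1-5
scales, the appetite value, the treatment rules and the planned
controls are constructed assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

APPETITE = 4  # assumed: scores at or below this are accepted without action


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    owner: str               # the risk owner accountable for oversight
    control: Optional[str] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def score(self) -> int:
        """Inherent risk score = likelihood x impact."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        """Risk left after controls; equals the inherent score when untreated."""
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def rank(register: List[Risk]) -> List[Risk]:
    """Step 1: identify and rank, highest threats first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def choose_treatment(risk: Risk, appetite: int = APPETITE) -> str:
    """Step 2: select a treatment from likelihood and impact (assumed rules).

    accept     within appetite, no further action
    transfer   rare but severe, e.g. insured or contracted to a third party
    eliminate  almost certain and severe, remove the exposure altogether
    mitigate   everything else, reduce it with controls
    """
    if risk.score <= appetite:
        return "accept"
    if risk.likelihood <= 2 and risk.impact >= 4:
        return "transfer"
    if risk.likelihood >= 5 and risk.impact >= 5:
        return "eliminate"
    return "mitigate"


def apply_control(risk: Risk, control: str, new_likelihood: int, new_impact: int) -> Risk:
    """Step 3: record the control and the residual exposure it should leave."""
    risk.control = control
    risk.residual_likelihood = new_likelihood
    risk.residual_impact = new_impact
    return risk


def review(register: List[Risk], appetite: int = APPETITE) -> List[str]:
    """Steps 4-5: monitor residual scores and flag what is still above appetite."""
    return [r.name for r in register if r.residual_score > appetite]


def sample_register() -> List[Risk]:
    """Constructed example risks for a bank; not real findings."""
    return [
        Risk("Phishing of online banking customers", 4, 4, "Head of Digital"),
        Risk("Fire in primary data centre", 1, 5, "Head of Operations"),
        Risk("Unencrypted backup tapes shipped off-site", 3, 5, "CISO"),
        Risk("Branch printer outage", 4, 1, "Branch Manager"),
        Risk("Unsupported legacy core banking system", 5, 5, "CIO"),
    ]


# Assumed controls planned for the mitigated items: (control, new likelihood, new impact).
PLANNED_CONTROLS: Dict[str, Tuple[str, int, int]] = {
    "Phishing of online banking customers": ("MFA for logins plus customer awareness messaging", 2, 3),
    "Unencrypted backup tapes shipped off-site": ("Encrypt tapes before transport", 3, 1),
}


def run_cycle(register: List[Risk]) -> Dict[str, object]:
    """One pass through the process: ranking, chosen treatments and review flags."""
    ranked = rank(register)
    treatments = {r.name: choose_treatment(r) for r in ranked}
    for r in ranked:
        if treatments[r.name] == "mitigate" and r.name in PLANNED_CONTROLS:
            apply_control(r, *PLANNED_CONTROLS[r.name])
    return {"ranking": [r.name for r in ranked],
            "treatments": treatments,
            "still_above_appetite": review(ranked)}


if __name__ == "__main__":
    result = run_cycle(sample_register())
    for name in result["ranking"]:
        print(f"{result['treatments'][name]:9} {name}")
    print("Needs further action:", result["still_above_appetite"])
```

Note that the review step flags the data-centre fire even though a transfer was chosen: until the transfer (insurance, a contracted recovery site) is actually recorded as a control, the residual score is unchanged, which is exactly the kind of gap the monitoring and review steps exist to surface.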
I would like to recommend deploying Information Risk Management strategies in financial organisations, because financial information is open to threats and hackers are indeed always out to hack that information. And, most importantly, organisations must use international standards.