Chris Sullivan, Courion's vice president of customer solutions, recently posted a blog entry about risk management. In it he quotes Warren Buffett, the world's richest man and undisputed king of practical risk management who once said, "Risk comes from not knowing what you're doing."
Chris Sullivan, Courion's vice president of customer solutions, recently posted a blog entry about risk management. In it he quotes Warren Buffett, the world's richest man and undisputed king of practical risk management who once said, "Risk comes from not knowing what you're doing."
While that's a bit trite for my taste it is, nevertheless, worth remembering. Just as long as you know that the converse isn't true: knowing what you're doing does not remove the risk. Knowing what you're doing can help mitigate, or alleviate, the risk but it rarely removes all of the risk. Still, it's important enough that we could say the first rule of risk management is: Know what you are doing.
If you know, for example, that you are loading people's names, ID numbers (Social Security, national health, credit card and so on) and other information as clear text to a laptop computer (or, probably worse, to a memory stick) then logically you should realize that the risk of releasing that data into the wild is very great. That would be rule No. 2: Know the risk involved with what you are doing.
Once you are aware of the risk involved you would -- hopefully -- take steps to reduce the risk such as encrypting the data or, even better, not taking it outside of the firewall. There's rule No. 3: Take steps to remove as much risk as possible.
As Sullivan says about the Buffett quote: "How simple is that? You can have all of the risk management frameworks that the big four can sell you but if you don't know who has access to what, you can't assure access, can't manage risk and you can't assert compliance to virtually any regulations. Hell, you don't even know what access to remove when someone leaves your company."
It's not rocket science, and it can be very simple as long as you remember the three rules:
1. Know what you are doing.
2. Know the risk involved.
3. Remove as much risk as possible.
Obviously, there's a lot more to risk management than that but by simply following those three simple rules many, if not most, data breaches and leaks of the past few years could have been avoided.
UPDATE: Last week I mentioned the new functionality of Oracle's ESSO client. Now a little bird tells me that this is little more than a re-branding of Passlogix' v-GO On Demand Edition. So you have a choice.