Plan Operational Risk Management Procedures Correctly to Mitigate Risk from IT Systems
The “big data” “surveillance” brouhaha of June, 2013 illustrates an emerging problem with operational risk management procedures, and, specifically, IT audit and risk assessment. Mr. Snowden’s possession of a top secret security clearance is at the heart of the brouhaha. If Snowden had not possessed this level of security clearance, the argument goes, June would have come and gone smoothly. IT Audit and Risk Assessment procedures were faulty and provided the basis for this event to unfold.
We like this argument. We think it’s safe to say the security clearance review procedure failed to identify Mr. Snowden as a high risk candidate for approval. We hope this problem hits home with enterprise decision-makers wrestling with a need to get better performance from these reviews. If topics of inquiry, and the questions crafted to get useful answers from candidates are not framed correctly, then the results of even a thorough evaluation of candidates for clearance will likely be useless.
Perhaps it would be more useful if enterprise organizations in need of IT audit and risk assessment procedures conducted an internal threat assessment prior to formulating their procedures. This assessment would identify not only areas of dangerous exposure, but, as well, the specific business procedures (as well as the policies behind them) producing them. Once the specific procedures are identified, then the task of managing the exposures can be customized to fit the unique enterprise under examination. Our point is as follows: Highly differentiated enterprise organizations cannot afford to simply implement a “standard” risk assessment process for IT systems.
Our interest in this topic results from how the surveillance controversy has been publicized. Prominent writers have called into question some of the key components of security safeguards for enterprise IT computing (within the public sector). A favorite topic has been whether Mr. Snowden, as a contractor, should have been granted the privileges he enjoyed. Shouldn’t he have been an employee? And, further, as an employee wouldn’t he have been far less likely to veer off course?
We don’t think it really matters whether he was an employee of the NSA or a contractor. The real problem is the screening method, meaning the IT Risk Assessment procedures driving the credentialing effort for top security clearances. The method needs a substantial makeover.
© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved