Clive Gee

Clive Gee, Ph.D., one of IBM's most experienced SOA governance practitioners, recently retired from his post as an Executive Consultant in the SOA Advanced Technologies group. He has worked in IT for more than 30 years, during the last few of which he led many SOA implementation and governance engagements for major clients all around the world, helping them to cope with the complexities of successfully transitioning to SOA. He now lives in Shetland, United Kingdom, but travels widely and does freelance consulting, especially in the area of SOA governance.


SOA and Information Risk Management

Published: December 07, 2010 • SOA Magazine Issue XLV


A company's information assets have become more valuable over time as we continue to evolve into a knowledge-based economy. Protecting these assets has become an industry unto itself. What started as IT security -- keeping the "bad guys" out of our networks -- has become full-blown risk management as the business implications of compromised information assets have been realized.

SOA magnifies the risks associated with information assets by exposing those assets more readily to a broad audience. While this is beneficial to business operations, it is cause for greater concern for security and risk management professionals. It is critical that the SOA governance team partners with risk management teams to assess the risks that are brought about or intensified by SOA. Organizations new to SOA may have sophisticated risk management policies and practices but often do not fully recognize the implications of SOA. It is therefore necessary that the SOA governance team plays a role in educating and informing those responsible for risk management. Should an organization not have an existing team with risk management responsibilities, the SOA governance team may even be forced to take on those duties itself.

While a full discussion of risk management is beyond the scope of this chapter, we will introduce and explore a number of topics (Figure 1) and concepts that should be considered as part of a holistic information governance strategy.

Figure 1 – Managing risk requires an understanding of vulnerabilities, threats, probability of risk manifestation, and the impact should a risk be realized.

Risk is defined as the possibility of an event occurring that will have negative consequences or undesired results. Risk management is the process of identifying, assessing, analyzing, and making decisions regarding how to best deal with risks. To manage risk we must understand:

  • What is vulnerable?
  • What are the threats?
  • What is the probability of a threat manifesting?
  • What is the impact should the threat be realized?

Decisions are ultimately made to avoid, accept, mitigate, or transfer the risk. Risk management practitioners must weigh the potential cost to the company should the risk be realized against the cost of managing the risk and the associated opportunity costs.

Managing information-related risks is a business problem rather than merely an IT problem. It's not just about erecting firewalls, snuffing out viruses, and encrypting confidential data. The focus today is on the risks presented based on the type of information that can be compromised and its value to the business. Therefore, companies these days are taking an information-centric approach to security and risk management.

Vulnerabilities and Threats

The information-related vulnerabilities within, and threats to, an organization are numerous. SOA increases the vulnerabilities and introduces new potential threats that should be considered. Services unlock information that has long been locked away in closed systems and make it potentially available throughout the enterprise and into its ecosystem. Without proper safeguards in place, information is at risk of being exposed to unauthorized parties through a lack of proper controls and even criminal activity. The business benefits of readily and broadly sharing information can quickly be undone should the wrong information be compromised.

Part of a risk assessment should include capturing and cataloging the types of information that are vulnerable to attack and the potential threats against them. Once the threats are cataloged they can be assessed and classified according to probability of occurrence and potential impact. This analysis can help you formulate a strategy and provide cost/benefit decision support for managing the risk. Following are some types of information and associated activities that should be considered when assessing information risk vulnerabilities:

  • Intellectual property (IP) -- Intangible creations over which an owner has been granted exclusive rights under intellectual property law. Such intangibles could be artistic or commercial, but for our purposes we are generally interested in commercial intellectual property such as copyrights, trademarks, patents, and trade secrets. Depending on the nature of a company's business, IP can represent a firm's most valuable assets or at least those that significantly influence its competitive position.
  • Regulatory Compliance -- Ensuring that the organization complies with relevant laws and regulations (or weighing the penalty imposed if caught against the cost of implementing controls). This is a Herculean task, particularly for a global corporation, and requires strong SOA governance to ensure that common services are compliant. The number of information-related standards, laws, and regulations internationally is staggering. For example, in the United States, there is the Sarbanes-Oxley Act governing accurate financial reporting and the Health Insurance Portability and Accountability Act (HIPAA) governing, among other things, the security and privacy of personal health data. In the United Kingdom, there is the Data Protection Act 1998 seeking to safeguard personally identifiable information. The Payment Card Industry (PCI) data security global standard is a set of controls designed to ensure the integrity of credit card and other electronic payment transactions. Violating such regulations can result in significant fines, sanctions, and lost business opportunities.
  • Business Relationships -- Information is at the heart of business-to-business and business-to-customer relationships in today's economy. Companies must safeguard customers' personal and financial data. They must securely and cost-effectively exchange information with business partners.

Types of threats to consider include:

  • Natural threats -- hurricanes, floods, earthquakes, etc.
  • Environmental threats -- power failures, water damage, pollution, etc.
  • Human threats -- industrial espionage, virus infection, denial-of-service attacks, etc.

Managing the Risk

When the probability and impact of a risk are high enough, the usual desire is to avoid or mitigate the risk. Over the past several years, this has given rise to organizational structures, governance frameworks, and best practices aimed at effectively managing information-related risks. In this section, we will take a look at several information risk management concerns, at frameworks and processes that can help manage the risk, and at the organizational entities that define and execute the governance strategy. The governance function must consider how and where to use these capabilities to successfully manage information risk.

Information Risk Management Concerns

The following are several concerns that should be considered or addressed when establishing an information risk management initiative (the first of these, together with Integrity and Availability below, make up the "C.I.A. Triad"):

  • Confidentiality - Ensuring that information is accessible only to those authorized to access it.
  • Identification - Identifying a user based on a set of credentials.
  • Authentication - Validation of the identified user's credentials.
  • Authorization - Determining what an authenticated user has permission to access.
  • Non-repudiation - Ensuring the identification of the sender of a message and preventing the sender from denying authorship.
  • Auditing - Tracking, logging, and reporting the activities of users on a system.
  • Integrity - Safeguarding the accuracy and completeness of information and processing methods.
  • Availability - Ensuring that authorized users have access to information and associated assets when required.
  • Physical and Environmental Protection - All information systems are ultimately underpinned by physical hardware and networks that must be secured and otherwise safeguarded against a variety of threats. Considerations include facility intrusion detection and prevention, multi-factor facility access control such as the requirement of an ID badge plus fingerprint scanning, and waterproof hardware encasing.
  • Systems Development and Operations - The most well-publicized threats are realized due to flaws in the development and operations of software-based systems. Hackers, purveyors of malware, and even internal employees (intentionally or unintentionally) can pose the greatest threats to an organization's information assets without coming near its physical installations. Considerations in preventing the misuse of such systems include:
      • Software Quality - Ensure that software developers are well-versed in the quality and security concerns of their development platform and environment, and that a testing program is part of the development process.
      • Software Development Life Cycle - Patching software is a way of life and virtually no deployed software package remains at version 1.0 through decommissioning. It is important that defects are rectified quickly and maintenance patches applied, particularly those that address security concerns. Yet software patches themselves often introduce new defects and must be thoroughly tested before application.

Information Risk Management Practices and Frameworks

The following are a number of practices and frameworks that should be considered when addressing information risk management concerns.

Data Security Classification - Classifying data is one of the primary means of establishing the level of risk management rigor to apply. In business, a security classification scheme may consist of the following levels: Public, Sensitive, Confidential, and Private. In the government sector, classifications may include: Unclassified, Classified, Secret, and Top Secret. For example, the medical history of a patient is governed by HIPAA regulations, and the consequences of violating that law can substantially impact a company. Therefore, the company classifies patient medical history data as Private, which requires the greatest level of control and protection. The extent to which data are safeguarded is determined largely by the security classification model. Other forms of data typically classified as requiring more stringent controls include, but are not limited to:

  • Personally Identifiable Information (PII) - such as a U.S. Social Security Number
  • Corporate Affairs Information - such as that related to mergers and acquisitions
  • Financial Instruments - such as credit card and bank account numbers

One way of ensuring information confidentiality is by encrypting data. Encryption is the process of transforming data into a form that is unreadable and unusable, and that can only be decrypted by an authorized party who holds the cryptographic key. This is a particularly effective way of managing confidentiality risk where access controls can be compromised, such as when messages are transmitted over public networks. Data can be encrypted at rest, in motion, or both, depending upon the security classification of the data.
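As an added illustration of the classification-driven approach above (example code written for this page, not the article's or IBM's), the following check derives the controls a service must declare from the highest classification of the data it exposes, tightening the in-transit encryption requirement when the service is exposed beyond the enterprise. The classification ladder, the data-type mapping, the control names and the sample registry entries are all assumptions constructed for illustration.

```python
# Added example (not the article's or IBM's code): derive the controls a service must
# implement from the classification of the data it exposes. Mappings are assumptions.
from dataclasses import dataclass, field

LEVELS = ["Public", "Sensitive", "Confidential", "Private"]  # least to most sensitive

# Assumed data-type mapping; the article names PII, corporate affairs information
# and financial instruments as typically needing stricter controls.
DATA_TYPE_LEVEL = {
    "marketing_copy": "Public",
    "internal_memo": "Sensitive",
    "merger_plans": "Confidential",   # corporate affairs information
    "ssn": "Private",                 # personally identifiable information
    "medical_history": "Private",     # HIPAA-governed patient data
}

# Assumed minimum controls per level; encryption at rest/in motion only where warranted.
REQUIRED = {
    "Public": set(),
    "Sensitive": {"authn", "audit"},
    "Confidential": {"authn", "authz", "audit", "encrypt_in_transit"},
    "Private": {"authn", "authz", "audit", "encrypt_in_transit", "encrypt_at_rest"},
}

@dataclass
class Service:                 # one constructed service-registry entry
    name: str
    data_types: list
    exposure: str              # "internal", "partner" or "public"
    controls: set = field(default_factory=set)

def classify(service):
    """Highest level among exposed data types; unknown types count as Private (fail-safe)."""
    levels = [DATA_TYPE_LEVEL.get(t, "Private") for t in service.data_types]
    return max(levels, key=LEVELS.index) if levels else "Public"

def required_controls(service):
    level = classify(service)
    needed = set(REQUIRED[level])
    if service.exposure != "internal" and level != "Public":
        needed.add("encrypt_in_transit")  # non-Public data leaving the enterprise network
    return needed

def control_gaps(service):
    """Required controls the service does not declare, sorted for stable output."""
    return sorted(required_controls(service) - service.controls)

def audit_catalog(catalog):
    """Map each non-compliant service name to its missing controls."""
    return {s.name: control_gaps(s) for s in catalog if control_gaps(s)}

# Constructed sample registry (not real services); audit_catalog(CATALOG) flags two of them.
CATALOG = [
    Service("ProductCatalog", ["marketing_copy"], "public", {"audit"}),
    Service("PatientRecords", ["medical_history", "ssn"], "partner", {"authn", "authz", "audit", "encrypt_in_transit"}),
    Service("DealRoom", ["merger_plans"], "internal", {"authn", "authz", "audit"}),
]
```

Running `audit_catalog(CATALOG)` reports PatientRecords as missing encryption at rest and DealRoom as missing encryption in transit, while the Public-only ProductCatalog passes.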

Defining and installing processes for establishing controls via a policy and compliance framework is a necessary part of information risk management. Such a framework includes:

  • Administrative Controls - Definition and maintenance of policies, procedures, standards, and guidelines that govern information risk concerns.
  • Operational Controls - Implementation and enforcement of the administrative controls.
  • Audit Controls - Assurance of compliance with administrative controls and effectiveness of operational controls.
  • Business Continuity and Disaster Recovery - Ensuring the continued operation of a business in the event of power outages, natural disasters, or other such disruptions is the goal of business continuity programs. Disaster recovery is the part of business continuity planning that focuses on reviving and sustaining critical business operations quickly in the face of catastrophic events, such as weather-related disasters or terrorist attacks. Common components of a business continuity plan include data-center redundancy, off-site backups, uninterruptible power supplies, and provisions for setting up a secure virtual office.
  • Security Incident Management - Monitoring and detecting security events can prevent or significantly minimize damage should a threat be realized. This is the goal of a security incident management system. Incidents are raised to a service desk, which quickly assesses the nature of the incident and escalates to appropriate personnel as required. Both manual incidents, such as unauthorized facility access, and automated incidents, such as detection of a computer virus, can be managed through the service desk. A well-defined incident management system is key to systematically dealing with threats as they manifest.
  • Asset Management - All assets should be accounted for, properly protected, and assigned to accountable and responsible parties. This is the goal of asset management. Assets are inventoried and assessed against governance directives and controls to ensure compliance. Non-compliant assets are brought into compliance or replaced as required. Parties that are deemed accountable and responsible for assets must define, document, and communicate the appropriate usage of assets throughout their life cycle.
  • Control Objectives for Information and related Technology (COBIT) -- COBIT is a set of processes, measurements, and practices that aim to assist organizations in establishing information technology-related controls. It covers four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. Adopting a generally accepted framework such as COBIT can help organizations quickly establish measures of control without reinventing the wheel.
  • ISO/IEC 27002:2005 -- ISO 27002 is an information security standard published by the International Organization for Standardization. It provides guidance on 11 main topics, including most of those discussed in this section.

Organizational Structures

Once we understand the concerns of information risk management and the practices required to address them, we must ensure that the organizational structures needed to execute those practices are in place.

As with most large-scale initiatives, an organization's board of directors and executive management must support and fund the risk management organization. They must ensure that risk management policies and procedures align to overall goals and strategies.

In large organizations it may make sense to establish officer-level roles such as a Chief Risk Officer and Chief Information Security Officer. These positions are responsible for translating business goals and strategies into aligned risk management and security policies and procedures, establishing organizational teams to define and implement them, and championing risk management efforts throughout the firm. They may report to the CEO, CFO, or CIO and otherwise partner with peers to align risk management with other domains.

A steering committee may be appropriate to ensure representation from various lines of business. Members of such a committee can assist in identification of risks and provide valuable input into the assessment and management of risks that may be particular to their domain.

Other key roles include specialists such as risk management professionals, systems auditors, and security architects and engineers. Individuals in these roles help define, implement, and maintain the standards, procedures, and systems required to carry out risk management strategies and policies. A number of professional certifications are respected within this field including the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), and the Certified Information Security Manager (CISM).

Common functions of the information risk management organization include auditing, administering physical security technologies, creating and maintaining the business continuity plan, responding to and investigating incidents, training and otherwise educating stakeholders, administering user credentials, and administering security systems and networks.

One final organizational concern that SOA governance must address is ensuring that risks are managed as employees and contractors enter, transfer within, and exit the organization. Personnel are usually granted rights on a "need-to-know" basis. They must be fully informed of security policies and procedures, of their responsibilities and compliance obligations, and of the consequences of non-compliance. Confidentiality and non-disclosure agreements are often appropriate. As employees change roles or their relationship with the firm is severed, information access control privileges must be re-evaluated and appropriate action taken.