Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing of a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioners may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017by
What’s your municipal organization’s most valuable asset?
The correct answer is information, but you wouldn’t know it by observing the casual, haphazard manner in which information is managed in many county and municipal operations. Information is often the least valued and least understood asset in local government organizations.
Tangible assets such as buildings and equipment are insured and can be replaced with relative ease. If your data vanishes, you may never be able to replace it. A breach of confidential information can never be made right and your organization’s reputation will be tarnished for years to come. Litigation that results from poor information management can cripple your organization, and the cost of discovery alone often forces organizations to settle.
The core problem
Does your municipal organization have a formal information governance (IG) program?
Most municipal entities don’t have IG programs and consequently lack institutional, enterprisewide understanding of their information assets. The root of the problem is a dearth of leadership in information management that starts with senior executives and elected officials. In many cases, there are departmental managers who do understand their own information universes, but those individuals rarely carry enough clout to influence the decision-making processes at the enterprise level.
“Jeff, hold the phone! We already have a records management program and a CIO. We’re on top of this.”
Information governance isn’t records management, although records management is a subset of IG. Robert Smallwood provides an excellent definition of information governance: “Security, control and optimization of information.”[i] He takes it a step further and writes “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”[ii] These two statements sound simple, but if you ponder their meanings a bit, they have enormous implications not only for information management in your organization, but for the way in which your entire organization is managed.
The role of the municipal CIO
In my experience, municipal IT operations are often poorly aligned with the business divisions they support and silos are an endemic problem in such organizations. I don’t want to paint with too broad a brush because there are plenty of CIOs who do understand their organizations’ business and information requirements. However, in municipal government, such people are rare.
While the title chief information officer implies a deep understanding of information, many municipal CIOs function more as technology directors and sometimes they more closely resemble purchasing managers or other roles. Since there is no universal definition of a CIO’s role, it is not reasonable to expect that they all come to their job with a clear understanding of information governance. Moreover, municipalities can have several dozen lines of business, each with its own set of complex regulatory requirements, so asking your CIO to be a Master of the Universe may be asking too much.
The solution: What IG can do for your organization
If you don’t have an IG program, I encourage you to start one. I am talking about creating an ecumenical view of your organization’s information assets and aligning that view with your business requirements at every level of your organization. Establishing such a program will allow you to build a superstructure that includes the following:
- Enterprise information management and strategic planning: auditing, risk management, records retention, metadata standardization, storage, FOIA, defensible deletion, eradication of silos and more.
- Enterprise information security (infosec) and cybersecurity: Develop policies, processes and procedures for security that are aligned with your organization’s risks and requirements. Create a culture of security in your organization. Vastly decrease security risks.
- IT service management (ITSM): Improve IT services by aligning them with the organization’s business requirements as determined by the IG committee. IT governance is often treated in county and municipal government as if it is somehow separate, but IT may be more productive if it is treated as a component of an overarching information governance program.
The IG committee
I am not a proponent of management by committee, but in a county or municipal setting with many lines of business, an information governance committee is appropriate not only to oversee information policies and procedures, but to provide guidance and oversight for IT operations as well. The makeup of your municipal IG committee will resemble the following:
- An executive sponsor: Preferably the county executive, city manager or similar role.
- An elected official: A county commissioner, city council member, etc. The primary governing board must be key part of IG team.
- The municipal attorney.
- A human resources official.
- An IT professional.
- A risk management specialist.
- A records management staffer.
- Representatives from other key departments, potentially including law enforcement, corrections, nursing home services, public health, mental health, social services the county recorder, etc.
References and resources
Following are links to some resources for more information about developing an IG program.
ARMA International, a not-for-profit association for professionals specializing in governing information as a strategic asset.
Information Governance Initiative, a forum for information governance professionals.
AIIM, a nonprofit membership organization for information professionals.
Institute for Information Governance, a provider of training in the fields of information governance and electronic records management.
EDRM, a provider of resources related to e-discovery and information governance. Part of the Duke Law Center for Judicial Studies.
“Defining the Differences Between Information Governance, IT Governance and Data Governance,” by Robert Smallwood, Aug. 18, 2014. Retrieved April 17, 2017, from the AIIM website.
Information Governance for Executives, by Robert Smallwood. Bacchus Business Books, 2016.
[i] Smallwood, Robert. Information Governance for Executives, 2016
[ii] Smallwood, Robert. “Defining the Differences Between Information Governance, IT Governance and Data Governance,” 2014
This article first appeared on CIO.com at http://www.cio.com/article/3192530/security/information-governance-for-counties-and-municipalities.html
© Copyright Jeffrey Morgan, 2017by