InformationWeek's Great Ideas Weblog
Xerox's Path To Managing Information Risk


Posted by Audrey Pantas, Sep 15, 2008 02:54 PM

How do you manage information risk with 57,000 employees worldwide working in various business organizations supported by numerous third-party service suppliers?


How can compliance add business value, and not just be a "necessary evil"?

How can compliance assessment processes be streamlined to meet the ever-growing requirements?

As the director of information security and risk management for a $17 billion company, I wrestled with these and many other questions before we started automating our Information Security Risk Assessment (ISRA) processes. Here's why it's a great idea -- and some lessons we learned along the way.

Our new ISRA Compliance Tool integrates the results of Web-based checklists, vulnerability scans, and compliance scans performed against applications, databases, and servers. The result is a risk score that quantifies the risk status of the environment. The tool has moved us from subjective self-assessment in Excel workbooks to an objective, evidence-based assessment. The tool includes:
• Weighted questions and risk scores that account for the criticality of each application
• An approval process built into the tool's workflow
• An extensive knowledge base of mitigating controls and remediation alternatives
• Inspection and verification of results by Xerox IT Security

We're already seeing benefits in productivity, accuracy, completeness of assessments, and an enterprise-wide view of risk. But, honestly, it hasn't been without a lot of pain.

One of the first challenges we faced was convincing the corporation to invest in this change. We used our Lean Six Sigma processes and tools to identify and quantify the opportunities -- process simplification, increased data accuracy, and a fact-based approach for prioritizing remediation.

And, of course, we experienced the typical issues with developing and deploying a new application: scope creep, the need for better requirements and more rigorous user acceptance testing, and so on. But those issues were fairly easy to identify and correct compared with the softer issues, which center on people and processes.

Here are some of the key lessons learned that we took away from this experience:

Change: Don't underestimate the effort it takes to convince someone to change -- even if that change will benefit them. It took less time to develop the solution than it did to get people to adopt and embrace it. This was a global implementation, so that only added to the complexity. We actually had to announce a date that the old spreadsheet process would no longer be accepted in order to force people to use the new tool and process. We even gave them a reprieve on their compliance obligations during the transition in order to help them embrace the new system and process.

Accountability: We are very pleased with the business's acceptance of accountability for the remediation activities and residual risk. This project was a partnership with our business, not just an IT-driven mandate. I believe this was a result of two key activities: 1) we implemented new job functions for our Information Security Coordinators (ISeCs) that focus them on understanding the technical issues and then translating them into business terms -- this gives the business the information it needs to make intelligent business decisions; and 2) we require the business owner to "sign off" on the risk. It's amazing to see how people's awareness and concern are raised when they are required to formally sign something.

Metrics: We had to revamp all of our compliance metrics due to the automation and process changes. This took time and they needed to be easily understood and actionable by senior management. This definitely isn't as easy as it sounds. Try to classify risk in a simple red, yellow, or green rating. That is a very difficult thing to do, especially when everyone thinks they have to be "green" to be OK.
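To make the two pieces above concrete, here is an added illustration of how an ISRA-style score can be assembled: weighted checklist questions, findings from vulnerability and compliance scans, a multiplier for application criticality, a 0-100 risk score, the red/yellow/green rating management sees, and a roll-up into an enterprise view. This is example code, not Xerox's tool or model; every weight, severity point value, criticality multiplier, rating threshold and sample application below is an assumption chosen for the illustration.

```python
"""Illustrative ISRA-style risk scoring.

Added example, not Xerox's tool. All weights, severity points, criticality
multipliers, thresholds and sample applications are assumed values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Criticality(Enum):
    """Business criticality of an application; the value is a score multiplier (assumed)."""
    LOW = 1.0
    MEDIUM = 1.5
    HIGH = 2.0


@dataclass
class ChecklistAnswer:
    """One question from the Web-based control checklist."""
    question: str
    weight: int        # relative importance of the control, assumed 1-5 scale
    compliant: bool    # answer given by the application owner


@dataclass
class ScanFinding:
    """One result from a vulnerability or configuration-compliance scan."""
    source: str        # "vuln" or "compliance"
    severity: str      # "low" | "medium" | "high" | "critical"


SEVERITY_POINTS = {"low": 1, "medium": 3, "high": 7, "critical": 10}  # assumed
YELLOW_FROM = 25.0   # assumed thresholds on the 0-100 score
RED_FROM = 60.0


@dataclass
class Application:
    name: str
    criticality: Criticality
    checklist: list[ChecklistAnswer] = field(default_factory=list)
    findings: list[ScanFinding] = field(default_factory=list)


def checklist_gap(app: Application) -> float:
    """Weighted share (0-100) of checklist controls that are not in place.

    A failed high-weight control moves the score more than a failed low-weight one.
    """
    total = sum(a.weight for a in app.checklist)
    if total == 0:
        return 0.0
    failed = sum(a.weight for a in app.checklist if not a.compliant)
    return 100.0 * failed / total


def finding_points(app: Application) -> int:
    """Severity points summed over scan findings, capped at 100."""
    return min(100, sum(SEVERITY_POINTS[f.severity] for f in app.findings))


def risk_score(app: Application) -> float:
    """Average the two evidence sources, then scale by criticality and cap at 100.

    The multiplier is what makes the same defect score higher on a critical system.
    """
    raw = 0.5 * checklist_gap(app) + 0.5 * finding_points(app)
    return min(100.0, raw * app.criticality.value)


def rating(score: float) -> str:
    """Map a numeric score to the red/yellow/green rating senior management sees."""
    if score >= RED_FROM:
        return "red"
    if score >= YELLOW_FROM:
        return "yellow"
    return "green"


def enterprise_view(apps: list[Application]) -> dict[str, int]:
    """Count applications per rating: the roll-up that gives an enterprise view."""
    counts = {"green": 0, "yellow": 0, "red": 0}
    for app in apps:
        counts[rating(risk_score(app))] += 1
    return counts


# Constructed sample data for the illustration.
SAMPLE_APPS = [
    Application("payroll", Criticality.HIGH,
                [ChecklistAnswer("MFA enforced for admins", 5, True),
                 ChecklistAnswer("Patching within SLA", 4, False),
                 ChecklistAnswer("Central logging enabled", 3, True)],
                [ScanFinding("vuln", "high"), ScanFinding("compliance", "medium")]),
    Application("intranet-wiki", Criticality.LOW,
                [ChecklistAnswer("MFA enforced for admins", 5, True),
                 ChecklistAnswer("Patching within SLA", 4, True),
                 ChecklistAnswer("Central logging enabled", 3, False)],
                [ScanFinding("vuln", "low")]),
    Application("customer-db", Criticality.HIGH,
                [ChecklistAnswer("MFA enforced for admins", 5, False),
                 ChecklistAnswer("Patching within SLA", 4, False),
                 ChecklistAnswer("Central logging enabled", 3, False)],
                [ScanFinding("vuln", "critical"), ScanFinding("vuln", "high")]),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        s = risk_score(app)
        print(f"{app.name:14} {s:6.1f} {rating(s)}")
    print(enterprise_view(SAMPLE_APPS))
```

Two design points matter for the "everyone has to be green" problem the post raises. First, the criticality multiplier is applied after the evidence is combined, so a single missed patching control on the high-criticality payroll system lands in yellow while a comparable gap on a low-criticality wiki stays green; the rating reflects business exposure, not just the count of defects. Second, the thresholds are explicit constants, so the conversation with management can be about where the yellow and red lines sit rather than about the arithmetic.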

Process vs. results: We still have a ways to go to get people to understand that information security isn't just completing the ISRA process with a beginning and an end, but instead a continuous cycle of monitoring, assessment, and remediation that is striving for well-controlled environments that maintain business-acceptable levels of residual risk. We are still looking forward to the day when people want to go through the ISRA process because they see the business value in doing it, instead of because they have to just to comply with the organization's policies.

I would be very interested to hear your story and, of course, I have more questions: How is information security compliance handled in your organization? How successful have you been in helping your organization understand the business value of compliance? What have been some of your challenges and your "great ideas" in this space?

Audrey Pantas is Chief Information Risk Officer at Xerox. Comment below on Xerox's Information Security Risk Assessment processes.
