Case Study
Harland Clarke Rechecks Risk Management
New security program adds more systematic processes for evaluating, prioritizing and mitigating risk
By Mary Brandel
Second, Harland Clarke works with Verizon Business (which acquired the company's managed security service provider, Cybertrust, in July 2007) to conduct annual and monthly vulnerability reviews of the entire enterprise, as well as its perimeter. Verizon reviews the controls that Harland Clarke has in place, identifies vulnerabilities, makes recommendations and audits the company's response to those recommendations. For instance, if the security office or executive management team determines that a vulnerability falls within the realm of acceptable risk, Verizon will review that decision and, if it disagrees, will recommend that Harland Clarke revisit the decision. "Risk isn't finite; it isn't a 'yes' or 'no,'" Petrie says. "It depends on what's acceptable to the business to operate."
Risk Matrix
The results of both the business impact analysis and the vulnerability review are then funneled into the development of an annual risk matrix, which combines 20 risk areas, such as malicious code, asset loss and fraud, that are presented to the executive management team. An overall risk score is assigned to each threat, based on whether it's an internal or external threat; its level of potential damage based on a scale of one to 10; and its probability of materializing. From this matrix, the security office determines what actions to take to mitigate risk, which are then approved by the executive management team.
For example, a zero-day worm might be issued a damage score of 7 or 8, Petrie says, and a probability score (assuming controls are in place) of 2 or 3. The risk factor would be determined by multiplying those two numbers and then factoring in other values, such as what it would cost to shut down the network, segregate the affected systems and apply a fix if the worm did penetrate.
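The scoring pass described above, worked through as an added example (this is illustrative code written for this page, not Harland Clarke's or Verizon's tooling). It keeps to what the article states: a damage score on a one-to-10 scale, a probability score assessed with controls in place, and a risk factor obtained by multiplying the two, with the response cost carried alongside for the executive team's acceptable-risk decision. The `response_cost` field, the use of the same 1..10 range for probability, the tie-breaking rule and the `accept_below` threshold are assumptions; the entries in `SAMPLE_MATRIX` are constructed, not the company's real scores.

```python
"""Risk-matrix scoring and prioritisation, constructed to illustrate the
damage x probability model described in the article."""
from dataclasses import dataclass
from typing import List, Tuple

# The article gives a one-to-10 damage scale; applying the same range to
# probability is an assumption made for this example.
SCALE_MIN, SCALE_MAX = 1, 10


@dataclass(frozen=True)
class RiskEntry:
    """One row of the annual risk matrix."""
    name: str
    external: bool       # internal vs. external threat (reported, not weighted here)
    damage: int          # potential damage, SCALE_MIN..SCALE_MAX
    probability: int     # probability of materialising, assessed with controls in place
    response_cost: int   # assumed field: cost to shut down, segregate and fix (arbitrary units)


def validate(entry: RiskEntry) -> None:
    """Reject scores outside the agreed scale so a typo cannot skew the ranking."""
    for label, value in (("damage", entry.damage), ("probability", entry.probability)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{entry.name}: {label}={value} is outside {SCALE_MIN}..{SCALE_MAX}")
    if entry.response_cost < 0:
        raise ValueError(f"{entry.name}: response_cost must not be negative")


def risk_score(entry: RiskEntry) -> int:
    """Risk factor as the article describes it: damage multiplied by probability."""
    validate(entry)
    return entry.damage * entry.probability


def prioritize(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Rank highest risk first; ties broken by the (assumed) response cost."""
    return sorted(entries, key=lambda e: (risk_score(e), e.response_cost), reverse=True)


def partition(entries: List[RiskEntry], accept_below: int) -> Tuple[List[RiskEntry], List[RiskEntry]]:
    """Split the ranked matrix into entries to mitigate and entries proposed as
    acceptable risk. The threshold is a business decision, so it is a parameter,
    not a constant baked into the model."""
    ranked = prioritize(entries)
    mitigate = [e for e in ranked if risk_score(e) >= accept_below]
    accept = [e for e in ranked if risk_score(e) < accept_below]
    return mitigate, accept


# Constructed sample matrix; the figures are invented for this example.
SAMPLE_MATRIX = [
    RiskEntry("Zero-day worm", external=True, damage=8, probability=3, response_cost=50),
    RiskEntry("Malicious code (known)", external=True, damage=6, probability=5, response_cost=10),
    RiskEntry("Asset loss", external=False, damage=5, probability=4, response_cost=20),
    RiskEntry("Fraud", external=False, damage=9, probability=2, response_cost=40),
]


if __name__ == "__main__":
    mitigate, accept = partition(SAMPLE_MATRIX, accept_below=20)
    print(f"{'Risk area':24} {'Origin':9} {'Dmg':>3} {'Prob':>4} {'Score':>5} {'Cost':>5}")
    for e in prioritize(SAMPLE_MATRIX):
        origin = "external" if e.external else "internal"
        print(f"{e.name:24} {origin:9} {e.damage:>3} {e.probability:>4} {risk_score(e):>5} {e.response_cost:>5}")
    print("Mitigate:", [e.name for e in mitigate])
    print("Proposed acceptable risk (subject to review):", [e.name for e in accept])
```

The split returned by `partition` is the input to the executive decision, not the decision itself: anything landing in the accept list is exactly what the article says the external reviewer re-examines, so the threshold and the accepted entries should be recorded with the matrix so that review and audit can trace them.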
"The risk matrix is a tool to help you assign a quantitative number to which you can then decide whether to assign resources and assets to mitigate risk," Petrie says. But because there's only so much capital you can spend, it's up to the executive management team to make the final decision on acceptable risk.
In the end, Petrie says, the company has been able to create an information security program that incorporates repeatable, measurable processes that can be audited and are linked into risk management and the business decision-making process. "Now, security is similar to any other line of business," Petrie says.
In fact, when the different areas of the business develop their annual key performance indicators, security is no different. "We're required to create KPIs and metrics that support those KPIs," Petrie says. Right now, there are eight KPIs associated with security, supported by 30 metrics that are regularly monitored to ensure the goals are being met. "If we don't meet the metrics within information security, that has an impact on our business goals," Petrie says.