QCERT Unveils Risk Management Framework
Strong Governance Structure Needed to Support Strategy
Qatar CERT, under the Ministry of ICT, has rolled out an information risk management framework for enterprises as part of its national cybersecurity plan, which will be implemented with immediate effect. The objective is to help organizations identify information assets, map business risks and enhance the organization's tolerance for risks.
Security leaders believe the framework's effectiveness will depend upon the strong governance structure it can provide to establish ownership and control of the program within the enterprise and create a risk-free environment.
"The objective is to provide a platform to enable state agencies and organizations to identify, prioritize and manage information security risks and comply with the requirements of Qatar's National Information Assurance policy," says Zouheir Abdallah, senior risk specialist at QCERT.
"There is a need for CISOs to provide assurance to the management that critical information security risks are managed appropriately and let the staff understand the implications of risk exposures - for which a risk management framework is very essential," says Abdallah.
Since the framework has been developed under the cybersecurity program within the ministry of transport and communication, as a ready to use tool for enterprises, any organization can approach QCERT to access the framework.
"We are encouraging all organizations across sectors to leverage our framework if they do not have the resources to build one," says Abdallah.
The Need for a Framework
Qatar security experts say their top challenge is a lack of a systematic approach for managing risks within an organization, which results in an inability to identify the likelihood of a threat source.
"The typical risk management challenges within the enterprise lie in the approach taken to address them," says Ahmed Qurram Baig, founder of CISO Council of UAE. "Most information security risk teams work in isolation and have no direct interface with Enterprise Risk Management teams or executive management; hence, there's a huge gap in assessing risks."
Even in the absence of ERM teams, executive management is rarely involved in identifying business risks to information assets, leading to investing in programs or solutions that do not effectively help the business, Baig says.
"A uniform risk framework is essential to enable security teams to develop better business resilience and compliance and to manage the outsourcing of third-party risks," says Samir Pawaskar, head of Cybersecurity Policy and Standards, QCERT.
Ingredients of the Framework
Abdallah says the risk management framework has been customized for Qatar's needs, taking its ICT legal landscape into consideration.
"We have aligned the framework with the international standard for Information Security Risk Management, ISO/IEC 27005:2011," Abdallah says.
The ISRMF tool and templates were developed through an established process and reviewed by multiple stakeholders from across sectors within and outside the ministry. It incorporates five processes, including risk identification, risk assessment, risk treatment, risk communication and risk monitoring.
Pawaskar says the objective is to create a robust information security risk governance structure where the program head will define the scope and boundary, policy and procedure, steer the governance committee and define roles and responsibilities of the risk management team.
Baig maintains that Qatar's risk framework should be a good start to streamline and highlight the need for risk management in enterprises and create awareness among entities for prioritizing projects and addressing business risks.
"The extensive set of documents and templates should help facilitate risk management across entities with uniformity and eliminate any ambiguity," Baig says.
He cautions that the risk management mindset will evolve over a period of time and become a culture within the organizations only if supported by the executive management and governing bodies.
Abdallah says the framework and templates are written so that boards of directors can readily consume them even before deployment, putting the board in a position to gauge risks.
Executing the Framework
To begin with, the framework will enable state agencies and enterprises to conduct information security risk assessment periodically, as it complies with Qatar's information assurance policy, information classification policy, critical information infrastructure protection law, data privacy and cybercrime law.
Abdallah says that because the framework is also aligned with the enterprise risk management framework and the ISO 31000 standard, CISOs are provided with these templates to gain greater visibility into IS risks and opportunities; identify critical information assets; reduce the frequency and magnitude of IS incidents; make more informed decisions; drive business continuity planning; and demonstrate good corporate governance.
"The framework will help CISOs manage current and emerging threats and risks, which can be accomplished via several channels, but mainly through obtaining input/guidance from diverse sources, including intelligence agencies (for example, QCERT, Qatar national risk/threat indicators, Qatar government SOC, etc.)," Pawaskar says.
Baig says CISOs will have a big advantage with these guidance documents and templates and gain support from the management as it's provided by an official body - but there are also a few concerns.
"Entities who have a mature risk management framework already in place could find this challenging, unless these templates and guidance become minimum requirements allowing organizations to enhance it based on their business needs and maturity," he argues.
Baig suggests it is critical that the framework is interfaced with other standards by various industry bodies especially regarding risk classification and risk rating.
According to CERT, the framework can be used by any organization (internationally), after customizing it to their legal landscape.
Baig believes that the risk management leader requires various competencies.
"He must have good business understanding and be aware of the full 360-degree range of relevant business risks," he says. "He/she will also require analytical, negotiation, leadership and good communication skills."