Managing Information Risks
Threats, Vulnerabilities, and Responses
William Saffady
ROWMAN & LITTLEFIELD
Lanham Boulder New York London
Published by Rowman & Littlefield
An imprint of The Rowman & Littlefield Publishing Group, Inc.
4501 Forbes Boulevard, Suite 200, Lanham, Maryland 20706
www.rowman.com
6 Tinworth Street, London SE11 5AL, United Kingdom
Copyright 2020 by The Rowman & Littlefield Publishing Group, Inc.
All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from the publisher, except by a reviewer who may quote passages in a review.
British Library Cataloguing in Publication Information Available
Library of Congress Cataloging-in-Publication Data
Names: Saffady, William, 1944- author.
Title: Managing information risks : threats, vulnerabilities, and responses / William Saffady.
Description: Lanham : Rowman & Littlefield, 2020. | Includes bibliographical references and index. | Summary: "Written by one of the foremost records and information management leaders in the world, this book provides a clear explanation and analysis of the fundamental principles associated with information risk, which is broadly defined as a combination of threats, vulnerabilities, and consequences related to use of an organization's information assets." Provided by publisher.
Identifiers: LCCN 2020000882 (print) | LCCN 2020000883 (ebook) | ISBN 9781538135488 (cloth) | ISBN 9781538135495 (paperback) | ISBN 9781538135501 (epub)
Subjects: LCSH: Data protection. | Computer security. | Records Management. | Database management. | Risk management.
Classification: LCC HF5548.37 .S24 2020 (print) | LCC HF5548.37 (ebook) | DDC 658.4/038 dc23
LC record available at https://lccn.loc.gov/2020000882
LC ebook record available at https://lccn.loc.gov/2020000883
The paper used in this publication meets the minimum requirements of American National Standard for Information Sciences - Permanence of Paper for Printed Library Materials, ANSI/NISO Z39.48-1992.
Preface
Information risk is an important topic at the nexus of risk management and information governance, two disciplines with closely aligned objectives. Risk management is responsible for identifying, analyzing, and controlling threats to an organization's assets. Information governance supports this responsibility by developing effective strategies, policies, and initiatives to identify, assess, and address risks associated with an organization's information assets. The two disciplines have a complementary relationship, and they must work together to fulfill their responsibilities.
This book is intended for risk managers, information governance specialists, compliance officers, attorneys, records managers, data scientists, archivists, librarians, and other decision-makers, managers, and analysts who are involved in or need to be aware of risk management initiatives related to their organization's information assets. The book can also be used as a textbook by colleges and universities that offer courses in risk management, information governance, or related topics at the graduate or advanced undergraduate level. In particular, the book may be useful for a curriculum that combines risk management with records management, knowledge management, information science, health informatics, information system design, data protection, and other information-related subjects.
Google Trends, a website that analyzes the popularity of Google searches, shows a steady level of worldwide search activity over the past five years for the phrase "information risk," with most of the searches originating in the United States and United Kingdom. The level of search activity is higher and the range of geographic interest is broader for the terms "information" and "risk" searched together in a Boolean expression rather than as a phrase. For the same period, a Google Scholar search for the phrase "information risk" retrieved approximately 11,500 citations, while a search of the two terms in a Boolean expression retrieved over 1.3 million citations.
Google search results suggest that information risk is strongly associated with information technology in general and cybersecurity in particular, but information risk is not limited to computer data. It encompasses organizational information assets of any type in any format, including paper and photographic records as well as digital content stored on premises or by cloud service providers. Reflecting this broader view, this book discusses risks related to creation, collection, storage, retention, retrieval, disclosure, and ownership of information in organizations of all types and sizes. Chapter 1 provides an introduction to risk terms and concepts that are essential for understanding, assessing, and controlling information risk. Taking a taxonomic approach, the remaining chapters identify and categorize threats and discuss vulnerabilities and risk responses related to the following topics:
Chapter 2 deals with risks associated with creation and collection of information, including failure to collect information required by laws and regulations; unauthorized collection of personal information; illegal collection of nonpublic information; creation or collection of information with objectionable, defamatory, or private content; and creation or collection of poor-quality information.
Chapter 3 discusses loss of information due to natural disasters, malicious human actions, accidents, and fire.
Chapter 4 identifies risks associated with retention and destruction of information, including noncompliance with laws and regulations that require retention, preservation, or destruction of information; retaining information longer than necessary; destroying information that needs to be kept; and media instability and obsolescence problems that affect the usability of information.
Chapter 5 discusses risks associated with information retrieval and disclosure, including retrieval failures, metadata mining, noncompliance with laws and regulations that mandate information disclosure, failure to prevent unauthorized disclosure of information, prohibitions on cross-border transfer of information, and noncompliance with data breach notification laws.
Chapter 6 deals with risks associated with ownership of information, including infringement of intellectual property rights, the impact of the work-for-hire doctrine, loss of ownership of trade secrets, and data portability laws and regulations that affect ownership of personal information.
Each chapter begins with a brief overview that summarizes key risks related to the topic at hand, followed by a detailed explanation of each threat, an assessment of vulnerabilities that the threat can exploit, and a review of available options to address the threat and its associated vulnerabilities. Chapters 2 through 6 are self-contained and can be read in any order, but reference is occasionally made to related points that are discussed in other chapters.
Individual chapters include extensive endnotes that cite publications to support specific points and provide suggestions for further reading about risk-related topics. Some endnotes also include comments or additional details about matters discussed in the text. Links are provided to the full text of cited publications if they are available via a reliable website that is likely to be accessible for the foreseeable future. Otherwise, a digital object identifier (DOI) or other persistent identifier is cited for a given publication where available.