After joining the company in 2007, Satyam Das, the associate vice president of risk management, realized that the existing risk assessment method did not provide long-term value. "The manual-only risk management processes were proving to be unmaintainable. Risk assessments were more like form-filling exercises that the business used to abhor and the IT team didn't understand too well."
Around the same time, AXA declared a strategic group-wide initiative encouraging all geographical entities to adopt an automated and a more objective approach to risk assessment. This automated information risk management (IRM) application, which automated the entire process from risk identification to remediation, was developed by a sister concern, AXA Group Solutions, which offers IT-related services to the AXA Group.
The IRM application works on a methodology known as Fundamental Information Risk Management (FIRM). "It helps to enhance the view of information risks from the narrower view which prevails among IT staff to one that is more broad-based and cohesive to include business leaders, top management and auditors," informs Das. FIRM includes a measurement flow, plus an action flow for communicating where improvement is required. This information is drawn together and presented to top management so as to enable them to understand the security condition of the enterprise and decide what action is needed to improve it. FIRM focuses on identifying risk in three primary areas: business information (records, documents, databases, files, paper records, etc.); the use of this information; and the supporting IT facilities (systems, communication networks and applications).
The IRM application defines the baseline risk profile for every information asset using a Harm Reference Table (HRT). The HRT helps to define the nature of the impact on these assets of financial loss, degraded performance, loss of management control, reputation damage, impaired growth opportunities and other owner-defined risks. The impacts are then graded in one of five levels from 'no serious harm' to 'extremely serious harm.' Das says that the risk to any information asset is assessed across five parameters—criticality, level of threat, business impact, control weaknesses and any other special circumstances applicable to that information resource.
Following the above methods, once a risk evaluation is completed, individual weaknesses can be recorded as issues, each with a unique reference. "The action owners can record remedial actions needed to fix weaknesses identified by evaluations. Thus, issues can be linked to the action item(s) needed to resolve them, closing the loop from identification to remediation," explains Das.
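As an added illustration of the workflow described above (this is example code, not the AXA IRM application, whose internals the article does not describe), the following Python sketch models an asset's HRT baseline, an evaluation across the five parameters, and the issue-to-action loop in which an issue closes only when every linked remedial action is done. The five harm levels, the five parameters, the impact types and the issue/action linkage come from the text; the intermediate level names, the scoring rule (a plain sum of 1..5 grades), the owner-level report and the reference formats ISS-0001/ACT-0001 are assumptions made for illustration.

```python
"""Illustrative FIRM-style risk register. Added example; not AXA's or AXA Group
Solutions' code. Scoring rule, level names and reference formats are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Harm(IntEnum):
    """Five-level HRT grading, from 'no serious harm' to 'extremely serious harm'.
    The three middle names are assumed; the article names only the two endpoints."""
    NO_SERIOUS = 1
    MINOR = 2
    MODERATE = 3
    SERIOUS = 4
    EXTREMELY_SERIOUS = 5


# Impact types from the article's Harm Reference Table (HRT).
IMPACT_TYPES = ("financial_loss", "degraded_performance", "loss_of_control",
                "reputation_damage", "impaired_growth", "other")
# The five assessment parameters named in the article, each graded 1..5 (assumption).
PARAMETERS = ("criticality", "threat", "business_impact",
              "control_weakness", "special_circumstances")


@dataclass
class Asset:
    name: str
    owner: str
    hrt: dict  # impact type -> Harm; this is the asset's baseline risk profile

    def baseline(self) -> Harm:
        """Worst graded impact sets the baseline (assumption: max, not a sum)."""
        return max(self.hrt.values(), default=Harm.NO_SERIOUS)


@dataclass
class Action:
    ref: str
    owner: str
    description: str
    done: bool = False


@dataclass
class Issue:
    ref: str
    asset: str
    description: str
    actions: list = field(default_factory=list)

    def is_resolved(self) -> bool:
        """Closed loop: at least one remedial action recorded and all of them done."""
        return bool(self.actions) and all(a.done for a in self.actions)


class RiskRegister:
    def __init__(self):
        self.assets, self.issues, self._actions = {}, {}, {}

    def add_asset(self, asset: Asset) -> None:
        unknown = set(asset.hrt) - set(IMPACT_TYPES)
        if unknown:
            raise ValueError(f"unknown impact types: {sorted(unknown)}")
        self.assets[asset.name] = asset

    def evaluate(self, asset_name: str, **grades) -> int:
        """Score one evaluation across the five parameters (assumed: sum, max 25)."""
        if asset_name not in self.assets:
            raise KeyError(asset_name)
        if set(grades) != set(PARAMETERS):
            raise ValueError("evaluation must grade exactly the five parameters")
        if any(not 1 <= g <= 5 for g in grades.values()):
            raise ValueError("grades must be in 1..5")
        return sum(grades.values())

    def record_issue(self, asset_name: str, description: str) -> Issue:
        """Record a weakness as an issue with a unique reference (format assumed)."""
        if asset_name not in self.assets:
            raise KeyError(asset_name)
        issue = Issue(f"ISS-{len(self.issues) + 1:04d}", asset_name, description)
        self.issues[issue.ref] = issue
        return issue

    def add_action(self, issue_ref: str, owner: str, description: str) -> Action:
        """Link a remedial action, owned by an action owner, to an existing issue."""
        action = Action(f"ACT-{len(self._actions) + 1:04d}", owner, description)
        self._actions[action.ref] = action
        self.issues[issue_ref].actions.append(action)
        return action

    def complete_action(self, action_ref: str) -> None:
        self._actions[action_ref].done = True

    def open_issues(self) -> list:
        return [i.ref for i in self.issues.values() if not i.is_resolved()]

    def report_by_owner(self) -> dict:
        """Owner-level view: asset count, open issues and worst baseline per owner."""
        out = {}
        for a in self.assets.values():
            e = out.setdefault(a.owner, {"assets": 0, "open_issues": 0,
                                         "worst_baseline": Harm.NO_SERIOUS})
            e["assets"] += 1
            e["worst_baseline"] = max(e["worst_baseline"], a.baseline())
        for i in self.issues.values():
            if not i.is_resolved():
                out[self.assets[i.asset].owner]["open_issues"] += 1
        return out
```

Usage: add assets with their HRT grades, call `evaluate` per assessment, record any weakness found with `record_issue`, attach actions with `add_action`, and mark them done with `complete_action`; `open_issues` and `report_by_owner` then give the owner-level view the article says the application reports on. The `is_resolved` rule deliberately treats an issue with no recorded action as open, so a weakness cannot silently drop out of the register without someone owning its remediation.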
The company implemented the application between 2008 and 2009. During the deployment, the infosec team also organized facilitation sessions for business users to gather their inputs on the automated risk assessment and to test the accuracy of the results. According to Das, the biggest challenge in implementing this application was remote user training. "There was a lot of self-learning involved for the IT team. Since the potential issues were not known in advance, it led to delays in the deployment schedule." Another challenge was to manage the change among business users because this was a completely new exercise for them.
Das says the most significant benefits of this project are the ability to maintain an information risk database, provide a single consolidated risk view of the infrastructure, and provide pertinent reporting at the owner, company and group level. It has also increased productivity, and decreased the turnaround time taken by members to complete risk evaluations for information assets.