Secure Operations in High-Risk Jurisdictions
Security assessments often omit jurisdictional risks. Are your assets exposed?
Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.
Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.
Secure operations and protect critical assets in high-risk regions
Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:
- Support high-risk travel: Put measures and guidelines in place to protect personnel, data, and devices before, during, and after employee travel.
- Mitigate compliance risk: Consider data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth.
Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.
Workshop: Secure Operations in High-Risk Jurisdictions
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Identify Context for Risk Assessment
The Purpose
Assess business requirements and evaluate security pressures to set the context for the security risk assessment.
Key Benefits Achieved
- Understand the goals of the organization in high-risk jurisdictions.
- Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.
Activities
Outputs
Determine assessment scope.
Determine business goals.
Determine compliance obligations.
Determine risk appetite.
- Business requirements
Conduct pressure analysis.
- Security pressure analysis
Module 2: Analyze Key Risk Scenarios for High-Risk Jurisdictions
The Purpose
Build key risk scenarios for high-risk jurisdictions.
Key Benefits Achieved
- Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.
- Assess risk exposure of critical assets in high-risk jurisdictions.
Activities
Outputs
Identify critical assets.
Identify threats.
Assess risk likelihood.
Assess risk impact.
- Key risk scenarios
- Jurisdictional risk exposure
- Jurisdictional Risk Register and Heat Map
Module 3: Build Risk Treatment Roadmap
The Purpose
Prioritize and treat jurisdictional risks to critical assets.
Key Benefits Achieved
- Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.
Activities
Outputs
Identify and assess risk response.
Assess residual risks.
Identify security controls.
Build initiative roadmap.
- Action plan to mitigate key risk scenarios
Secure Operations in High-Risk Jurisdictions
Assessments often omit jurisdictional risks. Are your assets exposed?
EXECUTIVE BRIEF
Analyst Perspective
Operations in high-risk jurisdictions face unique security scenarios.
Michel Hébert
Research Director
Security and Privacy
Info-Tech Research Group
Alan Tang
Principal Research Director
Security and Privacy
Info-Tech Research Group
Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.
Executive Summary
Your Challenge
- Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
- Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.
Common Obstacles
- Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
- Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.
Info-Tech’s Approach
Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.
This approach includes tools for:
- Evaluating the security context of your organization’s high-risk jurisdictions.
- Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
- Planning and executing a response.
Info-Tech Insight
Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.
Business operations in high-risk jurisdictions face a more complex security landscape
Information security risks to business operations vary widely by region.
The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.
Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.
Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.
Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further
The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.
The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.
The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:
- 33% had no data protection legislation.
- 47% had no breach notification measures in place.
- 50% had no legislation on the theft of personal information.
- 19% still had no legislation on illegal access.
Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.
The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)
Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.
Securing critical assets in high-risk jurisdictions requires additional effort
Traditional approaches to security strategy may miss these key risk scenarios.
As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.
Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.
- Engage the organization with the right questions.
- Identify critical assets and assess vulnerabilities.
- Catalogue threats and build risk scenarios.
- Identify the security controls necessary to mitigate risks.
Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.
This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.
Key Risk Scenarios
- High-Risk Travel
- Compliance Risk
- Insider Threat
- Advanced Persistent Threat
- Commercial Surveillance
Travel risk is the first scenario we use as an example throughout the blueprint
- This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
- Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
- Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.
The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.
Before you leave
- Identify high-risk countries.
- Enable controls.
- Limit what you pack.
During your trip
- Assume you are monitored.
- Limit access to systems.
- Prevent theft.
When you return
- Change your password.
- Restore your devices.
Compliance risk is the second scenario we use as an example
- Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
- Later sections will show how to think through at least four compliance risks, including:
- Cross-border data transfer
- Third-party risk management
- Data breach notification
- Data residency
The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.
Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology
|
1. Identify Context |
2. Assess Risks |
3. Execute Response |
|
|---|---|---|---|
|
Phase Steps |
|
|
|
|
Phase Outcomes |
|
|
|
Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Business Security Requirements
Identify the context for the global security risk assessment, including risk appetite and risk tolerance.
Jurisdictional Risk Register and Heatmap
Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.
Mitigation Plan
Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.
Key deliverable:
Jurisdictional Risk Register and Heatmap
Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.
Blueprint benefits
Protect critical assets in high-risk jurisdictions
IT Benefits
Assess and remediate information security risk to critical assets in high-risk jurisdictions.
Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.
Illustrate key information security risk scenarios to make the case for action in terms the business understands.
Business Benefits
Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.
Support business growth in high-risk jurisdictions without compromising critical assets.
Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.
Quantify the impact of securing global operations
The tool included with this blueprint can help you measure the impact of implementing the research
- Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.
Establish Baseline Metrics
- Review existing information security and risk management metrics and the output of the tools included with the blueprint.
- Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
- Compare your results with those in your overall security and risk management program.
|
ID |
Metric |
Why is this metric valuable? |
How do I calculate it? |
|---|---|---|---|
|
1. |
Overall Exposure – High-Risk Jurisdictions |
Illustrates the overall exposure of critical assets in high-risk jurisdictions. |
Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average. |
|
2. |
# Risks Identified – High-Risk Jurisdictions |
Informs risk tolerance assessments. |
Use the Jurisdictional Risk Register and Heatmap Tool. |
|
3. |
# Risks Treated – High-Risk Jurisdictions |
Informs residual risk assessments. |
Use the Jurisdictional Risk Register and Heatmap Tool. |
|
4. |
Mitigation Cost – High-Risk Jurisdictions |
Informs cost-benefit analysis to determine program effectiveness. |
Use the Jurisdictional Risk Register and Heatmap Tool. |
|
5. |
# Security Incidents – High-Risk Jurisdictions |
Informs incident trend calculations to determine program effectiveness. |
Draw the information from your service desk or IT service management tool. |
| 6. |
Incident Remediation Cost – High-Risk Jurisdictions |
Informs cost-benefit analysis to determine program effectiveness. |
Estimate based on cost and effort, including direct and indirect cost such as business disruptions, administrative finds, reputational damage, etc. |
|
7. |
TRENDS: Program Effectiveness – High-Risk Jurisdictions |
# of security incidents over time. Remediation : Mitigation costs over time |
Calculate based on metrics 5 to 7. |
Info-Tech offers various levels of support to best suit your needs.
DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
Diagnostics and consistent frameworks are used throughout all four options.
Guided Implementation
What does a typical GI on this topic look like?
Phase 1
Call #1: Scope project requirements, determine assessment scope, and discuss challenges.
Phase 2
Call #2: Conduct initial risk assessment and determine risk tolerance.
Call #3: Evaluate security pressures in high-risk jurisdictions.
Call #4: Identify risks in high-risk jurisdictions.
Call #5: Assess risk exposure.
Phase 3
Call #6: Treat security risks in high-risk jurisdictions.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.
Workshop Overview
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889
|
Days 1 |
Days 2-3 |
Day 4 |
Day 5 |
|
|---|---|---|---|---|
|
Identify Context |
Key Risk Scenarios |
Build Roadmap |
Next Steps and Wrap-Up (offsite) |
|
|
Activities |
1.1.1 Determine assessment scope. 1.1.2 Determine business goals. 1.1.3 Identify compliance obligations. 1.2.1 Determine risk appetite. 1.2.2 Conduct pressure analysis. |
2.1.1 Identify assets. 2.1.2 Identify threats. 2.2.1 Assess risk likelihood. 2.2.2 Assess risk impact. |
3.1.1 Identify and assess risk response. 3.1.2 Assess residual risks. 3.2.1 Identify security controls. 3.2.2 Build initiative roadmap. |
5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. |
|
Deliverables |
|
|
|
|
No safe jurisdictions
Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.
Traditional approaches to security strategy often omit jurisdictional risks.
Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.
The two greatest risks are high-risk travel and compliance risk.
You can mitigate them with small adjustments to your security program.
Support High-Risk Travel
When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.
Mitigate Compliance Risk
Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.
Phase 1
Identify Context
This phase will walk you through the following activities:
- Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
- Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.
This phase involves the following participants:
- Business stakeholders
- IT leadership
- Security team
- Risk and Compliance
Step 1.1
Assess Business Requirements
Activities
1.1.1 Determine assessment scope
1.1.2 Identify enterprise goals in high-risk jurisdictions
1.1.3 Identify compliance obligations
This step involves the following participants:
- Business stakeholders
- IT leadership
- Security team
- Risk and Compliance
Outcomes of this step
- Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
You Get:
- A risk mitigation plan built on deep security insights and the latest best practices.
- A practical roadmap for security initiatives and controls to mitigate global risks to critical assets.
- Detailed security risk assessment tools.
- Easy-to-use templates to address key security risk scenarios.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 3-phase advisory process. You'll receive 6 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Identify context
- Call 1: Scope project requirements, determine assessment scope, and discuss challenges.
Guided Implementation 2: Assess security risks to critical assets
- Call 1: Conduct initial risk assessment and determine risk tolerance.
- Call 2: Evaluate security pressures in high-risk jurisdictions.
- Call 3: Identify risks in high-risk jurisdictions.
- Call 4: Assess risk exposure.
Guided Implementation 3: Execute response
- Call 1: Treat security risks in high-risk jurisdictions.
Contributors
- Ken Muir, CISO, LMC Security
- Scott Wiggins, Information Risk and Governance, CDPHP
- Premchand Kurup, CEO, Paramount Computer Systems
- Preeti Dhawan, Manager, Security Governance, Payments Canada
- Fritz Y. Jean Louis, CISO, Globe and Mail
- Eric Gervais, CIO, Ovivo Water
- David Morrish, CEO, MBS Techservices
- Evan Garland, Manager, IT Security, Camosun College
- Jacopo Fumagalli, CISO, Axpo
- Dennis Leon, Governance and Security Manager, CPA Canada
- Tero Lehtinen, CIO, Planmeca Oy
Design and Implement a Business-Aligned Security Program
Build an Information Security Strategy
Secure Operations in High-Risk Jurisdictions
Develop a Security Awareness and Training Program That Empowers End Users
Build, Optimize, and Present a Risk-Based Security Budget
Hire or Develop a World-Class CISO
Fast Track Your GDPR Compliance Efforts
Build a Cloud Security Strategy
Identify the Components of Your Cloud Security Architecture
Security Priorities 2022
2020 Security Priorities Report
Manage Third-Party Service Security Outsourcing
Select a Security Outsourcing Partner
Improve Security Governance With a Security Steering Committee
The First 100 Days as CISO
Determine Your Zero Trust Readiness
Cost-Optimize Your Security Budget
Threat Preparedness Using MITRE ATT&CK®
Build a Zero Trust Roadmap
Security Priorities 2023
Security Priorities 2024
