Get Instant Access
to This Blueprint

Security icon

Secure Operations in High-Risk Jurisdictions

Security assessments often omit jurisdictional risks. Are your assets exposed?

Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.

Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.

Secure operations and protect critical assets in high-risk regions

Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:

  1. Support high-risk travel: Put measures and guidelines in place to protect personnel, data, and devices before, during, and after employee travel.
  2. Mitigate compliance risk: Consider data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth.

Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.


Secure Operations in High-Risk Jurisdictions Research & Tools

1. Secure Operations in High-Risk Jurisdictions – A step-by-step approach to mitigating jurisdictional security and privacy risks.

Traditional approaches to security strategy often miss jurisdictional risks. Use this storyboard to make small adjustments to your security program to mitigate security risks in high-risk jurisdictions.

2. Jurisdictional Risk Register and Heat Map Tool – A tool to inventory, assess, and treat jurisdictional risks.

Use this tool to track jurisdictional risks, assess the exposure of critical assets, and identify mitigation controls. Use the geographic heatmap to communicate inherent jurisdictional risk with key stakeholders.

3. Guidelines for Key Jurisdictional Risk Scenarios – Two structured templates to help you develop guidelines for two key jurisdictional risk scenarios: high-risk travel and compliance risk

Use these two templates to develop help you develop your own guidelines for key jurisdictional risk scenarios. The guidelines address high-risk travel and compliance risk.


Workshop: Secure Operations in High-Risk Jurisdictions

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Identify Context for Risk Assessment

The Purpose

Assess business requirements and evaluate security pressures to set the context for the security risk assessment.

Key Benefits Achieved

  • Understand the goals of the organization in high-risk jurisdictions.
  • Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.

Activities

Outputs

1.1

Determine assessment scope.

1.2

Determine business goals.

1.3

Determine compliance obligations.

1.4

Determine risk appetite.

  • Business requirements
1.5

Conduct pressure analysis.

  • Security pressure analysis

Module 2: Analyze Key Risk Scenarios for High-Risk Jurisdictions

The Purpose

Build key risk scenarios for high-risk jurisdictions.

Key Benefits Achieved

  • Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.
  • Assess risk exposure of critical assets in high-risk jurisdictions.

Activities

Outputs

2.1

Identify critical assets.

2.2

Identify threats.

2.3

Assess risk likelihood.

2.4

Assess risk impact.

  • Key risk scenarios
  • Jurisdictional risk exposure
  • Jurisdictional Risk Register and Heat Map

Module 3: Build Risk Treatment Roadmap

The Purpose

Prioritize and treat jurisdictional risks to critical assets.

Key Benefits Achieved

  • Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.

Activities

Outputs

3.1

Identify and assess risk response.

3.2

Assess residual risks.

3.3

Identify security controls.

3.4

Build initiative roadmap.

  • Action plan to mitigate key risk scenarios

Secure Operations in High-Risk Jurisdictions

Assessments often omit jurisdictional risks. Are your assets exposed?

EXECUTIVE BRIEF

Analyst Perspective

Operations in high-risk jurisdictions face unique security scenarios.

The image contains a picture of Michel Hebert.

Michel Hébert

Research Director

Security and Privacy

Info-Tech Research Group


The image contains a picture of Alan Tang.

Alan Tang

Principal Research Director

Security and Privacy

Info-Tech Research Group


Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

Executive Summary

Your Challenge

  • Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
  • Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

Common Obstacles

  • Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
  • Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

Info-Tech’s Approach

Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

This approach includes tools for:

  • Evaluating the security context of your organization’s high-risk jurisdictions.
  • Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
  • Planning and executing a response.

Info-Tech Insight

Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

Business operations in high-risk jurisdictions face a more complex security landscape

Information security risks to business operations vary widely by region.

The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on higher security-related business risks.

Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

  • 33% had no data protection legislation.
  • 47% had no breach notification measures in place.
  • 50% had no legislation on the theft of personal information.
  • 19% still had no legislation on illegal access.

Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on scores in relation to the Global Security Index.

The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

Securing critical assets in high-risk jurisdictions requires additional effort

Traditional approaches to security strategy may miss these key risk scenarios.

As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

  • Engage the organization with the right questions.
  • Identify critical assets and assess vulnerabilities.
  • Catalogue threats and build risk scenarios.
  • Identify the security controls necessary to mitigate risks.

Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

Key Risk Scenarios

  • High-Risk Travel
  • Compliance Risk
  • Insider Threat
  • Advanced Persistent Threat
  • Commercial Surveillance
The image contains a screenshot of an Info-Tech thought model regarding secure global operations in high-risk jurisdictions.

Travel risk is the first scenario we use as an example throughout the blueprint

  • This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
  • Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
  • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

Before you leave

  • Identify high-risk countries.
  • Enable controls.
  • Limit what you pack.

During your trip

  • Assume you are monitored.
  • Limit access to systems.
  • Prevent theft.

When you return

  • Change your password.
  • Restore your devices.

Compliance risk is the second scenario we use as an example

  • Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
  • Later sections will show how to think through at least four compliance risks, including:
    • Cross-border data transfer
    • Third-party risk management
    • Data breach notification
    • Data residency

The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

1. Identify Context

2. Assess Risks

3. Execute Response

Phase Steps

  1. Assess business requirements
  2. Evaluate security pressures
  1. Identify risks
  2. Assess risk exposure
  1. Treat security risks
  2. Build initiative roadmap

Phase Outcomes

  • Internal security pressures that capture the governance, policies, practices, and risk tolerance of the organization
  • External security pressures that capture the expectations of customers, regulators, legislators, and business partners
  • A heatmap that captures not only the global exposure of your critical assets but also the business processes they support
  • A security risk register to allow for the easy transfer of critical assets’ global security risk data to your organization’s enterprise risk management practice
  • A roadmap of prioritized initiatives to apply relevant controls and secure global assets
  • A set of key risk indicators to monitor and report your progress

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Business Security Requirements

Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

Jurisdictional Risk Register and Heatmap

Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

Mitigation Plan

Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

Key deliverable:

Jurisdictional Risk Register and Heatmap

Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

Blueprint benefits

Protect critical assets in high-risk jurisdictions

IT Benefits

Assess and remediate information security risk to critical assets in high-risk jurisdictions.

Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

Illustrate key information security risk scenarios to make the case for action in terms the business understands.

Business Benefits

Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

Support business growth in high-risk jurisdictions without compromising critical assets.

Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

Quantify the impact of securing global operations

The tool included with this blueprint can help you measure the impact of implementing the research

  • Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.
The image contains a screenshot of Info-Tech's Jurisdictional Risk Register and Heatmap Tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

Establish Baseline Metrics

  • Review existing information security and risk management metrics and the output of the tools included with the blueprint.
  • Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
  • Compare your results with those in your overall security and risk management program.

ID

Metric

Why is this metric valuable?

How do I calculate it?

1.

Overall Exposure – High-Risk Jurisdictions

Illustrates the overall exposure of critical assets in high-risk jurisdictions.

Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average.

2.

# Risks Identified – High-Risk Jurisdictions

Informs risk tolerance assessments.

Use the Jurisdictional Risk Register and Heatmap Tool.

3.

# Risks Treated – High-Risk Jurisdictions

Informs residual risk assessments.

Use the Jurisdictional Risk Register and Heatmap Tool.

4.

Mitigation Cost – High-Risk Jurisdictions

Informs cost-benefit analysis to determine program effectiveness.

Use the Jurisdictional Risk Register and Heatmap Tool.

5.

# Security Incidents – High-Risk Jurisdictions

Informs incident trend calculations to determine program effectiveness.

Draw the information from your service desk or IT service management tool.

6.

Incident Remediation Cost – High-Risk Jurisdictions

Informs cost-benefit analysis to determine program effectiveness.

Estimate based on cost and effort, including direct and indirect cost such as business disruptions, administrative finds, reputational damage, etc.

7.

TRENDS: Program Effectiveness – High-Risk Jurisdictions

# of security incidents over time. Remediation : Mitigation costs over time

Calculate based on metrics 5 to 7.

Info-Tech offers various levels of support to best suit your needs.

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Guided Implementation

What does a typical GI on this topic look like?

Phase 1

Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

Phase 2

Call #2: Conduct initial risk assessment and determine risk tolerance.

Call #3: Evaluate security pressures in high-risk jurisdictions.

Call #4: Identify risks in high-risk jurisdictions.

Call #5: Assess risk exposure.

Phase 3

Call #6: Treat security risks in high-risk jurisdictions.

A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

Workshop Overview

Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Days 1

Days 2-3

Day 4

Day 5

Identify Context

Key Risk Scenarios

Build Roadmap

Next Steps and Wrap-Up (offsite)

Activities

1.1.1 Determine assessment scope.

1.1.2 Determine business goals.

1.1.3 Identify compliance obligations.

1.2.1 Determine risk appetite.

1.2.2 Conduct pressure analysis.

2.1.1 Identify assets.

2.1.2 Identify threats.

2.2.1 Assess risk likelihood.

2.2.2 Assess risk impact.

3.1.1 Identify and assess risk response.

3.1.2 Assess residual risks.

3.2.1 Identify security controls.

3.2.2 Build initiative roadmap.

5.1 Complete in-progress deliverables from previous four days.

5.2 Set up review time for workshop deliverables and to discuss next steps.

Deliverables

  1. Business requirements for security risk assessment
  2. Identification of high-risk jurisdictions
  3. Security threat landscape for high-risk jurisdictions
  1. Inventory of relevant threats, critical assets, and their vulnerabilities
  2. Assessment of adverse effects should threat agents exploit vulnerabilities
  3. Risk register with key risk scenarios and heatmap of high-risk jurisdictions
  1. Action plan to mitigate key risk scenarios
  2. Investment and implementation roadmap
  1. Completed information security risk assessment for two key risk scenarios
  2. Risk mitigation roadmap

No safe jurisdictions

Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

Traditional approaches to security strategy often omit jurisdictional risks.

Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

The two greatest risks are high-risk travel and compliance risk.

You can mitigate them with small adjustments to your security program.

Support High-Risk Travel

When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

Mitigate Compliance Risk

Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

Phase 1

Identify Context

This phase will walk you through the following activities:

  • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
  • Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

This phase involves the following participants:

  • Business stakeholders
  • IT leadership
  • Security team
  • Risk and Compliance

Step 1.1

Assess Business Requirements

Activities

1.1.1 Determine assessment scope

1.1.2 Identify enterprise goals in high-risk jurisdictions

1.1.3 Identify compliance obligations

This step involves the following participants:

  • Business stakeholders
  • IT leadership
  • Security team
  • Risk and Compliance

Outcomes of this step

  • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

Security assessments often omit jurisdictional risks. Are your assets exposed?

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

You Get:

  • A risk mitigation plan built on deep security insights and the latest best practices.
  • A practical roadmap for security initiatives and controls to mitigate global risks to critical assets.
  • Detailed security risk assessment tools.
  • Easy-to-use templates to address key security risk scenarios.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 6 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Identify context
  • Call 1: Scope project requirements, determine assessment scope, and discuss challenges.

Guided Implementation 2: Assess security risks to critical assets
  • Call 1: Conduct initial risk assessment and determine risk tolerance.
  • Call 2: Evaluate security pressures in high-risk jurisdictions.
  • Call 3: Identify risks in high-risk jurisdictions.
  • Call 4: Assess risk exposure.

Guided Implementation 3: Execute response
  • Call 1: Treat security risks in high-risk jurisdictions.

Authors

Michel Hebert

Alan Tang

Contributors

  • Ken Muir, CISO, LMC Security
  • Scott Wiggins, Information Risk and Governance, CDPHP
  • Premchand Kurup, CEO, Paramount Computer Systems
  • Preeti Dhawan, Manager, Security Governance, Payments Canada
  • Fritz Y. Jean Louis, CISO, Globe and Mail
  • Eric Gervais, CIO, Ovivo Water
  • David Morrish, CEO, MBS Techservices
  • Evan Garland, Manager, IT Security, Camosun College
  • Jacopo Fumagalli, CISO, Axpo
  • Dennis Leon, Governance and Security Manager, CPA Canada
  • Tero Lehtinen, CIO, Planmeca Oy
Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019