“Risk comes from not knowing what you’re doing.”
- Risk Management is the most important instrument for Information Security Governance
- It provides a framework for assessment and successful management of risks, a job usually poorly done or even neglected completely by a surprisingly large number of organizations today
- Risk management allows companies to devise and implement economically viable risk counter-measures
All activities involve risks, which are in turn a function of threats, vulnerabilities and impact. Properly identifying weaknesses and assessing the associated risks is essential.
There’s a wide spectrum of methods used for Risk Management today. For the most part, these methods consist of the following elements, performed, more or less, in the following order:
- Identify, list assets
- Identify, characterize threats
- Assess vulnerability of critical assets to specific threats
- Determine the risk (likelihood & consequences)
- Identify ways to reduce risks
- Prioritize measures based on a strategy
In ideal Risk Management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.
In practice the process of assessing overall risk is complex. On one hand, we have to consider the resources spent mitigating risks with a high probability of occurrence but lower loss. On the other, we have the resources spent mitigating risks with high loss but lower probability of occurrence. Balancing between these two is often mishandled.
INFORMATION SECURITY RISK MANAGEMENT
THE CHOICES FOR ADDRESSING ASSESSED RISKS
ACCEPTANCE - sometimes it is cheaper to leave an asset unprotected against a specific risk than to spend the money required to protect it.
Acceptance cannot be done without considering the risk itself and all options possible.
MITIGATION - involves deciding on implementation of countermeasures aimed at lowering the risk to an acceptable level (as illustrated with the algorithm below).
One should keep in mind that it is not possible to mitigate the risk entirely.
TRANSFERENCE - this is usually referred to as the “insurance scenario”: a conscious decision to hire an external company to assume the risk in return for remuneration.
Transference of risk is also achieved through outsourcing, which brings its own risks.
AVOIDANCE - when risks discovered are high or extreme and cannot be easily mitigated, avoiding the risk (and the project altogether) may be the best option. The math here is simple: if you stand to lose more from mitigating the risk than you will earn from the project, then avoidance is the way to go.
WHY DO IT?
THE BUSINESS CASE FOR RISK MANAGEMENT
Risk Management is at the heart of Information Security, because it provides an important instrument to balance and rationalize countermeasure expense with business success and expected Return On Investment (ROI).
When opting for one of the choices for dealing with risks, one has to take into account something called the Annualized Loss Expectancy (ALE), which is the monetary loss that can be expected for an asset due to a risk over a one-year period. ALE is derived from the Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO) and can be used to directly analyse cost vs. benefit.
Regarding Risk Management, if spending on threat countermeasures is considerably higher than that risk's ALE, then it may not be worth the investment. Or, in other words, one must evaluate the positive impact countermeasures will have on ROI by making sure the expense is not larger than the ALE.
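As an added worked example (not part of the original page), the ALE arithmetic above applied to a small constructed risk register: each risk's ALE is computed from SLE and ARO, risks are ordered by ALE as the prioritization section describes, and a proposed countermeasure is kept only if the annual loss it removes exceeds its annual cost. All asset names, loss figures and control costs are constructed for illustration; the residual SLE/ARO fields are an assumption about how a control's effect is estimated, and only the mitigate-or-accept choice is modelled, since transference and avoidance need pricing the text does not give.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    """One row of a quantitative risk register (all values below are constructed)."""
    asset: str
    threat: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annualized Rate of Occurrence: expected occurrences per year

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Countermeasure:
    """A proposed control and its estimated effect on the risk it addresses.

    residual_sle/residual_aro are an assumption of this example: the loss per
    event and event rate that remain once the control is in place."""
    name: str
    annual_cost: float    # purchase and operating cost spread over one year
    residual_sle: float
    residual_aro: float

    def residual_ale(self) -> float:
        return self.residual_sle * self.residual_aro


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual value of the control: ALE avoided minus what the control costs.
    Positive means the countermeasure pays for itself; negative means it costs
    more than the loss it prevents."""
    return risk.ale() - cm.residual_ale() - cm.annual_cost


def recommend(risk: Risk, cm: Optional[Countermeasure]) -> str:
    """Mitigate when the control's net benefit is positive, otherwise accept the
    risk, following the rule that spending should not exceed the ALE."""
    if cm is not None and net_benefit(risk, cm) > 0:
        return "mitigate"
    return "accept"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Largest expected annual loss first, as the prioritization section describes."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register; the figures are illustrative, not from any real assessment.
REGISTER = [
    (Risk("customer database", "ransomware", sle=200_000, aro=0.25),
     Countermeasure("offline backups + restore drills", 12_000, 50_000, 0.25)),
    (Risk("public web server", "volumetric DDoS", sle=5_000, aro=2.0),
     Countermeasure("DDoS scrubbing service", 15_000, 500, 2.0)),
    (Risk("staff laptops", "theft", sle=3_000, aro=1.5),
     Countermeasure("full-disk encryption", 1_000, 1_500, 1.5)),
]


def build_report(register=REGISTER):
    """Decisions in priority order as (asset, ALE, net benefit, decision) tuples."""
    ordered = sorted(register, key=lambda pair: pair[0].ale(), reverse=True)
    return [(r.asset, r.ale(), net_benefit(r, cm), recommend(r, cm)) for r, cm in ordered]


if __name__ == "__main__":
    for asset, ale, benefit, decision in build_report():
        print(f"{asset:20s} ALE={ale:>9,.0f}  net benefit={benefit:>9,.0f}  -> {decision}")
```

Note that the web-server row is accepted even though its ALE is the second largest: the scrubbing service costs more per year than the loss it would prevent, which is exactly the "countermeasure spend higher than the ALE" situation the text warns about.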
Risk Management is meaningful only when decisions are made based on meaningful risk analysis, which in turn involves preliminary processes such as penetration testing, vulnerability assessment and objective audit.
TALK TO US
Throughout the entire Risk Management process, we will assist you in the following stages to ensure proper, best-fit execution:
- Obtain necessary data access to business process and operations structure
- Identify and notify participants and decision-makers
- Identify and distribute scope, objectives and requirements
- Ensure participation of appropriate staff and management in risk assessment
- Review scope, objectives, and process
- Conduct risk identification, consolidate related risks
ASSESS & PRIORITIZE RISKS
- Identify and obtain consensus on impact, severity, probability
- Identify time window when risk could occur
- Assess and prioritize all existing risks
DECIDE ON CONTROL OPTIONS
- Identify mitigation options for each risk
- Identify risks to be accepted, avoided, transferred, or mitigated
- Assign plan operative instructions for avoided, transferred, or mitigated risks
- Establish/update risk database
ESTABLISH MITIGATION PLANS
- Develop draft mitigation plans and resources
- Obtain manager review and approval of mitigation plans
- Ensure mitigation plan is funded, directed, and integrated
IMPLEMENT MITIGATION PLANS
- Finalize Risk Management plan
- Devise mechanism to monitor triggers, cues, and mitigation
- Implement mitigation as authorized, funded, and scheduled
- Provide reporting on mitigation results and progress
MONITOR MITIGATION PLANS
- Periodically review mitigation plan results
- Stop or modify mitigation plans and resources
- Retire risks when appropriate
- Update risk database for mitigation process and retirement
CRITERIA TO LOOK FOR
At all stages, an externally provided Risk Management process should:
- Cost less in resources than the consequence of inaction
- Be an integral part of organizational processes
- Be part of the decision making process
- Explicitly address uncertainty and assumptions
- Be a systematic and structured process
- Be based on the best available information
- Be tailorable
- Take human factors into account
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Be capable of continual improvement and enhancement
- Be continually re-assessed