
Security Tip: Three things you must know about risk assessment

October 6, 2006, 12:12 PM —  security.itworld.com — 

Risk assessments have come into vogue these days, and with good reason. Ideally, they are the basis of any information security program. They should help an organization identify the assets it really needs to secure and the threats against which it needs to spend its resources protecting those assets. A good risk assessment should give an organization a road map for its immediate attention, interim goals and long-term security planning.



Based on our organization's experience performing risk assessments for many companies around the globe, here are three key items you must know before undertaking a full assessment project.



1) A risk assessment is complex, time- and resource-consuming, and difficult to perform if you are not objective. We have seen several organizations decide to undertake the risk assessment process themselves, which is certainly fine and usually even acceptable from a regulatory standpoint. The main issue is to pick the right internal team to manage the process and perform the work. The team must be balanced between technical (line of business) staff and management; if it leans too far toward either one, the results can quickly become skewed. You also have to be very careful of company politics: risk assessment can get political when you start to look at the existing controls, plans, policies and budgets that protect critical assets. Each of these areas, plus many more, is quicksand for teams with political goals or hypersensitivity. Risk assessment is not for the meek, nor for the ambitious. It must be performed with a real-world focus and with attention only on identifying and mitigating the risks.



2) A risk assessment must address the business goals of the organization and provide risk management guidance to all levels of the organization. Risk assessments that focus solely on the technical or executive level are rarely worth the resources required to perform them. If you don't look at the entire breadth and depth of risk across the entire scope of assets, you are probably spending your money poorly. The only exceptions are regulatory-required risk assessments at the level of a specific application, or an engagement used to update an existing risk assessment that revealed a potential weakness in a specific area that may now have been addressed. If, however, you decide to spend your resources on a line-of-business-by-line-of-business risk assessment, you not only consume undue resources but also create overlapping work and myopic vision and results; worst of all, large enterprise-wide risks that are too general to fit into any one line of business's details can be missed. Missing an enterprise-wide risk like this could be a disaster and, in many cases, a career-ending event for many folks. Keep the risk assessment wide, address all levels and all assets, and make sure you get executive, line management and technical risk mitigation guidance.



3) Risk assessments are expensive, but worth every penny. A good risk assessment can both validate your existing security programs and identify potential improvements. It can identify areas where you have spent your budget and human resources effectively and give insight into areas where you may be expending too much capital for little return. Used properly, risk assessments are a great planning tool for identifying opportunities for information security to better empower the lines of business, and they can be fantastic at building a broader and deeper understanding of risk management among line management and technicians. Performed properly and managed by a working group or steering committee, the risk assessment can help identify areas whose remediation may save the organization from extreme regulatory, reputational or financial damage. It can pinpoint potential weaknesses in disaster recovery/business continuity plans, management and maintenance techniques, vendor management and single points of failure. All of this information, if managed properly, is worth the cost of the engagement ten times over if it protects the organization down the road from what could have been a disaster or total loss.


There you have it: three key ideas to consider before undertaking a risk assessment. If you want to read more about risk assessment techniques and possible methodologies, take a look at the web sites of ISSA, ISACA and the like. NIST also offers some great free information about risk assessments and other security initiatives. If your organization is looking for vision, value and validation, then a risk assessment may be just the process you are seeking.




