by Alex Radford
Risk management is now part of the working life of everyone involved in information security. It features in all the key standards, including ISO 27001 and PCI DSS, both of which have just been updated. We have to do it, but doing it well takes time and effort. So let's take a pragmatic look at what risk assessment for information security actually requires. Here are 5 tips for making it work for you:
Tip 1 - Make it meaningful
A risk assessment can be done as "lip service" to the requirements, completed only because it has to be. When it is done that way, the results are inaccurate and nobody cares about them. Treat it seriously, as a tool to improve the business. But how do we make it meaningful? We have to get buy-in from the senior management team and know that they are going to act on the findings and resolve the issues.
Tip 2 - Define the process fully BEFORE starting
This seems an obvious point, but risk assessments are frequently done in an unstructured way, and it is then difficult to get good results. Remember that a risk assessment must be repeatable: two people following the process on the same assets should reach the same answer. Spend the time before you start defining all the key parts of the assessment, including:
- How we are going to do the risk assessment
- How we are going to measure risk (the scales and the scoring method)
- What criteria we are going to use for accepting risk
Tip 3 - Group assets together
This is a key item for completing risk assessments. One laptop is generally much like another: they can all hold sensitive data, and they can all be lost, stolen and so on. From an asset management perspective, keep the number of asset entries as low as is sensible and group similar assets together. In some cases this clearly isn't practical, and even with the laptop example you may end up with two or three different "types" of laptop, depending on who is using them and what data they hold.
Tip 4 - Make sure the assets have real owners
Real owners? What I mean is that the person to whom the asset is allocated must have the authority, ability, budget and resource to resolve any issues the risk assessment finds. There is no point having findings that nobody can resolve. Some assets are difficult to assign, and people may not want to own them, but this is key to controlling risk. Every asset must have an owner, or the risk assessment will fail to address the issues it raises.
Tip 5 - The risk assessment evolves over time
The first time a risk assessment is done, it won't perfectly match everything within the business. Some assets will be over-valued, some under-valued, and the impacts may not be perfectly accurate. It needs time to bed in and to be "tweaked" and corrected. That does not mean it gets manipulated to produce the answer that was expected! Risks will appear that weren't anticipated, and yes, some of them may be more severe than had been assumed.
To close, be methodical, realistic, and as accurate and honest as possible when doing the risk assessment. That will produce the best possible answer to the ongoing question: what are my risks?