Learning how to use Risk Assessments and ongoing Risk Management tools is going to be crucial to companies building information risk management programs in 2016.
As one year ends and another begins it is a sure bet that tech company marketing teams will begin to crank out the trend reports. The transition this New Year is no different.
The cynic recognizes the pattern. This company identifies these threats that only their product protects against. That company identifies another set of threats that only they, of course, protect against. And so it goes.
Not all of these surveys are bad. Some are quite helpful in keeping informed about the security landscape. But they are all put out with the intent of creating demand for products.
We have been doing this long enough that we realize it isn’t about the products.
The trend we see going into 2016 is that companies need to get better at understanding their individual risk profile and building the discipline to manage risk within that profile. Security safeguards – including products purchased – should be selected based on the risks that they mitigate.
What is risk?
The same joke gets told in security industry conferences all the time. If you put five risk professionals in a room and ask for a definition of risk, you’ll get at least six models.
The “industry” doesn’t agree all the time on the details of the risk model. But your job isn’t to argue about the fine details of a model. Your job is to manage risk so your organization can run and grow.
Simply – and there is agreement here — risk is the product of the likelihood of something bad happening times the impact that occurs if it does happen (Risk = Likelihood x Impact).
We appreciate and usually use a simple model with a little more detail.
Jacadis builds on the definition of risk in NIST SP 800-30, which treats risk as a function of the likelihood that a threat source exploits a vulnerability in an asset and the impact that results. We expand that into a working formula, Risk = Asset x Threat x Vulnerability x Likelihood x Impact, where the variables are defined as follows:
Assets in this context are your information and data valuables: the computers, mobile devices, servers, network devices and networks that hold them; the applications and databases that contain them; the physical locations where they are housed; the business processes that use them for productive work; and, of course, the people who use them.
Threats are the bad guys, the bad actors, the malicious code or the act of God that can impact the confidentiality, integrity and/or availability of information and data contained in your assets.
Vulnerabilities are the chinks in your armor: missing patches, poor practices, weak passwords or other weaknesses that allow a threat to launch an attack on an asset.
Without the jargon your valuables (assets) are attacked by bad actors (threats) through the exploitation of weaknesses (vulnerabilities).
What do we defend first? Where do we start when we have more assets, threats and vulnerabilities than we can manage? We need a means of prioritizing the risk.
In the model we’ve chosen, we use Likelihood and Impact represented on a qualitative scale, with 1 being low likelihood or low impact and 5 representing high likelihood or high impact. There are models that use detailed quantitative measures, but our experience is that the qualitative approach, with some limitations, gets us to a point where we can prioritize the cataloged risk and get an organization started on the way to improving its information risk management program and its security posture. The main limitation to keep in mind is that these scores are ordinal: a 4 is not “twice” a 2, so the product of the two is a ranking aid for deciding what to work on first, not a measurement of expected loss.
Risk Assessment vs. Risk Management
Jacadis conducts a large number of risk assessments annually. An annual risk assessment (sometimes coupled with security controls assessments and penetration tests) is considered a leading security practice.
A risk assessment focuses on identifying, measuring and prioritizing risks. Sometimes a risk assessment covers an entire organization, sometimes a single system. Within the agreed scope, we report back to the client on the risks identified, score each one using the qualitative likelihood and impact scales, and use those scores to help the client prioritize them. Finally, we include a risk treatment plan of recommendations for what needs to be done to reduce the risks found. Broadly, each recommendation will be to:
- Accept the risk
- Avoid the risk
- Mitigate or control the risk
- Transfer the risk
While the risk assessment is a one-time event or snapshot of the risks found in an analysis of the in scope systems, risk management is an ongoing process.
We like to see clients create a risk register to maintain a catalog of risks that is used as the center point of the risk management process.
Many clients take our initial baseline assessment with the findings and risk treatment plan in spreadsheet format and use that to create the foundation of their risk register.
Others choose to do this in a GRC tool such as the one our partner TraceCSO provides.
Regardless of your chosen tools, the risk register is central to the risk management process. It is a tool that will help management understand the risks the organization faces and their likely impacts, serve as a basis for communicating the organization’s risk tolerance and its willingness to accept risk, and report the status of found risks over time. It is also a great capture point for technical and non-technical managers to park those things that “keep them up at night” so they are available for discussion during security committee meetings.
Just as in a risk assessment, our clients use the risk register to support risk management across five activities:
- Identify each risk in terms of the asset, the potential threats and the identified vulnerabilities.
- Evaluate the severity of the risk by scoring likelihood and impact on the qualitative scale.
- Identify possible treatments and communicate the reduction in risk expected from each choice.
- Monitor and analyze the implementation of the chosen treatments; and,
- Document your company’s information risk management effort so the record is available in the event of a breach or an audit.
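As an added illustration (not Jacadis’s tooling, not TraceCSO, and not code from the original post), the following Python sketch of a risk register applies the 1-to-5 Likelihood x Impact scoring described above, records one of the four treatment options per entry together with the residual scores the treatment is expected to leave, and reports which entries still sit above a management-set tolerance. The four risk entries, the tolerance value of 6, and all scores are constructed sample values, not real findings.

```python
"""Minimal qualitative risk register: score, rank, treat, and track residual risk.

Added example; the entries, scores and tolerance below are constructed, not real.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

SCALE = range(1, 6)  # qualitative scale: 1 = low ... 5 = high


class Treatment(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"


@dataclass
class Risk:
    """One register entry: asset / threat / vulnerability plus its scores."""
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: Optional[Treatment] = None
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    log: List[str] = field(default_factory=list)  # decisions recorded over time

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def inherent(self) -> int:
        """Score before any treatment: Likelihood x Impact, range 1..25."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score expected once the chosen treatment is in place."""
        if self.treatment is Treatment.AVOID:
            return 0  # the activity is dropped, so the risk no longer exists
        if self.treatment in (Treatment.MITIGATE, Treatment.TRANSFER):
            return self.residual_likelihood * self.residual_impact
        return self.inherent  # untreated, or accepted as-is

    def treat(self, treatment: Treatment, likelihood: Optional[int] = None,
              impact: Optional[int] = None) -> None:
        """Record a treatment decision and the scores it is expected to yield."""
        if treatment in (Treatment.MITIGATE, Treatment.TRANSFER):
            if likelihood not in SCALE or impact not in SCALE:
                raise ValueError("mitigate/transfer need residual likelihood and impact")
            if likelihood * impact > self.inherent:
                raise ValueError("a treatment must not raise the score")
            self.residual_likelihood, self.residual_impact = likelihood, impact
        self.treatment = treatment
        self.log.append(f"{treatment.value}: {self.inherent} -> {self.residual}")


class RiskRegister:
    """Catalog of risks plus the highest residual score management will accept."""

    def __init__(self, tolerance: int) -> None:
        self.tolerance = tolerance
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        if risk.rid in self._risks:
            raise KeyError(f"duplicate risk id {risk.rid}")
        self._risks[risk.rid] = risk

    def get(self, rid: str) -> Risk:
        return self._risks[rid]

    def prioritized(self) -> List[Risk]:
        """Highest residual score first; ties broken by inherent score."""
        return sorted(self._risks.values(),
                      key=lambda r: (r.residual, r.inherent), reverse=True)

    def above_tolerance(self) -> List[str]:
        """IDs of entries whose residual score still exceeds the tolerance."""
        return [r.rid for r in self.prioritized() if r.residual > self.tolerance]


def build_sample_register() -> RiskRegister:
    """Constructed sample data (hypothetical assets and findings) for illustration."""
    reg = RiskRegister(tolerance=6)  # assumed tolerance, set by management in practice
    reg.add(Risk("R1", "customer database", "external attacker",
                 "unpatched SQL injection in web app", likelihood=4, impact=5))  # 20
    reg.add(Risk("R2", "staff laptops", "theft",
                 "no full-disk encryption", likelihood=3, impact=4))            # 12
    reg.add(Risk("R3", "legacy FTP server", "malware",
                 "anonymous write access", likelihood=5, impact=2))             # 10
    reg.add(Risk("R4", "office printer", "curious visitor",
                 "default admin password", likelihood=2, impact=1))             # 2
    reg.get("R1").treat(Treatment.MITIGATE, likelihood=1, impact=5)  # patch -> 5
    reg.get("R3").treat(Treatment.AVOID)                             # decommission -> 0
    reg.get("R4").treat(Treatment.ACCEPT)                            # stays 2
    # R2 is left untreated, so it remains the open item above tolerance.
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.prioritized():
        print(f"{r.rid:3} inherent={r.inherent:2} residual={r.residual:2} "
              f"{(r.treatment.value if r.treatment else 'open'):9} {r.asset}")
    print("above tolerance:", register.above_tolerance())
```

The ordering deliberately sorts on residual rather than inherent score: once a treatment is recorded, the register should steer attention to what is still open, while the inherent score and the per-entry log preserve the history an auditor will ask for. The `treat` check that a mitigation or transfer cannot raise the score catches a common data-entry mistake when a spreadsheet register is updated by hand.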
In that regard, Jacadis is a continuous risk management company. We help our clients identify risks, evaluate their severity, identify and select countermeasures, and monitor and analyze the effectiveness of the steps taken. We do it through risk assessments and by teaching clients how to use a risk register, either in spreadsheet form or as part of a GRC toolset such as the one TraceCSO provides, as the core of their information security program.
Continuous Risk Management means continuous improvement of security and compliance.