Every enterprise faces risk, so a robust information security (IS) risk management program is vital for your organization to identify, respond to, and monitor the risks relevant to it. Below, I will provide a brief overview of why risk management is an important component of information security by addressing FAQs we hear from clients. I will then outline the general steps and tips to follow in order to implement a thorough IS risk management and risk assessment process for your organization.
Risk Management Related FAQs
1. What is information security (IS) and risk management? And what are information risks?
Information security and risk management go hand in hand. These terms are frequently referred to as cyber risk management, security risk management, information risk management, etc. The common denominator among these and other similar terms for addressing organizational IS risks is that both a documented information security policy and a documented risk management policy should exist in order to properly implement an information security risk management program.
Information security should be established to serve the business and help the company understand and manage the overall risk to the services being provided. Information security involves all of the controls implemented to secure, and alert on, your organization's information assets. These include, but are not limited to, controls such as a developed logical access policy and procedure(s), backup and encryption of sensitive data, and systems monitoring.
Risk management is a core component of information security, and establishes how risk assessments are to be conducted. This ensures that risks to your assets and services are continuously evaluated and remediated as appropriate, in order to reduce risk to a level your organization is comfortable with. Risk assessments may be high level or detailed to a specific organizational or technical change as your organization sees fit. Risk assessments must be conducted by unbiased and qualified parties such as security consultancies or qualified internal staff. Further, risk assessments evaluate technical infrastructure (networks, instances, databases, systems, storage, and services) as well as business practices, procedures, and physical office spaces as needed.
Information risks refer to the vulnerabilities and threats that may impact the function of the services should those vulnerabilities be exploited by known or unknown threats. An example of an information security risk is the likelihood of a breach or unauthorized exposure of client data. A great way to reduce the risk of data exposure in the event of a client data breach would be to implement encryption on the databases where that data resides. This reduces the overall risk to a more reasonable level by protecting the confidentiality of the data through encryption should the breach be realized.
2. Why is risk management important in information security?
As noted above, risk management is a key component of overall information security. Therefore, assessing risks on a continuous basis is a very important component to ensure the ongoing security of your services.
3. How is risk calculated in information security?
Risk calculation can be either quantitative or qualitative. Quantitative risk analysis uses mathematical formulas to determine the costs to your organization associated with a threat exploiting a vulnerability. Most organizations we find use the qualitative approach, categorizing risks as high, medium, or low based on the likelihood and impact should the risk be realized. The methodologies outlined later in this article can be used to determine which form of risk analysis is best suited for your organization.
Overview and Key Steps to Implementing an IS Risk Management Process
What are the key steps of a risk management process?
If you already have a risk management process in place or are planning on implementing one, I wanted to go through some tips regarding the overall key steps that can help you build or improve it.
- Identification and Categorization of your Assets
- Risk Assessment
- Risk Response and Mitigation
- Risk and Control Monitoring and Reporting
1. Identifying and Categorizing your Assets
If you don’t know what you have, then how are you expected to manage and secure it? A lot of organizations only do an inventory of all the assets they own or manage and call this task complete, but you need to go further. You need to understand how the business works, how data moves in and out, how the system is used, and what is important to whom and why. By understanding the function and purpose of each asset, you can start categorizing them by criticality and other factors. To further clarify, without categorization, how do you know where to focus your time and effort? For example, many organizations may inventory their assets but never define the function, purpose or criticality of each, all of which are beneficial to determine. Doing so ensures that your resources (time, people, and money) are focused on the highest priority assets rather than lower priority and less critical assets.
2. Risk Assessment
After your assets are identified and categorized, the next step is to actually assess the risk of each asset. This would include identifying the vulnerability exposure and threats to each asset. You will then want to determine the likelihood of the threats exploiting the identified vulnerabilities. This work will help identify the areas of the highest likelihood and impact if the threat is realized. Further, this will allow you to focus your resources and remediation efforts in the most critical areas, helping you respond and remediate the risks of highest impact and criticality to your organization.
3. Risk Response and Mitigation
After the risks are rated, you will want to respond to each risk and bring each one down to an acceptable level. There are generally four possible responses to a risk: accept, transfer, mitigate, or avoid. The treatment/response option chosen will depend on the organization’s overall risk appetite. Again, the risks that pose the highest threat are where you should spend your resources and implement controls to ensure that the risk is reduced to an acceptable level.
4. Risk and Control Monitoring and Reporting
Risk and control monitoring and reporting should be in place. In other words: revisit risks regularly. You should not follow a “set it and forget it” approach when it comes to risk. All risks should be maintained within what is typically referred to as a “Risk Register.” This is then reviewed on a regular basis and whenever there is a major change to the system, processes, mission or vision. Another great time to reassess risk is if/when there is a change to the business environment, for example when a new security breach is identified, new business competitors emerge, or weather patterns change.
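The four steps above, tied together as an added example that is not part of the original post: a minimal Python risk register that rates each row by likelihood × impact on the high/medium/low scale, gives a quantitative expected-loss view alongside it, checks that “accept” is only used at or below a stated risk appetite, and flags rows due for reassessment. The register rows, review date, score thresholds and one-year cadence are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = {"low": 1, "medium": 2, "high": 3}              # qualitative scale
RESPONSES = {"accept", "transfer", "mitigate", "avoid"}  # the four response options

@dataclass
class Risk:
    asset: str          # from the asset identification/categorization step
    threat: str
    likelihood: str     # low / medium / high
    impact: str         # low / medium / high
    response: str       # one of RESPONSES
    last_assessed: date

def qualitative_rating(likelihood: str, impact: str) -> str:
    """Rate a risk from likelihood x impact on a 3x3 scale (score 1..9; thresholds assumed)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"    # 6 or 9
    if score >= 3:
        return "medium"  # 3 or 4
    return "low"         # 1 or 2

def expected_loss(probability: float, loss_if_realized: float) -> float:
    """Quantitative view: expected cost of a threat exploiting a vulnerability."""
    return probability * loss_if_realized

def treatment_ok(rating: str, response: str, appetite: str) -> bool:
    """'accept' is only defensible at or below the organization's risk appetite."""
    return response in RESPONSES and (response != "accept" or LEVELS[rating] <= LEVELS[appetite])

def due_for_review(risk: Risk, today: date, max_age: int = 365, major_change: bool = False) -> bool:
    """Revisit a row on a periodic cadence or whenever a major change has occurred."""
    return major_change or (today - risk.last_assessed).days > max_age

def review_register(register, today, appetite="medium", major_change=False):
    """Return (asset, rating, treatment_ok, due_for_review) for every register row."""
    rows = []
    for r in register:
        rating = qualitative_rating(r.likelihood, r.impact)
        rows.append((r.asset, rating, treatment_ok(rating, r.response, appetite),
                     due_for_review(r, today, major_change=major_change)))
    return rows

AS_OF = date(2020, 1, 29)  # constructed review date
SAMPLE_REGISTER = [  # constructed rows: assets already inventoried, threats identified
    Risk("client database", "unauthorized exposure of client data", "medium", "high", "mitigate", date(2019, 6, 1)),
    Risk("marketing website", "defacement", "medium", "low", "accept", date(2020, 1, 10)),
    Risk("payroll SaaS vendor", "vendor outage", "high", "high", "accept", date(2019, 1, 3)),
]
```

Running `review_register(SAMPLE_REGISTER, AS_OF)` flags the vendor row twice: a high risk has been “accepted” above a medium appetite, and it has not been reassessed in over a year.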
Define a Methodology
To help with the above steps of implementing a risk management program, it is VERY helpful to start by choosing and defining a Risk Management Methodology you would like to use. Without a defined methodology, risk may not be measured the same way throughout the business and organization. Each organization is different—some may only need a basic categorization and prioritization approach, while others may require a more in-depth method. There are many methodologies out there and any one of them can be implemented. You do not need to use an industry defined methodology; you can create one in-house (it is recommended to at least base your internal process on an industry best practice). The key is to select an approach that aligns best with your business, processes and goals, and use the same approach throughout. Below are a few popular methodologies.
OCTAVE Allegro:
Developed in 2001 at Carnegie Mellon for the DoD. Per Cert.org, “OCTAVE Allegro focuses on information assets. An organization’s important assets are identified and assessed based on the information assets to which they are connected.” Qualitative not quantitative.
Pros: Self-directed, easy to customize, thorough and well-documented.
Cons: Can be complex.
FAIR:
FAIR is an analytical, international-standard quantitative risk model. The FAIR model specializes in financially derived results tailored for enterprise risk management. Quantitative not qualitative.
Pros: More granular level of threats, vulnerabilities and risk.
Cons: Can be difficult to use.
RMF:
The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
Pros: Aligns with other NIST standards, popular.
Cons: Requires knowledgeable staff, not automated (but third-party tools do exist to support automation).
A Note on Vendor/Supplier Risk Management
Lastly, but certainly not least – Vendor/Supplier Risk Management is a core component of any risk management program. Vendors should be reviewed periodically, and more frequently when the services supporting your products change significantly. Essentially, the same process used for assessing internal risks should be followed in identifying and addressing the risks that your vendors pose to your products and services.
Conclusion
Implementing an information security risk management program is vital to your organization in helping ensure that relevant and critical risks are identified, remediated and monitored on an ongoing basis. This will protect and maintain the services you are providing to your clients. Vendor management is also a core component of an overall risk management program. Linford & Company can help you evaluate your information security and risk management program and processes, or help you develop one should you not already have one in place. For more information on our services and how we can help your business, please feel free to contact us.
This post was originally published on 1/17/2017, and updated on 1/29/2020.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.