Some people may not believe this, but information security’s purpose is, or should be, to serve the business and help the company understand and manage its overall risk. Sure, there are some security professionals that appear to have the goal of spending as much money as possible and getting the latest and greatest software, and there are also some that like to say “no”…for everything…all the time, but the good ones are there to help. One way to help serve the business is to look at security based upon risk.
If you already have a risk management process in place or are planning on implementing one, I wanted to go through some tips that can help you build or improve it.
- Identifying and Categorizing your Assets
If you don’t know what you have then how are you expected to manage and secure it? A lot of organizations only do an inventory of all the assets they own or manage and call this task complete, but you need to go further. You need to understand how the business works, how data moves in and out, how the system is used and what is important to whom and why. What is important to one person may not be important to others. By understanding the function and purpose of each asset, you can start categorizing them by criticality and other factors.
Without categorization, how do you know where to focus your time and effort? For example, I worked with an organization that only inventoried their assets, they didn’t define their function, purpose or criticality. A high-profile vulnerability was identified that required immediate response. Because we only had a very basic inventory, we did not know what assets to focus on. If you have thousands of assets that need to be remediated, how do you prioritize your effort? We ended up going from top to bottom alphabetically on the list, a task that took days to complete. What if the asset that was the most important to the business and organization started with a “Z”? Oops, sorry, that was the last one we did. This would not be a good conversation to have if your company is breached and is attributed to the server being further in the alphabet and you had no idea what it does.
- The Business is Accountable for the Risk
Risk should not be accepted by the security team, instead risk must be accepted by the business. The security team should help the business understand the risk and what they are accepting. If the security team is forced to accept the risk, then the business may make riskier moves because they no longer are accountable for the fallout. If not properly managed or understood however, a business may accept risk without knowing the full impact to the enterprise, so working with the business to make sure that the risk is fully understood and defined is essential.
- Define a Methodology
Without a defined methodology, risk may not be measured the same way throughout the business and organization. Each organization is different—some may only need a basic categorization and prioritization approach, while others may require a more in-depth method. There are many methodologies out there and any one of them can be used. You do not need to use an industry defined methodology, you can create one in-house (it is recommended to at least base your internal process off an industry best practice), but the key is to select an approach that aligns best with your business, processes and goals and use the same approach throughout. Below are a few popular methodologies.
Developed in 2001 at Carnegie Mellon for the DoD. Per Cert.org, “OCTAVE Allegro focuses on information assets. An organization’s important assets are identified and assessed based on the information assets to which they are connected.” Qualitative not quantitative.
Pros: Self-directed, easy to customize, thorough and well-documented.
Cons: Can be complex.
FAIR is an analytical risk and international standard quantitative model. The FAIR model specializes in financially derived results tailored for enterprise risk management. Quantitative not qualitative.
Pros: More granular level of threats, vulnerabilities and risk.
Cons: Can be difficult to use.
The Risk Management Framework (RMF) provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.
Pros: Aligns with other NIST standards, popular.
Cons: Requires knowledgeable staff, not automated (but third-party tools do exist to support automation).
- Revisit Risks Regularly
You should not follow a “set it and forget it” approach when it comes to risk. All risks should be reviewed on a regular basis and whenever there is a major change to the system, processes, mission or vision. Another time that is great to reassess risk is if there is a change to the business environment. For example, a new security breach is identified, emerging business competitors, weather pattern changes, or a family of groundhogs that recently moved in next door.
Linford & Company LLP is a Denver-based Certified Public Accounting firm comprised of former “Big Four” auditors and Information Security experts. We perform SOC 1 (f. SSAE 16), SOC 2, royalty/licensing compliance, FISMA/FedRAMP, and HIPAA compliance audits for organizations around the world. For more information on our services and how we can help your business, please feel free to contact us.