The risk assessment provides an organization with a tool to determine how, where and how much to invest in controls and security over technology. It also serves to document the risk acceptance policy of the organization, since the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI DSS, among others.

The risk assessment also serves a key role in internal processes such as business continuity planning, internal audit planning and overall enterprise risk management. This has led, in many cases, to the risk assessment becoming a "check the box" item. Risk assessment, you ask? Yep, I have one of those. However, an inadequate risk assessment may be preventing your organization from developing and executing an effective information security and technology risk management strategy.

There are many historical examples of the impact a bad risk assessment can have. For example, after World War I, the French invested in a line of fortifications on their borders with Germany and Italy. Fearing a repeat of the last war, French Minister of War André Maginot championed the construction of a series of fixed artillery emplacements and tank barriers, all facing the enemy.

However, history tells us that while Maginot correctly identified the source of the risk (Germany), he assumed the next war would be fought the same way as the last. Maginot failed to properly assess the current threats and vulnerabilities he faced, which led to the defeat of France when the German army performed an end run and attacked France from the north instead of the east (the guns were literally pointed the wrong way!).

His perceived risk was improperly supported, which led to a massive investment in a defensive line that was ultimately ineffective.

Had Maginot studied risk assessment, he would have realized that risk (R) is the product of threat (T) and vulnerability (V), sometimes expressed as T x V = R. Properly described, risk is the combination of the impact and likelihood of an event that affects the mission, functions, image or reputation of an organization.

Overall risk to the organization/entity is the sum of all of the risks described in its Risk Catalog, which represents the portfolio of relevant risks. Following this process can help your organization build appropriate controls and avoid an outcome similar to Maginot's. The overall process for a comprehensive risk assessment may be summarized in the following steps:

  1. Develop a Threat Catalog describing the universe of applicable threats;
  2. Determine the Relevance and Impact of each Threat to produce the Threat Value;
  3. Examine the Vulnerabilities and Pre-Disposing Conditions to determine the value for Vulnerability;
  4. Determine the Inherent Risk as the product of Threat and Vulnerability;
  5. Apply the Risk Treatment process applicable to the organization to the Risk Catalog to determine which risks will be Mitigated in the Controls Environment;
  6. Based on independent testing, determine the Design and Operating Effectiveness of the Controls Environment;
  7. Subtract the Controls Value from the Inherent Risk to determine the Residual Risk; and
  8. Compare the Residual Risk, both in aggregate and for each individual risk, to the Risk Tolerance of the organization.

This disciplined approach will provide insight into the allocation of resources and the alignment of controls with the risks to the core business of the organization.
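The eight steps above, carried through as a worked calculation over a small constructed Risk Catalog. This is an added example and not code from the article or from Coalfire; the scoring scales (relevance and control effectiveness as fractions in [0, 1], impact and vulnerability as 1 to 5 ordinal scores), the rule that only risks treated as "mitigate" earn credit for controls, and the way Controls Value is derived from tested design and operating effectiveness are all assumptions made for illustration, as are the sample threats and tolerance figures.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed scales for this example (not from the article):
#   relevance, design_eff, operating_eff : fractions in [0, 1]
#   impact, vulnerability                : ordinal scores, 1 (negligible) .. 5 (severe)


@dataclass
class Threat:
    """One entry in the Threat Catalog (step 1) with its assessed attributes."""
    name: str
    relevance: float            # step 2: how applicable is this threat to us?
    impact: int                 # step 2: consequence if the threat is realised
    vulnerability: int          # step 3: weaknesses and pre-disposing conditions
    treatment: str = "mitigate"  # step 5: mitigate | accept | transfer | avoid
    design_eff: float = 0.0     # step 6: independently tested design effectiveness
    operating_eff: float = 0.0  # step 6: independently tested operating effectiveness


def threat_value(t: Threat) -> float:
    """Step 2: Threat Value = Relevance x Impact."""
    return t.relevance * t.impact


def inherent_risk(t: Threat) -> float:
    """Step 4: Inherent Risk = Threat Value x Vulnerability (the T x V = R of the text)."""
    return threat_value(t) * t.vulnerability


def controls_value(t: Threat) -> float:
    """Steps 5 and 6: the share of inherent risk the Controls Environment removes.

    Assumption: only risks selected for mitigation get credit, and the credit is
    the inherent risk scaled by tested design AND operating effectiveness, so a
    control that looks good on paper but fails its operating test subtracts little.
    """
    if t.treatment != "mitigate":
        return 0.0
    return inherent_risk(t) * t.design_eff * t.operating_eff


def residual_risk(t: Threat) -> float:
    """Step 7: Residual Risk = Inherent Risk - Controls Value."""
    return inherent_risk(t) - controls_value(t)


def assess(catalog: List[Threat], per_risk_tolerance: float,
           aggregate_tolerance: float) -> Dict:
    """Step 8: compare each residual risk, and their sum, to the organization's tolerance."""
    rows = []
    for t in catalog:
        r = residual_risk(t)
        rows.append({
            "name": t.name,
            "treatment": t.treatment,
            "inherent": inherent_risk(t),
            "residual": r,
            "within_tolerance": r <= per_risk_tolerance,
        })
    aggregate = sum(row["residual"] for row in rows)
    return {
        "risks": rows,
        "aggregate": aggregate,
        "aggregate_within_tolerance": aggregate <= aggregate_tolerance,
    }


# Constructed sample catalog for illustration only; the figures are invented.
CATALOG = [
    Threat("Ransomware delivered by phishing e-mail", relevance=0.9, impact=5,
           vulnerability=4, design_eff=0.8, operating_eff=0.75),
    Threat("Physical intrusion at a branch office", relevance=0.4, impact=3,
           vulnerability=2, design_eff=1.0, operating_eff=0.9),
    # Accepted risk: no controls credit, so the full inherent risk is carried forward.
    Threat("Insider export of member data", relevance=0.6, impact=5,
           vulnerability=3, treatment="accept"),
]

if __name__ == "__main__":
    result = assess(CATALOG, per_risk_tolerance=8.0, aggregate_tolerance=15.0)
    for row in result["risks"]:
        flag = "ok" if row["within_tolerance"] else "EXCEEDS TOLERANCE"
        print(f"{row['name']:<42} inherent={row['inherent']:5.2f} "
              f"residual={row['residual']:5.2f} [{row['treatment']}] {flag}")
    print(f"aggregate residual={result['aggregate']:.2f} "
          f"within tolerance={result['aggregate_within_tolerance']}")
```

Run as a script, the table shows the Maginot failure mode in miniature: the accepted insider risk carries its full inherent value of 9.0 into the residual column and breaches the per-risk tolerance on its own, while the well-controlled physical-intrusion threat drops to 0.24. The point of step 8 is that both the individual and the aggregate comparison must pass; a portfolio of individually tolerable residuals can still exceed the aggregate tolerance.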

John Rostern is managing director, Northeast, for Coalfire Systems.