The risk assessment provides an organization with a tool to determine how, where and how much to invest in controls and security over technology. This also serves to document the risk acceptance policy of the organization as the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI among others.
The risk assessment also serves a key role in internal processes such as business continuity planning, internal audit planning and overall enterprise risk management. This has led in many cases to the risk assessment becoming a “check the box” item. Risk assessment, you ask? Yep, I have one of those. However, an inadequate risk assessment may be preventing your organization from developing and executing an effective information security and technology risk management strategy.
There are many historical examples of the impact a bad risk assessment can have. For example, after World War I, the French invested in a line of fortifications on the border with Germany and Italy. Fearing a repeat of the last war, French Minister of War André Maginot designed and built a series of fixed artillery emplacements and tank barriers, all facing the enemy.
However, history tells us that while Maginot correctly identified the source of the risk (Germany), he assumed the next war would be fought the same way as the last. Maginot failed to properly assess the current threats and vulnerabilities he faced, which led to the defeat of France when the German army performed an end run and attacked France from the north instead of the east (the guns were literally pointed the wrong way!).
His perceived risk was improperly supported, which led to a massive investment in a defensive line which was ultimately ineffective.
Had Maginot studied risk assessment, he would have realized that risk (R) is the product of threat (T) and vulnerability (V), sometimes expressed as T × V = R. Properly described, risk is the combination of the impact and likelihood of an event which affects the mission, functions, image or reputation of an organization.
Overall risk to the organization/entity is the sum of all of the risks described in its Risk Catalog, which represents the portfolio of relevant risks. Following this process can help your organization to build appropriate controls and avoid an outcome similar to Maginot's. The overall process for a comprehensive risk assessment may be summarized in the following steps:
- Develop a Threat Catalog describing the universe of applicable risks;
- Determine the Relevance and Impact of each Threat to produce the Threat Value;
- Examine the Vulnerabilities and Pre-Disposing Conditions to determine the value for Vulnerability;
- Determine the Inherent Risk as the product of Threat and Vulnerability;
- Apply the Risk Treatment process applicable to the organization to the Risk Catalog to determine which risks will be Mitigated in the Controls Environment;
- Based on independent testing, determine the Design and Operating Effectiveness of the Controls Environment;
- Subtract the Controls Value from the Inherent Risk to determine the Residual Risk; and
- Compare the Residual Risk both in aggregate and for each individual risk to the Risk Tolerance of the organization
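The steps above, worked through as an added example that is not from the article or from Coalfire: a small Risk Catalog is scored as Threat (relevance × impact) times Vulnerability, controls credit is given only to risks routed to the Controls Environment, and Residual Risk is compared to tolerance per risk and in aggregate. The 1-5 scales, the 0-1 effectiveness scores and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One Risk Catalog entry. Scales are assumptions: 1-5 for relevance,
    impact and vulnerability; 0.0-1.0 for control effectiveness."""
    name: str
    relevance: int          # how applicable the threat is to this organization
    impact: int             # consequence to mission, function, image or reputation
    vulnerability: int      # weaknesses and pre-disposing conditions
    treatment: str = "mitigate"   # mitigate | accept | transfer | avoid
    design_eff: float = 0.0       # design effectiveness from independent testing
    operating_eff: float = 0.0    # operating effectiveness from independent testing

    @property
    def threat(self) -> int:            # Threat Value = relevance x impact
        return self.relevance * self.impact

    @property
    def inherent(self) -> int:          # Inherent Risk: T x V = R
        return self.threat * self.vulnerability

    @property
    def controls_value(self) -> float:
        # Only risks treated by mitigation earn credit, and a control that is
        # well designed but not operating earns nothing (product of the two).
        if self.treatment != "mitigate":
            return 0.0
        return self.inherent * self.design_eff * self.operating_eff

    @property
    def residual(self) -> float:        # Residual Risk = Inherent - Controls Value
        return self.inherent - self.controls_value


def assess(catalog, per_risk_tolerance, aggregate_tolerance):
    """Return (aggregate residual, names over per-risk tolerance, aggregate within tolerance)."""
    over = [r.name for r in catalog if r.residual > per_risk_tolerance]
    total = sum(r.residual for r in catalog)
    return total, over, total <= aggregate_tolerance


# Constructed sample catalog (not real assessment data).
CATALOG = [
    Risk("Ransomware via phishing", 5, 5, 4, "mitigate", 0.9, 0.8),  # residual 28.0
    Risk("Insider data theft", 3, 4, 3, "mitigate", 0.7, 0.5),       # residual 23.4
    Risk("Data center flood", 2, 5, 2, "transfer"),                  # insured: no control credit
    Risk("Legacy app outage", 4, 3, 5, "accept"),                    # accepted: residual 60
]

if __name__ == "__main__":
    total, over, ok = assess(CATALOG, per_risk_tolerance=30, aggregate_tolerance=120)
    for r in CATALOG:
        print(f"{r.name:28s} inherent={r.inherent:4d} residual={r.residual:6.1f}")
    print(f"aggregate={total:.1f} over_tolerance={over} within_aggregate={ok}")
```

An accepted risk keeps its full inherent value in the catalog, so one large accepted risk can push the aggregate over tolerance even when every mitigated risk is individually within bounds.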
This disciplined approach will provide insight into allocation of resources and the alignment of controls with the risks to the core business of the organization.
John Rostern is managing director, Northeast, for Coalfire Systems.