Risk Assessment and Management

Risk Assessment (and Management) is the process of periodically reviewing sensitive systems, business services and applications to ensure they meet the organization's policies and standards. The Risk Assessment process should also define a review frequency and a risk mitigation strategy. Risk Assessments should cover a broad range of reviews of the internal organization and of third-party business services, including Information Security, Financial and Business Continuity risk, to name a few. The goal is to reduce and mitigate risk to the organization.

The Information Security Risk Assessment process should start with a Data Classification policy and process (e.g. classifying data as Confidential, Secret, etc.), which is used to determine the value of information assets. A Data Classification scheme helps determine the level of controls required to protect those assets.

There should also be a methodology to determine the Likelihood (i.e. the probability that an event occurs) based on a number of factors, including the volume of data shared, the frequency of data transfers, internet access to systems, etc. Organizations will also assess the Impact of a business service on the company (e.g. financial exposure, brand damage, etc.) based on the Data Classification. The higher the Data Classification of the information, the bigger the impact to the organization in the event of a data breach. Using a risk matrix, the inherent risk is determined by measuring Likelihood AND Impact: higher Likelihood combined with higher Impact corresponds to higher risk. Risk can then be reduced by implementing compensating controls that address vulnerabilities; the risk that remains after those controls is known as "residual risk".

Finally, Risk Assessments should be performed periodically on assets, services and processes to ensure the confidentiality, integrity and availability of information, using a defined framework or methodology (e.g. ISO 27001, COBIT, etc.). A framework helps ensure security controls are broad and effective enough to meet security best practices, organizational policies and regulatory requirements. Higher-risk business services should require more frequent assessments than lower-risk services, so that vulnerabilities and risks are mitigated in a more timely manner.
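As an added example (not from the original page), the Likelihood-and-Impact matrix described above carried through to residual risk and review cadence in Python; the classification-to-impact scale, the rating bands and the review intervals are assumptions made for illustration.

```python
# Added example (not from the original page): a small risk-matrix model in which
# Likelihood comes from exposure factors, Impact from Data Classification, inherent
# risk = Likelihood x Impact, compensating controls leave a residual risk, and the
# residual rating sets the review cadence. All scales and bands are assumptions.
from dataclasses import dataclass, field

IMPACT_BY_CLASSIFICATION = {"Public": 1, "Internal": 2, "Confidential": 4, "Secret": 5}
RATING_BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]  # score <= bound
REVIEW_MONTHS = {"Low": 24, "Medium": 12, "High": 6, "Critical": 3}  # assumed cadence

@dataclass
class Service:
    name: str
    classification: str
    data_volume: int          # 1-5: volume of data shared
    transfer_frequency: int   # 1-5: how often data is transferred
    internet_facing: bool     # reachable from the internet
    # each control: (name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

def likelihood(svc: Service) -> int:
    """Average the 1-5 exposure factors, add a point for internet exposure, clamp to 1-5."""
    score = (svc.data_volume + svc.transfer_frequency) / 2 + (1 if svc.internet_facing else 0)
    return max(1, min(5, int(score + 0.5)))  # round half up

def impact(svc: Service) -> int:
    """Higher classification means a bigger impact if the data is breached."""
    return IMPACT_BY_CLASSIFICATION[svc.classification]

def rating(score: int) -> str:
    return next(label for bound, label in RATING_BANDS if score <= bound)

def assess(svc: Service) -> dict:
    lik, imp = likelihood(svc), impact(svc)
    inherent = lik * imp
    # Compensating controls lower likelihood and/or impact; what remains is residual risk.
    residual_lik = max(1, lik - sum(c[1] for c in svc.controls))
    residual_imp = max(1, imp - sum(c[2] for c in svc.controls))
    residual = residual_lik * residual_imp
    return {"service": svc.name, "inherent": inherent, "inherent_rating": rating(inherent),
            "residual": residual, "residual_rating": rating(residual),
            "review_every_months": REVIEW_MONTHS[rating(residual)]}

if __name__ == "__main__":
    # Constructed sample: an internet-facing service handling Confidential data.
    payments = Service("Payments API", "Confidential", 4, 5, True,
                       [("MFA on admin console", 1, 0), ("Field-level encryption", 0, 2)])
    print(assess(payments))  # inherent 20 Critical -> residual 8 Medium, review every 12 months
```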

Topic Category: Information Security Program
News Articles
UK infrastructure failing to meet the most basic cybersecurity
NSA failed to implement security measures, says damning report (nakedsecurity.sophos.com, 6/21/2017)
Survey: 75 percent of companies have significant risk exposure (www.scmagazine.com, 6/11/2015)
Cyber Security Ranked Third in Lloyd's of London Risk Index (www.tripwire.com, 8/22/2013)
PwC report highlights some of the biggest global market risks for 2013 (www.zdnet.com, 4/4/2013)
Akamai's chief security officer talks psychology behind risk management (www.zdnet.com, 3/1/2013)
Big Data success depends on better risk management practices like FAIR, say conference panelists (www.zdnet.com, 2/15/2013)
HP execs debate reality of hacker expertise; lament most businesses don't understand (www.zdnet.com, 2/2/2013)
Free Risk Indexing Tool Offers Start For Assessments (www.darkreading.com, 11/16/2012)
Financial trading security should take a 'nuclear' approach (www.infosecurity-magazine.com, 11/12/2012)
3 Ways To Get Executives To Listen About Risk (www.darkreading.com, 11/2/2012)
How Does Mobility Change IT Risk Management? (www.darkreading.com, 10/26/2012)
Revised Guidance on Payment Processor Relationships (www.fdic.gov, 1/31/2012)
White Papers
Computer trading and systemic risk: a nuclear
Governance of Enterprise Security: CyLab 2012 Report (www.rsa.com, 5/16/2012)
Information Risk Management Policy
NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments (NIST, 9/18/2012)
NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST, 6/5/2014)
Managing Information Security Risk: Organization, Mission, and Information System View (NIST, 3/1/2011)