Sometimes we’ll talk with clients and they feel like they don’t know where to begin in managing information security. A great first step is a Risk Assessment. A risk assessment identifies and rates the risks to your organization, recommends how each should be treated, and then drives remediation of the gaps in your risk controls.
You will be looking at your organization holistically – security infrastructure, technology, people, and processes – to compile a list of organizational risks rated by potential business impact. This enables executive management to better understand the importance of information security remediation steps, because they’ll “get” the business impact. It also enables Operations/IT to select appropriate controls and gain funding from executive management, because everyone is on the same page when it comes to the impact on the business.
When you start thinking in terms of the likelihood of a threat occurring against a particular asset, and the impact to the organization if that asset’s confidentiality, integrity, or availability were compromised, the whole picture makes more sense.
For each asset, you’ll pair each identified vulnerability with an applicable threat; a threat/vulnerability pair is one risk. Each risk gets an impact rating, and the likelihood that the threat/vulnerability pairing could actually occur is determined and rated as well. The resulting list, ranked by likelihood and impact, is your Risk Register.
Next comes the Risk Treatment Plan. For each risk you can choose to Reduce the Risk, Transfer the Risk, Avoid the Risk, or Accept the Risk. Controls can be implemented to reduce the risk, and the sustainability of those controls (who operates them, and what they cost to keep running) should be considered. Finally, you document the risk that would still exist after the proposed controls were implemented – the residual risk – so that management is accepting a known, stated level of risk rather than an unstated one.
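As an added illustration (this is not code from the original post, and the scales, the appetite threshold, and the sample entries are constructed assumptions rather than values any standard prescribes), here is a small Python risk register that does what the two paragraphs above describe: it pairs a threat with a vulnerability per asset, rates likelihood and impact on a 3-point scale, ranks the register, applies a treatment decision, computes the residual risk, and flags entries that a reviewer should push back on (a “reduce” with no control named, or controls that don’t actually lower the score).

```python
"""Semi-quantitative risk register with a treatment plan.

Added example. The 3-point scales, the 1..9 product used for ranking, the
risk-appetite threshold and the sample entries are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Ordinal ratings; the product is only an ordering device, not a probability.
RATING = {"low": 1, "medium": 2, "high": 3}
TREATMENTS = {"reduce", "transfer", "avoid", "accept"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    cia: str                                   # confidentiality | integrity | availability
    likelihood: str                            # chance the threat exploits the vulnerability
    impact: str                                # business impact if it does
    treatment: str = "accept"                  # reduce | transfer | avoid | accept
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None  # expected rating once controls are in place
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    return RATING[likelihood] * RATING[impact]


def inherent_score(r: Risk) -> int:
    """Risk before any treatment is applied."""
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Risk that remains after the treatment plan is carried out."""
    if r.treatment == "avoid":      # asset or activity removed: nothing left to attack
        return 0
    if r.treatment == "accept":     # nothing changes; the business signs off on it as-is
        return inherent_score(r)
    # reduce / transfer: controls are expected to change one or both ratings
    return score(r.residual_likelihood or r.likelihood,
                 r.residual_impact or r.impact)


def validate(r: Risk) -> list[str]:
    """Catch register entries that could not be defended in front of management."""
    problems = []
    if r.treatment not in TREATMENTS:
        problems.append(f"unknown treatment {r.treatment!r}")
    if r.treatment in ("reduce", "transfer") and not r.controls:
        problems.append("treatment relies on a control but none is named")
    if r.treatment in ("reduce", "transfer") and residual_score(r) >= inherent_score(r):
        problems.append("controls listed but residual risk is not lower than inherent")
    return problems


def rank(register: list[Risk]) -> list[Risk]:
    """Highest inherent risk first: the order remediation funding should follow."""
    return sorted(register, key=inherent_score, reverse=True)


def above_appetite(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose residual score still exceeds what the business said it tolerates."""
    return [r for r in register if residual_score(r) > appetite]


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched SQL injection in web app",
         "confidentiality", "high", "high", "reduce",
         ["fix the injection", "WAF in front of the app"], "low", "high"),
    Risk("payroll file share", "insider", "everyone has write access",
         "integrity", "medium", "high", "reduce",
         ["least-privilege ACLs", "change auditing"], "low", "high"),
    Risk("legacy FTP server", "external attacker", "cleartext credentials",
         "confidentiality", "high", "medium", "avoid", ["decommission the server"]),
    Risk("office printer", "vandal", "no physical lock",
         "availability", "low", "low", "accept"),
    # Transfer (e.g. insurance) claimed, but no control recorded: validate() flags it.
    Risk("laptop fleet", "theft", "no full-disk encryption",
         "confidentiality", "medium", "high", "transfer"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_REGISTER):
        print(f"{inherent_score(r)}->{residual_score(r)} {r.asset}: {r.threat} / "
              f"{r.vulnerability} [{r.treatment}] {validate(r)}")
    print("still above appetite:", [r.asset for r in above_appetite(SAMPLE_REGISTER, 3)])
```

The ordering is what lets the “Reduce / Transfer / Avoid / Accept” decision be made per risk instead of per product pitch, and the `validate` check is the part worth keeping: a treatment plan whose residual risk is no lower than the inherent risk is a plan that hasn’t been thought through.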
So it really makes sense to do a Risk Assessment first. Otherwise you may be implementing controls that aren’t actually protecting the most important business assets, or buying solutions that over-control some assets while leaving others under-controlled.
Nancy Sykora
Sr. Account Executive