This tip is excerpted from Chapter 3 of The Definitive Guide to Security Inside the Perimeter, written by Rebecca Herold and published by Realtimepublishers.com. Read the entire e-book for free.
Since the introduction of risk analysis and assessment, there have been a wide range of methodologies and technologies developed for an even wider range of purposes. Some of the approaches are qualitative in nature, using metrics based upon information assets, threats, vulnerabilities, and safeguards and controls. Other methods are quantitative in nature, taking into consideration the monetary value of information assets, threat frequencies, threat exposure factors, and safeguard and control costs.
Most quantitative approaches are labor intensive and require the assessment/analysis facilitator to be a subject matter expert to most accurately determine the values of the risks. Unfortunately, a recurring weakness of risk assessments/analyses is that they usually fail to effectively communicate the discovered risks to business leaders, information owners, and decision-makers. Additionally, the accuracy of risk assessments/analyses is often in question, providing little value for business leaders and their decision-making process.
Automated tools can significantly reduce the labor and, to an extent, the inaccuracy of the monetary guesses associated with each risk. However, many businesses, frustrated with the cost and/or hard-to-use tools, have created their own in-house risk assessment/analysis methodologies and procedures. This process typically results in unstructured, uncoordinated methods for performing a risk assessment/analysis and usually does not provide adequate consideration of all risks at all levels of the organization.
Reducing information security risks is a necessity in today's business environment. Any type of internal or external threat, risk or vulnerability can quickly impact a well-running organization in many ways, such as losing a competitive advantage, losing customers, missing deadlines or orders, bad publicity, regulatory noncompliance resulting in fines and penalties, or costly civil suit judgments. Performing a risk assessment demonstrates your company is demonstrating due diligence for the decision-making processes throughout your organization.
To perform a risk analysis and assessment that will be useful to your organization, you must first define the risks. There are many professional and industry associations and government agencies that have published risk management and analysis guidance. Groups that have published risk management and analysis guidance include:
- The American Institute of Certified Public Accountants (AICPA)
- The Institute of Internal Auditors (IIA)
- The Information Security Forum (ISF)
- The American Society of Industrial Security (ASIS)
- The Information Systems Audit and Control Association (ISACA)
- The Information Systems Security Association (ISSA)
- The International Information Security Foundation (IISF)
- The International Organization for Standardization (ISO)
- The National Association of Corporate Directors (NACD)
- The Organization for Economic Cooperation and Development OECD
- The United States Department of Homeland Security Critical Infrastructure Assurance Office (CIAO)
- The United States President's Commission on Critical Infrastructure Protection (PCCIP)
MULTI-DIMENSIONAL ENTERPRISE-WIDE SECURITY
Risk assessment and analysis methodologies
The goal of an information security policy
Audit and validation
Divide and conquer
An action plan
ABOUT THE AUTHOR:
Rebecca Herold is currently an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold, LLC. Rebecca has provided information security, privacy and regulatory services to organizations from a wide range of industries. She has over 15 years of information privacy, security and compliance experience. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award.
This was first published in January 2006