Tip

An overview of the risk management process

In this installment of the Risk Management Guide, Shon Harris provides a 10,000-foot view of the risk management

    Requires Free Membership to View

process.

A big question that companies have to deal with is, "What is enough security?" This can be restated as, "What is our acceptable risk level?" These two questions have an inverse relationship. You can't know what constitutes enough security unless you know your necessary baseline risk level.

To set an enterprise-wide acceptable risk level for a company, a few things need to be investigated and understood. A company must understand its federal and state legal requirements, its regulatory requirements, its business drivers and objectives, and it must carry out a risk and threat analysis. (I will dig deeper into formalized risk analysis processes in a later article, but for now we will take a broad approach.) The result of these findings is then used to define the company's acceptable risk level, which is then outlined in security policies, standards, guidelines and procedures.

Although there are different methodologies for enterprise risk management, the core components of any risk analysis is made up of the following:

  1. Identify company assets
  2. Assign a value to each asset
  3. Identify each asset's vulnerabilities and associated threats
  4. Calculate the risk for the identified assets

Once these steps are finished, then the risk analysis team can identify the necessary countermeasures to mitigate the calculated risks, carry out cost/benefit analysis for these countermeasures and report to senior management their findings.

Senior management can then choose one of the following activities pertaining to each of the identified risks:

  • Mitigate the risk by implementing the recommended countermeasure
  • Accept the risk
  • Avoid the risk
  • Transfer the risk by purchasing insurance

Many times senior management will follow the advice of the risk analysis team and allocate the necessary funds to implement the suggested countermeasures. Countermeasures can come in many different forms: firewalls, IDS, training, written policies and procedures, and so on. What is important to understand is that no countermeasure can completely eliminate risk – there is always some risk. This is called residual risk. The question is if this residual risk is still too high or if it is below the organization's acceptable risk level.

The acceptable risk level revolves around the business impact that would be experienced if certain risks became realized. For example, employees in Company ABC are allowed to use instant messaging to communicate to each other and to customers. This is a vulnerability because it opens the door to viruses and other types of malware. The company has to weigh the necessity of this type of communication and how it relates to business needs, and determine if its benefits outweigh the corresponding risks. The company can carry out qualitative or quantitative processes to determine the business value of this type of communication and the cost of a virus infection.

 

If Company ABC is a stock brokerage firm, it may determine that time sensitive communication must be available between the customers and employees to allow the timely selling and purchasing of stocks. So the business impact of not being able to purchase and sell stocks in a restricted timeframe outweighs the business impact of a virus infection. As a software developer, Company EFG does not have a need for dynamic communication. This business risk is unacceptable and the company could choose to disallow any instant messaging traffic through its border devices. So in this example, Company ABC may choose to accept this specific risk and Company EFG may choose to avoid this risk. Risk avoidance means to not permit the actual activity that allows this risk to exist.

Company LMN may choose to implement a countermeasure for this type of situation. The company could choose to implement an internal instant messaging server, which allows their internal employees to use instant messaging. The border firewalls block instant messaging traffic from entering or leaving the network, which reduces the potential of obtaining virus infections through this medium.

I will go into all of the possible insurance policy types pertaining to information security that are available, but for now note that this is a way of transferring the burden of carrying so much risk. Currently this is the least most used way of dealing with information security risk because of its "newness" and cost, but this trend may change over time as companies are currently faced with risks that cannot be tamed with their available countermeasures.


    RISK MANAGEMENT GUIDE

-   Introduction: Understanding risk
-   An overview of the risk management process
-   How to define an acceptable level of risk
-   How to write an information risk management policy
-   How to implement an effective risk management team
-   Information risk management: Defining the scope, methodology and tools
-   How to conduct a risk analysis

 -   How to deal with risk
 

About the author
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Shon is a former engineer in the Air Force's Information Warfare unit, a security consultant and an author. She has authored two best selling CISSP books, including
CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is also the co-author of Gray Hat Hacking: The Ethical Hacker's Handbook.


 

This was first published in January 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.