Risk is a factor of probability (likelihood) and impact (loss)—specifically, the probability that a particular incident will occur and the impact to the business when that happens. Incidents include, but are not limited to, theft or loss of equipment, unauthorized data access, denial of service, and unauthorized data manipulation. A brief overview of the risk management process follows:
Step 1: Identify and categorize assets.
The first step is identification of assets, physical and logical. This includes hardware, software, data, virtual hosts, and any other information resources. The owners and custodians should be identified during the inventory process, and information systems and data should be categorized based on their level of sensitivity and criticality. This step may also involve determination of appropriate controls based on regulation and security policy.
Step 2: Identify threats and vulnerabilities.
A threat is anything that has the potential to negatively impact information systems and consequently the business processes supported by them. Threats may be human, environmental (or natural), or electronic in nature. Human threats range from criminal hackers to employees sharing login credentials. Environmental threats include fire, water, power failure, and weather events. Electronic threats include malware, software defects, and automated attacks.
For every identified threat, there will be associated vulnerabilities. Some vulnerabilities, such as defects in software, may be easily identified. Others may be specific to a particular industry or organization, or even to a particular host or data set.
Step 3: Assess risk.
Perform a risk assessment by evaluating the likelihood that a threat will turn into an actual security event and determining the impact should that occur. One way to estimate probability is by determining if the appropriate security controls are applied. For example, the likelihood of malware is significantly lessened if all hosts have antimalware software installed, the software is updated frequently, and scans are performed regularly. Impact, such as loss of reputation, funds, sales, employee productivity, or equipment, should be determined by management.
Both probability and impact are then assigned values of low, medium, or high, and a risk rating is obtained by plugging those values into a risk matrix.
Step 4: Address risk.
Risks are typically addressed in order of priority, and an organization may choose to accept the risk and do nothing, avoid the risk by discontinuing the risky behavior, mitigate the risk by applying security controls, or transfer the risk such as through insurance or outsourcing. These decisions will be based on business needs and the organization’s risk appetite, which is the amount of risk an organization is willing to accept.
Although it is possible to transfer some risk through outsourcing, it may not be possible to transfer risk completely, and it is not possible to transfer legal liability. For example, an organization may choose to transfer the risk of theft of computing equipment by contracting with a third-party data center. If equipment is then stolen from the data center, the organization successfully avoided that risk. If, on the other hand, the theft of equipment led to a data breach that was in violation of the organization’s contract or legal regulations, the organization retains that liability.
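The risk matrix from Step 3 and the priority ordering from Step 4, worked through as an added example that is not part of the original article: a small risk register rated with a low/medium/high matrix and sorted for treatment. The matrix layout, the sample assets and threats, and the assumption that an effective control lowers likelihood by one level are all constructed for illustration.

```python
# Added example (not from the original article): a minimal risk register that
# applies a low/medium/high risk matrix (Step 3) and orders risks for
# treatment (Step 4). The matrix values below are an assumed layout.
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Risk matrix: (likelihood, impact) -> rating. Assumed layout: the rating rises
# with either factor; high impact with at least medium likelihood rates high.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str

    def rating(self) -> str:
        """Look up the matrix; reject values outside the three agreed levels."""
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError("likelihood and impact must be low, medium or high")
        return RISK_MATRIX[(self.likelihood, self.impact)]

def prioritize(register):
    """Order a register so the highest ratings (then highest impact) come first."""
    return sorted(register, key=lambda r: (-LEVELS.index(r.rating()), -LEVELS.index(r.impact)))

def mitigate(risk):
    """Re-rate after a control is applied. Assumption: an effective control
    lowers likelihood by one level; impact is set by management and unchanged."""
    idx = LEVELS.index(risk.likelihood)
    return Risk(risk.asset, risk.threat, LEVELS[max(idx - 1, 0)], risk.impact)

# Constructed sample register (hypothetical assets and threats).
REGISTER = [
    Risk("workstations", "malware", "high", "medium"),
    Risk("laptops", "theft of equipment", "medium", "high"),
    Risk("payroll database", "unauthorized data access", "low", "high"),
    Risk("file server", "power failure", "medium", "low"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.rating():6} {r.asset}: {r.threat} -> after control: {mitigate(r).rating()}")
```

Re-running the register after controls are applied gives the comparison that Step 5 monitoring is meant to confirm: whether the applied control actually lowered the rating.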
Step 5: Monitor risk.
Monitoring is performed to ensure that mitigation (or other risk management decisions) is effective. Organizations subject to legislation or industry regulation are generally required to engage in some type of risk management activities. Even those that do not have requirements can greatly benefit from it.
More information on risk management can be found by reviewing recognized risk management standards such as the following:
- ISO/IEC 31000 Risk Management Standard
- NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems
- COSO Enterprise Risk Management Integrated Framework
Published on Fri 21 November 2003 by Mal Torrance in Security with tag(s): risk management