Risk assessments can be performed on any application, function, or process within your organisation. But no organisation can realistically perform a risk assessment on everything. That’s why the first step is to develop an operational framework that fits the size, scope, and complexity of your organisation. This involves identifying internal and external systems that are critical to your operations and / or that process, store, or transmit legally protected or sensitive data. Then you can create a risk assessment schedule based on criticality and information sensitivity. The results give you a practical (and cost-effective) plan to protect assets while still maintaining a balance of productivity and operational effectiveness.
Once you determine your framework, you’re ready to embark on your individual risk assessments. When going through the process it’s important to keep in mind that there are different categories of risk that may affect your organisation. Here’s what they are.
- Strategic risk is related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
- Reputational risk is related to negative public opinion.
- Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
- Transactional risk is related to problems with service or product delivery.
- Compliance risk is related to violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or business standards.
Now let’s look at the basic steps of a risk assessment.
#1. Characterise the System (Process, Function, or Application)
Characterising the system will help you determine the viable threats. This should include (among other factors):
- What is it?
- What kind of data does it use?
- Who is the vendor?
- What are the internal and external interfaces that may be present?
- Who uses the system?
- What is the data flow?
- Where does the information go?
#2. Identify Threats
Some basic threats will appear in every risk assessment; depending on the system, additional threats may need to be included. Common threat types include:
- Unauthorised access (malicious or accidental). This could be from a direct hacking attack / compromise, malware infection, or internal threat.
- Misuse of information (or privilege) by an authorised user. This could be the result of an unapproved use of data or changes made without approval.
- Data leakage or unintentional exposure of information. This includes permitting the use of unencrypted USB and / or CD-ROM without restriction; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
- Loss of data. This can be the result of poor replication and back-up processes.
- Disruption of service or productivity.
#3. Determine an Impact Rating
This step is done without considering your control environment. Factoring in how you characterised the system, you determine the impact to your organisation if the threat were exercised. Examples of impact ratings are:
- High – Impact could be substantial.
- Medium – Impact would be damaging, but recoverable, and / or is inconvenient.
- Low – Impact would be minimal or non-existent.
#4. Analyse the Control Environment
You typically need to look at several categories of information to adequately assess your control environment. Ultimately, you want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:
- Organisational Risk Management Controls
- User Provisioning Controls
- Administration Controls
- User Authentication Controls
- Infrastructure Data Protection Controls
- Data Center Physical & Environmental Security Controls
- Continuity of Operations Controls
Control assessment categories may be defined as:
- Satisfactory – Meets control objective criteria, policy, or regulatory requirement.
- Satisfactory with Recommendations – Meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation.
- Needs Improvement – Partially meets control objective criteria, policy, or regulatory requirement.
- Inadequate – Does not meet control objective criteria, policy, or regulatory requirement.
#5. Determine a Likelihood Rating
Now you need to determine the likelihood of the given exploit, taking into account the control environment that your organisation has in place. Examples of likelihood ratings are:
- High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
- Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
- Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
#6. Calculate your Risk Rating
Even though there is a ton of information and work that goes into determining your risk rating, it all comes down to a simple equation:
Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Risk Rating
Some examples of risk ratings are:
- Severe – A significant and urgent threat to the organisation exists and risk reduction remediation should be immediate.
- Elevated – A viable threat to the organisation exists, and risk reduction remediation should be completed in a reasonable period of time.
- Low – Threats are normal and generally acceptable, but may still have some impact to the organisation. Implementing additional security enhancements may provide further defense against potential or currently unforeseen threats.
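As an added example (not part of the original article), here is a small Python worksheet that carries steps 3 to 6 through for a constructed set of threats and orders the findings for remediation. The numeric scores, the control-credit table and the Severe / Elevated / Low thresholds are assumptions, since the article gives only qualitative levels.

```python
from dataclasses import dataclass

# Assumed ordinal scores for the article's qualitative levels (not from the article).
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
# Assumed: how many likelihood levels a control of each assessment category
# (step 4) removes from the uncontrolled likelihood of the threat it covers.
CONTROL_CREDIT = {"Satisfactory": 2, "Satisfactory with Recommendations": 2,
                  "Needs Improvement": 1, "Inadequate": 0}

@dataclass
class Threat:
    name: str
    impact: str            # step 3: impact rating, judged with no controls in place
    raw_likelihood: str    # likelihood if no controls existed
    controls: list         # step 4: assessment categories of the controls covering it

def effective_likelihood(t: Threat) -> int:
    """Step 5: the weakest covering control bounds how far the likelihood drops
    (assumption: credit = min over the controls; no controls means no credit)."""
    credit = min((CONTROL_CREDIT[c] for c in t.controls), default=0)
    return max(1, LIKELIHOOD[t.raw_likelihood] - credit)

def risk_rating(t: Threat) -> str:
    """Step 6: Impact * Likelihood, bucketed into the article's three ratings
    (assumed thresholds: 6-9 Severe, 3-5 Elevated, 1-2 Low)."""
    score = IMPACT[t.impact] * effective_likelihood(t)
    if score >= 6:
        return "Severe"
    if score >= 3:
        return "Elevated"
    return "Low"

def remediation_plan(threats):
    """Order findings so Severe items (immediate remediation) come first."""
    order = {"Severe": 0, "Elevated": 1, "Low": 2}
    rated = [(t.name, risk_rating(t)) for t in threats]
    return sorted(rated, key=lambda r: order[r[1]])

# Constructed sample worksheet for a hypothetical payments application.
SAMPLE_THREATS = [
    Threat("Unauthorised access via stolen credentials", "High", "High",
           ["Satisfactory", "Needs Improvement"]),
    Threat("Data leakage over unencrypted removable media", "Medium", "Medium",
           ["Inadequate"]),
    Threat("Loss of data from failed backups", "Medium", "Medium", ["Satisfactory"]),
    Threat("Disruption of service", "Low", "High", []),
]
```

Calling `remediation_plan(SAMPLE_THREATS)` returns the findings with the Severe credential-theft item first, the two Elevated items next and the well-controlled backup threat last.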
Regular risk assessments are a fundamental part of any risk management process because they help you arrive at an acceptable level of risk while drawing attention to any required control measures. The risk assessment process is continual, and should be reviewed regularly to ensure your findings are still relevant.