A Primer on Risk Management for Information Security

January 6, 2017 | Views: 3973


Cyber security is the most talked about topic these days. There is a security breach every second on this planet. Security firms state that 99% of computer users are vulnerable to exploit kits (tools that target software vulnerabilities). You only have to read the everyday headlines to realize how data breaches, spoofed emails, and ransomware are impacting individuals, corporations, and governments. Organizations rely on information technology to conduct business, so they need to start building frameworks to stay safe and prepared for the eventual threat scenario, because there is no such thing as 100% secure anymore.

Here is a primer on risk management to incorporate in your organization and daily routine to stay safe and secure.

1. Build a security mindset

First and foremost build a security mindset throughout your organization.

Understand that social engineering is the most common security risk. Per Wikipedia: Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. To mitigate this security risk, every person associated with the company (employees, contractors, consultants) needs to pay attention to security and understand the implications.

Always use caution when sharing sensitive information. Following a “need-to-know” policy is the best way to keep sensitive information confined to the relevant people to accomplish the job.

Keep the desk clear of any sensitive information. I have observed on so many occasions, at banks, government, and private organizations, employees carelessly leaving sensitive information lying on their desks, free for prying eyes to consume.

Don’t entertain calls for passwords and sensitive information without due verification. The easiest security breach is to call an employee and ask for their password while masquerading as the IT helpdesk.

Be cautious downloading email attachments from known and unknown contacts. Pay careful attention to the type of file being downloaded and the purpose of the file before launching it. Unwanted and dangerous programs can easily be hidden in images, videos, and JavaScript on web pages.

The security mindset is the lynchpin that keeps the rest of the security processes together.

2. Conduct risk assessment

Let me reiterate, there is no such thing as “100% secure” anymore. It is first and foremost important to understand what you want to protect.

Ensure you have management buy-in before starting a risk assessment. Not much can be achieved if your company management is not concerned about security and not willing to take the right actions to implement security practices.

Once you have the management buy-in, conduct an assessment of company assets, both physical and virtual, including employees, and understand the areas that need the most attention and have the highest impact on the business of the company. This first step of the process is known as risk framing.

You will need to define the boundaries for this risk assessment effort. A successful risk assessment is bound by its scope and has a definite purpose. The question to ask while defining the purpose is: what does management need to know to make the right decisions? A good way to start is by picking specific areas for risk assessment: physical assets, organizational processes, company mission and vision, employees, etc.

A risk is simply the probability of a threat scenario happening at some level of seriousness. The probability of a fire is very low for a normal business, but the impact is high. Similarly, the probability of a power outage is higher than that of a fire, but the impact is less severe.

A simple way to begin is by creating a list of relevant threat scenarios and, for each one, estimating the impact and the probability of the event happening.

3. Prioritize the risks

Now that you have a list of risks, the next step is to prioritize them by impact and cost. There are going to be tradeoffs, and you will need to make tough decisions on which risks to accept and which to mitigate.

The measure of impact can be a qualitative or quantitative figure of value. The important thing is to have a clear understanding of the measures and their application for each threat scenario.

The probability or likelihood of occurrence of a threat can be measured from historical evidence, empirical data, and other sources of information. The cost is the sum of all operational, risk mitigation (control), and administrative costs associated with the risk. The cost, usually a monetary value, is derived using the various methods suggested by risk management methodologies.

The basic principle in deciding whether to accept or mitigate a risk is to keep the cost of managing the risk lower than the value of the asset. If the cost is higher than the value of the asset, you may want to accept the risk without any mitigation, or plan only to monitor the risk and revisit mitigation at a later assessment.
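The following script is an added example, not part of the original article or of any NIST publication: it takes a small risk register, ranks each threat scenario by its expected yearly loss (probability times impact, as described above), and applies the accept-or-mitigate rule from this section, flagging accepted risks for monitoring at the next assessment. It also includes a simple qualitative score for scenarios where only low/medium/high ratings are available. All asset values, probabilities, impacts, and control costs in the register are constructed figures chosen to mirror the fire and power outage examples above; they are not real data.

```python
from dataclasses import dataclass

# Ordinal levels for the qualitative variant of the impact and likelihood measures.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str
    asset_value: float         # value of the asset at stake (currency units, constructed)
    annual_probability: float  # expected occurrences per year (0.05 = roughly once in 20 years)
    impact: float              # loss per occurrence; capped at the asset value when computing ALE
    control_cost: float        # yearly cost of managing the risk: operational + control + administrative


def annualized_loss(s: ThreatScenario) -> float:
    """Expected yearly loss from a scenario: probability x impact (quantitative measure)."""
    return s.annual_probability * min(s.impact, s.asset_value)


def qualitative_score(likelihood: str, impact: str) -> int:
    """Qualitative measure: product of ordinal likelihood and impact levels (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]


def decide(s: ThreatScenario) -> str:
    """The article's rule: mitigate only if managing the risk costs less than the asset is worth;
    otherwise accept the risk and keep it under monitoring for the next assessment."""
    if s.control_cost < s.asset_value:
        return "mitigate"
    return "accept and monitor"


def assess(register: list[ThreatScenario]) -> list[tuple[str, float, str]]:
    """Rank scenarios by annualized loss (highest first) and attach the decision for each."""
    ranked = sorted(register, key=annualized_loss, reverse=True)
    return [(s.name, annualized_loss(s), decide(s)) for s in ranked]


# Constructed risk register (hypothetical figures, not measured data).
REGISTER = [
    ThreatScenario("data center fire", "data center", 2_000_000, 0.02, 1_500_000, 40_000),
    ThreatScenario("power outage", "data center", 2_000_000, 2.0, 20_000, 60_000),
    ThreatScenario("phishing credential theft", "customer database", 500_000, 0.5, 300_000, 25_000),
    ThreatScenario("legacy test server compromise", "test server", 3_000, 0.1, 3_000, 8_000),
]


if __name__ == "__main__":
    print(f"{'scenario':32} {'ALE':>12}  decision")
    for name, ale, decision in assess(REGISTER):
        print(f"{name:32} {ale:12,.0f}  {decision}")
    print("qualitative score, low likelihood / high impact:", qualitative_score("low", "high"))
```

The fire scenario illustrates the point made above: a rare event still ranks above the test server because its impact dominates, while the frequent but cheap power outage ranks above the fire on expected loss alone. The test server is the case where the control costs more than the asset is worth, so the rule accepts the risk and leaves it for monitoring rather than spending on mitigation.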

4. Implement processes to manage the risks

Once the assessment results are out and the risks are prioritized, it is time to implement processes and controls to manage the shortlisted risks.

This stage can be a bit overwhelming at first, because each process and control will need to go through analysis, design, implementation, and monitoring stages to be effective at controlling the risks.

The system development lifecycle will guide you through this process and help reduce the time to implement required security processes and controls.

5. Verify the implemented processes

All processes and controls implemented should have clearly defined qualitative, quantitative or both measures.

A weekly, monthly or quarterly report of the measures and comparison against a baseline will enable the management to assess the effectiveness of each process and control and provide guidance on improvements.

6. Conduct regular audits and keep improving the processes

While measures provide a way to assess the effectiveness of processes and controls, there is also a need to verify that the processes and controls have adequate coverage and are actually being followed once the organizational risk assessment is done.

Audits can be conducted internally or by hiring external consultants. A mix of internal and external audits at regular cadence is best and enables the organization to continue to identify gaps and fix them as early as possible.

There are many risk assessment methodologies and guidance documents available, depending on the domain and the size of the organization. The idea here is not to get bogged down in endless analysis of different methodologies, but to pick the best available guidance and get started.

An established regular cadence of risk assessment will help your organization stay prepared for threat scenarios and help build trust with customers.

To learn more about conducting a risk assessment, refer to the NIST SP 800-30 Revision 1 publication.

6 Comments
  1. Good article; very true that nothing is 100% secure. In any organization of size it is NOT a matter of “if,” but “when.”

  2. Thank you very much for explaining a complex subject of risk management in simple terms.

  3. I like your article. It is very informative and really makes you think about how we are all vulnerable in the cyber world.

  4. I’m starting to study for my CISSP. I like the emphasis you make on “building the security mindset” and that nothing is 100% secure. Thanks
