
A Primer on Risk Management for Information Security


By: foxpro

January 6, 2017

Cyber security is the most talked about topic these days. There is a security breach every second on this planet. Security firms state that 99% of computer users are vulnerable to exploit kits (software vulnerabilities). You only have to read the everyday headlines to realize how data breaches, spoofed emails, and ransomware are impacting individuals, corporations, and governments. While organizations rely on information technology to conduct business, they need to start building frameworks to stay safe and prepared for the eventual threat scenario, because there is no such thing as 100% secure anymore.

Here is a primer on risk management to incorporate in your organization and daily routine to stay safe and secure.

1. Build a security mindset

First and foremost, build a security mindset throughout your organization.

Understand that social engineering is the most common security risk. Per Wikipedia - Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information.

To mitigate this security risk, every person associated with the company (employees, contractors, consultants) needs to pay attention to security and understand the implications.

Always use caution when sharing sensitive information. Following a "need-to-know" policy is the best way to keep sensitive information confined to the people who need it to accomplish the job.

Keep the desk clear of any sensitive information. I have observed on so many occasions employees carelessly leaving sensitive information lying on their desk, free for prying eyes to consume, at banks, government, and private organizations.

Don't entertain calls for passwords and sensitive information without due verification. The easiest security breach is to call an employee and ask for their password while masquerading as the IT helpdesk.

Be cautious downloading email attachments from known and unknown contacts. Pay careful attention to the type of file being downloaded and the purpose of the file before launching it. Unwanted and dangerous programs can easily be hidden in images, videos, and JavaScript on web pages.

The security mindset is the lynchpin that keeps the rest of the security processes together.

2. Conduct a risk assessment

Let me reiterate: there is no such thing as "100% secure" anymore. It is first and foremost important to understand what you want to protect.

Ensure you have management buy-in before starting a risk assessment. Not much can be achieved if your company's management is not concerned about security and willing to take the right actions to implement security practices.

Once you have the management buy-in, conduct an assessment of company assets, both physical and virtual, including employees, and understand the areas that need the most attention and have the highest impact on the business of the company. This first step of the process is known as risk framing.

You will need to define the boundaries for this risk assessment effort. A successful risk assessment is bound by its scope and has a definite purpose. The question to ask while defining the purpose is: what does management need to know to make the right decisions? A good way to start is by picking specific areas for risk assessment - physical assets, organizational processes, company mission and vision, employees, etc.

A risk is just the probability of a threat scenario happening at some level of seriousness. The probability of a fire is very low for a normal business, but the impact is high. Similarly, the probability of a power outage is higher than that of a fire, but the seriousness of the impact is lower.

A simple way to begin is by creating a list of relevant items based on threat scenarios, then understanding the impact and the probability of each event happening.

3. Prioritize the risks

Now that you have a list of risks, the next step is to prioritize them by impact and cost. There are going to be tradeoffs, and you will need to make tough decisions on which risks to accept and which to mitigate.

The measure of impact can be a qualitative or quantitative figure of value. The important thing is to have a clear understanding of the measures and their application for each threat scenario.

The probability or likelihood of occurrence of a threat can be measured by historical evidence, empirical data, and other sources of information. The cost is the sum of all operational, risk mitigation or control, and administrative costs associated with the risk. The cost, usually a monetary value, is derived using various methods suggested by risk management methodologies.

The basic principle in deciding whether to accept or mitigate a risk is to keep the cost of managing the risk lower than the value of the asset. If the cost is higher than the value of the asset, you may want to accept the risk without any mitigation, or plan only to monitor the risk and revisit mitigation at a later assessment.

4. Implement processes to manage the risks

Once the assessment results are out and the risks are prioritized, it is time to implement processes and controls to manage the shortlisted risks.

This stage can be a bit overwhelming at first, because each process and control will need to go through analysis, design, implementation, and monitoring stages to be effective at controlling the risks.

The system development lifecycle will guide you through this process and help reduce the time to implement the required security processes and controls.

5. Verify the implemented processes

All processes and controls implemented should have clearly defined qualitative measures, quantitative measures, or both.

A weekly, monthly, or quarterly report of the measures, compared against a baseline, will enable management to assess the effectiveness of each process and control and provide guidance on improvements.

6. Conduct regular audits and keep improving the processes

While measures provide a way to assess the effectiveness of processes and controls, there is also a need to verify that adequate coverage of, and adherence to, the processes and controls are established after the organizational risk assessment.

Audits can be conducted internally or by hiring external consultants. A mix of internal and external audits at a regular cadence is best, and enables the organization to continue to identify gaps and fix them as early as possible.

There are many risk assessment methodologies and guidance available per domain area and size of organization. The idea here is not to get bogged down in endless analysis of different methodologies, but to pick the best available guidance and get started.

An established regular cadence of risk assessment will help your organization stay prepared for threat scenarios and help build trust with customers.

To learn more about conducting a risk assessment, refer to the NIST 800-30 revision 1 publication.
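As an added example (not code from the article or its author), here is the prioritization and accept-or-mitigate logic of steps 2 and 3 as a small risk register in Python. Scenarios are ranked by annual expected loss (probability times impact, a quantitative convention assumed here), and the article's rule, mitigate only while the cost of managing the risk stays below the asset value, chooses the action. Every scenario and figure in the register is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    scenario: str
    probability: float   # estimated annual likelihood, 0..1 (historical/empirical data)
    impact: float        # monetary loss if the scenario occurs
    asset_value: float   # value of the asset the scenario threatens
    control_cost: float  # annual cost of managing the risk (operational + control + admin)

    def expected_loss(self) -> float:
        # Probability x impact: the quantitative measure assumed here for ranking.
        return self.probability * self.impact


def decide(risk: Risk) -> str:
    # Article's rule: mitigate only while the cost of managing the risk is lower
    # than the value of the asset; otherwise accept it and monitor for reassessment.
    if risk.control_cost < risk.asset_value:
        return "mitigate"
    return "accept/monitor"


def prioritize(register):
    # Highest expected loss first; ties broken by the cheaper control.
    return sorted(register, key=lambda r: (-r.expected_loss(), r.control_cost))


def build_plan(register):
    # One row per scenario: (name, rounded expected loss per year, decision).
    return [(r.scenario, round(r.expected_loss()), decide(r)) for r in prioritize(register)]


# Constructed sample register; the fire/power-outage pair mirrors the article's
# low-probability/high-impact versus higher-probability/lower-impact contrast.
REGISTER = [
    Risk("fire in server room", 0.01, 500_000, 600_000, 20_000),
    Risk("power outage", 0.30, 10_000, 600_000, 8_000),
    Risk("helpdesk impersonation call", 0.50, 40_000, 150_000, 5_000),
    Risk("legacy kiosk compromise", 0.20, 3_000, 2_000, 4_000),  # control costs more than the asset
]

if __name__ == "__main__":
    for scenario, loss, action in build_plan(REGISTER):
        print(f"{scenario:<30} expected loss/yr {loss:>8,}  -> {action}")
```

The kiosk row shows the second half of the rule: its control costs more than the asset is worth, so it is accepted and left for monitoring at the next assessment rather than mitigated.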