Enterprise Risk Management (ERM) is fundamental for any organisation. Before any organisation can protect their assets, they must identify them and their potential risks and vulnerabilities.
There are a number of frameworks which can be used in risk identification and assessment; one such framework is NIST's (National Institute of Standards and Technology) Special Publication 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems”.
NIST SP 800-37 (NIST, 2010) outlines 6 necessary steps to be carried out in its Risk Management Framework (RMF). A brief synopsis of these steps follows:
• Categorize the asset based on an impact analysis
• Select a baseline set of security controls based on the security categorisation and risk
• Implement the security controls
• Assess the security controls
• Authorize operation based on the risks
• Monitor the security controls
The US Department of Commerce also released another special publication, NIST SP 800-39 “Managing Information Security Risk”, which provides guidance for an integrated, organisation-wide program for managing information risk.
Before we look at the risk assessment process in detail, it is imperative that we understand some common terms:
Asset: People, property and information
Vulnerability: a weakness or gap in security; a vulnerability is the susceptibility of an asset to being exploited.
Threat: something that can exploit a vulnerability
Risk: The potential for loss, damage or destruction of an asset (as a result of a threat exploiting a vulnerability)
Risk appetite: Risk appetite can be defined as ‘the amount and type of risk which an organisation is prepared to take in order to carry out its functions and business objectives’.
Due Care: Due care is the care a “reasonable person” would exercise under given circumstances.
Due Diligence: Due Diligence is when something is done to avoid harm to other persons or their property. Due diligence leads to due care!
Do we have to perform a risk assessment?
Specific sectors (healthcare etc.) require mandatory risk assessments, and although these mandates require systems to be secure and require that this be proven to independent auditors, they do not instruct organisations how to assess or secure their assets.
Together with new privacy legislation, the General Data Protection Regulation (GDPR), coming into effect along with mandatory breach reporting, fines and other penalties, this begs the question whether any organisation is free from having to do a risk assessment: if one is not carried out, could an owner or director claim that they were diligent and exercised due care?
What is the function of a risk assessment?
Risk assessments are performed to allow organisations to identify and assess their security posture with the overall goal of identifying any areas of concern and to remediate these areas.
This is an ongoing process: with each assessment, depending on the organisation's risk appetite, risks are identified and either mitigated to some degree or accepted altogether.
A comprehensive risk assessment also helps an organisation to determine values for assets and data throughout the organisation. Values must be identified in order for management to accurately assess the risks accordingly.
Enterprise Risk Assessment Approach
A problem with security in most organisations, where data and information systems are involved, is that it is seen as the responsibility of the IT or network staff because of their knowledge of particular systems and processes; as a result, risk assessments have also been carried out by these same departments with little or no input from other employees or departments.
How can a proper risk assessment be carried out unless the whole landscape is assessed? This is where enterprise risk assessments come in: organisations must perform risk assessments which include all stakeholders and ensure that all aspects are assessed. This includes business processes, hardware and software implementations, and employee knowledge and awareness training.
Risk Assessment Methodology
A risk assessment methodology seeks to analyse the relationships between assets, their vulnerabilities and the threats to them.
There are several different methodologies, but they can generally all be classified into two distinct categories: quantitative and qualitative analysis.
A quantitative analysis seeks to identify an actual numerical figure, whereas a qualitative analysis produces results which are descriptive in nature.
Qualitative risk assessments are generally carried out when (ISC2, 2015):
- The risk assessors available for the organization have limited expertise in quantitative risk assessment; that is, assessors typically do not require as much experience in risk assessment when conducting a qualitative assessment.
- The time frame to complete the risk assessment is short.
- Implementation is typically easier.
- The organization does not have a significant amount of data readily available that can assist with the risk assessment, and as a result, descriptions, estimates, and ordinal scales (such as high, medium, and low) must be used to express risk.
- The assessors and team available for the organization are long-term employees and have significant experience with the business and critical systems.
In general, fully quantitative risk assessments may not be possible; therefore it is not uncommon for a risk assessment to be conducted using both qualitative and quantitative methods.
Whichever method is used, threats are identified and mitigation methods are identified; these methods may or may not be implemented depending on a cost-benefit analysis and the risk appetite of the organisation.
Several risk mitigation methods are available as follows:
Risk Acceptance: do nothing; it is possibly cheaper to leave the asset unprotected than to protect it.
Mitigate the Risk: lower it to an acceptable level. This does not mean there will be no residual risk, just that the risk has been decreased to an acceptable level.
Transfer the Risk: insure against the chance of the risk arising.
Risk Avoidance: avoid the risk altogether and possibly the project as the risk is too great.
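As an added worked example (not code from the original article, nor from NIST or (ISC)2), the following Python module puts numbers to the quantitative/qualitative distinction and to the cost-benefit decision between the four treatments above. SLE = AV × EF and ALE = SLE × ARO are the standard quantitative formulas taught in the CISSP CBK; the high/medium/low matrix stands in for the ordinal scales a qualitative assessment uses; and recommend_treatment() applies an assumed decision rule that maps the resulting figures and the organisation's risk appetite onto accept, mitigate, transfer or avoid. The Control class, the decision thresholds and every asset value, exposure factor and annual rate of occurrence in demo() are constructed for illustration.

```python
"""Quantitative vs qualitative risk scoring and a cost-benefit treatment decision.

Added example (not from the original article). SLE = AV x EF and ALE = SLE x ARO
are the standard quantitative formulas from the CISSP CBK; the decision rule in
recommend_treatment() and every figure in demo() are constructed assumptions
chosen to illustrate the four treatment options (accept, mitigate, transfer, avoid)."""

from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: monetary loss from one occurrence. The exposure factor is the
    fraction (0..1) of the asset's value lost when the threat materialises."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE: expected loss per year = SLE x ARO.
    ARO may be fractional, e.g. 0.1 means roughly once every ten years."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


# Qualitative analysis: ordinal scales (high/medium/low) instead of money.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine two ordinal estimates into one descriptive rating.
    The 3x3 mapping is an assumed convention; organisations define their own."""
    score = LEVELS[likelihood.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class Control:
    """A candidate mitigation and its expected effect (hypothetical model)."""
    name: str
    annual_cost: float
    residual_exposure_factor: float  # EF once the control is in place
    residual_aro: float              # ARO once the control is in place


def recommend_treatment(asset_value, exposure_factor, aro, control,
                        risk_appetite_ale, insurance_premium=None) -> dict:
    """Assumed decision rule: accept when the current ALE is already within
    appetite; mitigate when the control pays for itself and brings the residual
    ALE within appetite; transfer when insuring is cheaper than the expected
    loss; otherwise avoid (the risk, and possibly the project)."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualised_loss_expectancy(sle, aro)
    residual_ale = annualised_loss_expectancy(
        single_loss_expectancy(asset_value, control.residual_exposure_factor),
        control.residual_aro)
    net_saving = ale - residual_ale - control.annual_cost  # yearly value of the control
    result = {"ale": ale, "residual_ale": residual_ale, "net_saving": net_saving}
    if ale <= risk_appetite_ale:
        result["treatment"] = "accept"
    elif net_saving > 0 and residual_ale <= risk_appetite_ale:
        result["treatment"] = "mitigate"
    elif insurance_premium is not None and insurance_premium < ale:
        result["treatment"] = "transfer"
    else:
        result["treatment"] = "avoid"
    return result


def demo() -> dict:
    """Constructed scenario: a customer database valued at 500,000, a breach
    losing 40% of that value about once every four years, and an appetite of
    10,000 expected loss per year. Two hypothetical controls are compared."""
    encrypt_and_backup = Control("encryption + tested backups", 15_000, 0.1, 0.1)
    gold_plated = Control("full re-platforming", 60_000, 0.1, 0.1)
    return {
        "mitigate": recommend_treatment(500_000, 0.4, 0.25, encrypt_and_backup, 10_000),
        "transfer": recommend_treatment(500_000, 0.4, 0.25, gold_plated, 10_000,
                                        insurance_premium=30_000),
        "avoid": recommend_treatment(500_000, 0.4, 0.25, gold_plated, 10_000),
        "accept": recommend_treatment(20_000, 0.5, 0.5, encrypt_and_backup, 10_000),
        "qualitative": qualitative_rating("medium", "high"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Running the module prints one line per scenario; the same asset and threat ends up mitigated, transferred or avoided depending only on what the control costs and whether insurance is on offer, which is the cost-benefit point the text makes. The qualitative rating deliberately returns a word rather than a figure, so it cannot be compared against a monetary risk appetite without the organisation first agreeing what "high" means in its context.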
ISC2. (2015). Official (ISC)2 Training Guide CISSP CBK (4th ed.). ISC2.
NIST, U.S. Department of Commerce. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems (SP 800-37 Rev. 1). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf