Risk assessment deals with the threats and vulnerabilities of an organization, and how the loss of information or equipment would impact it. This process identifies and prioritizes weaknesses that could be exploited. Its main purpose is to inform management of the risks the organization faces, which of those need to be addressed, and the associated cost in both dollars and reputation.
How Do You Conduct a Risk Assessment?
A good place to start a discussion about risk assessments is with the National Institute of Standards and Technology. NIST is a non-regulatory federal agency within the US Department of Commerce that develops standards and guidelines for the Federal Government. It has published a set of guidelines called NIST Special Publication 800-30, titled "Guide for Conducting Risk Assessments." Although it is focused on Federal information systems, these are guidelines that can be used in all organizations.
According to NIST, there are four steps involved in conducting a risk assessment:
- Prepare for the Assessment
- Conduct the Assessment
- Communicate Results
- Maintain the Assessment
Step 1: Prepare for the Assessment
During this phase the purpose and scope of the assessment are decided upon. It is here that you determine who is involved, what threats or vulnerabilities are to be addressed, and what sources of information are to be used. This allows you to develop scenarios that will help evaluate how you will deal with those risks if they occur. All equipment fails at some point, for instance a hard drive in a critical server. You should create a plan for how you are going to manage that risk and the best way to respond to that event.
This is also a good time to provide a reality check on what risks to focus on. This will help determine where you should use your resources as well as what risks are most likely to occur. For example, while the threat of a hacker injecting code into your SQL database is likely, the risk of a hurricane destroying your building in Montana is pretty low. So it seems reasonable to put more effort into preventing your database from being hacked.
Step 2: Conduct the Assessment
Now you need to perform an assessment of the risks your organization faces from a security standpoint. Some simple ways to start that process are:
- Speak with the directors or department heads and ask them what information they feel needs additional security, and what they think are current vulnerabilities.
- Review your network infrastructure, then research known vulnerabilities and determine what countermeasures you can take.
- Perform a physical assessment of your building(s) and evaluate what risks need to be mitigated (e.g., sprinklers in the server room).
One of the most important tasks in the risk assessment is to prioritize. Not all risks and vulnerabilities should be weighed equally because not all events have the same likelihood of occurrence. Also, there are some risks that your organization can accept, while others would be catastrophic. One of the keys to this is identifying both assets and threats. You must first determine what it is that you need to protect and then identify what could possibly happen to those assets.
Then those risks need to be analyzed in terms of cost or severity. You can assess the risk as either quantitative (cost-based and objective) or qualitative (opinion-based and subjective). Either approach is valid and should be determined by organizational culture and the best way to communicate with management. Remember, a risk assessment provides an organization with a picture of its current situation and allows decision-makers to determine how best to respond to various scenarios.
Quantitative assessments focus on dollar amounts and use formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO). This is effective for the cost-benefit analysis of various responses to risk. It is also easy to do for physical assets, such as a lost laptop. You figure how much a laptop costs, multiply that by how many laptops you expect to lose over the course of a year, and you get a dollar figure for the year. Based on that figure, you can determine the best ways to mitigate that particular issue.
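The SLE/ALE/ARO arithmetic above, carried through as an added example (not from the article or from NIST SP 800-30). It uses the standard definitions SLE = asset value x exposure factor and ALE = SLE x ARO, ranks risks by ALE, and nets a control's annual cost against the loss it avoids; every dollar figure, rate and the `aro_reduction` of a control is a constructed assumption for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float     # replacement cost of the asset, in dollars
    exposure_factor: float # fraction of the asset's value lost per incident (0.0 to 1.0)
    aro: float             # annualized rate of occurrence: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: dollar loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: SLE scaled by how often it happens in a year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # what the control costs per year
    aro_reduction: float # fraction by which it cuts ARO (assumed, not measured)


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same risk with its ARO reduced by the control."""
    return replace(risk, aro=risk.aro * (1.0 - control.aro_reduction))


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit: ALE avoided minus the control's cost (negative = not worth it)."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Prioritize: highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


if __name__ == "__main__":
    # Constructed figures for the article's three scenarios.
    risks = [
        Risk("lost laptop", 1500.0, 1.0, 10.0),            # 10 laptops lost outright per year
        Risk("server drive failure", 4000.0, 0.5, 0.5),    # one failure every two years
        Risk("hurricane (Montana office)", 2_000_000.0, 1.0, 0.001),
    ]
    for r in rank_by_ale(risks):
        print(f"{r.name:28} SLE ${r.sle():>12,.2f}  ALE ${r.ale():>10,.2f}")
    tracking = Control("asset tracking and locks", 2000.0, 0.4)
    print(f"net value of '{tracking.name}': ${control_value(risks[0], tracking):,.2f}")
```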
On the other hand, a qualitative assessment is best used for things that do not quite have a dollar value. Consider the loss of a file server with unreliable backups. One of the files lost was the organizational history. Perhaps this file contained all of the different variations of the company's mission statement as it changed over the years. Even though this may be a heartfelt loss, it does not have to do with the business of the organization, and thus you do not need to put a dollar figure to the loss.
Step 3: Communicate Results
This is where the assessment results are shared. It is important that decision-makers have all of the risk-related information they need in order to make the best decisions for the organization. Communicating and sharing the results can be accomplished in a variety of ways, such as executive briefings, risk assessment reports, or even an internal web dashboard. These can be as formal or informal as the organizational culture dictates, but they must provide a prioritized list of risks and guidance on the response strategy.
Step 4: Maintain the Assessment
Now that you have done all of that hard work and presented the fruits of your labor, you must keep the information current. There should be a process to monitor the risk factors identified in the risk assessment on an ongoing basis. Things change all the time in a network, and the assessment needs to be updated to reflect those changes. By performing risk monitoring you can determine the effectiveness of the proposed risk responses, identify changes to the system that will affect exposure to risk, and verify compliance with security policies.
Risk assessment is the process of evaluating and cataloging threats, vulnerabilities, and weaknesses that exist in the network systems used by an organization. Once known, the process of implementing and maintaining a secure network through policies, standards, and guidelines can begin. But that is a topic for another day.