Why dig into risk analysis? In our last post, we covered establishing your ISMS scope and data classification scheme. Next, we will go over risk assessments and how to identify the areas that can be addressed and improved through the ISMS.
Preparing for a risk assessment
Before sitting down with your team to perform an assessment, you should have two documents: a risk analysis and treatment process, and a list of information assets.
A formal risk analysis and treatment process is the way you approach scoring risks. There are many ways to do this; a common method is to rate the likelihood that a threat occurs and the impact on the organization if it does, and combine the two into a single score. Applying the same process to every risk gives you a consistent analysis and lets you sort the register so the highest-scoring risks are treated first, working your way down. Some treatments for high-risk assets may even address several risks at once. You should also record the controls already in place against each risk, so that you score the risk as it actually stands today (the residual risk) rather than as if nothing protected the asset. If you score before and after existing controls, you also get a record of what each control is buying you.
The second document, your list of information assets, is what you evaluate for risks. Two approaches to the assessment are common: an asset-based approach, in which each asset is considered in turn for the risks that could affect it; and a scenario-based approach, in which specific threat scenarios are considered and their impact on the affected assets is worked out. Your assessment may use one or both approaches; the asset list is the starting point either way.
Evaluating and treating risks
During your assessment, you will consider risks to your information assets and apply the risk analysis process to each of them. After scoring and sorting all the risks consistently within the process, you move on to treating them to reduce their likelihood, their impact, or both. Risk treatment has four basic approaches:
Avoiding the Risk: Avoiding a risk means not undertaking the activity that gives rise to it, so that the risk cannot occur at all. This is commonly chosen where the risk involves harm to personnel, massive legal liability, or danger to the continued existence of the organization. Choosing to avoid risk entirely provides a high level of safety, but may hamper the growth of the organization if an extremely conservative approach to risk is taken overall.
Modifying the Risk: Risk modification is generally the most common approach to the risks that come with doing normal business. Modification consists of putting controls in place that reduce the likelihood of the risk occurring, lessen its impact if it does, or both. The goal of modification is to bring the residual risk score down to a level the organization is willing to accept, and the treatment is not finished until the control has been implemented and its effect re-scored.
Sharing the Risk: Risk sharing transfers part of the consequences of a risk to a third party. It is almost always accomplished either by purchasing an insurance policy against the specific risk or by contractual language that places the risk within the purview of the vendor or other third party you are doing business with. This approach is commonly applied where the impact to the business is very high but the probability of occurrence is relatively low, although still plausible: for example, purchasing insurance to protect physical assets in the event of a natural disaster or a fire. Note that sharing covers the financial or operational consequences, not the accountability: if customer data is lost by a vendor, the organization that collected it still owns the breach, so a shared risk should still appear in the register with the residual that remains after the transfer.
Accepting the Risk: Accepting a risk means choosing not to treat it and dealing with the consequences if it does occur. This should only be used where the probability of occurrence is so low, and remediation would be so expensive, that any attempt to treat the risk is a waste of resources, or where the impact of the risk is very low. Acceptance is a decision, not an oversight: it should be documented, signed off by the risk owner, and revisited at each assessment cycle, since a risk that was acceptable last year may not be after the business or the threat landscape changes.
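As a worked illustration of the scoring and treatment process described above, here is a small risk register scorer. It is an added example for this post, not part of the original, and everything in it is an assumption for illustration: the 1..5 ordinal scales for likelihood and impact, the likelihood-times-impact scoring, the way existing controls are modelled as reducing the inherent likelihood or impact by a number of scale steps, the acceptance threshold (ACCEPT_THRESHOLD), the quadrant rules in recommend_treatment that map the post's four treatment criteria onto scores, and the sample register itself, which is constructed for the example. Your own process will use its own scales and appetite.

```python
from dataclasses import dataclass, field

# Assumed ordinal scale for both likelihood and impact: 1 = lowest, 5 = highest.
SCALE = range(1, 6)

# Assumed risk appetite: a residual score at or below this is accepted as-is.
ACCEPT_THRESHOLD = 4


@dataclass
class Control:
    """An existing protection, modelled as knocking scale steps off likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: int                 # inherent likelihood, before existing controls
    impact: int                     # inherent impact, before existing controls
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Enforce the uniform scale so every risk is scored the same way.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be in {list(SCALE)}")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> tuple[int, int]:
        """Likelihood and impact after the controls already in place, floored at 1."""
        l = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        i = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return l, i

    def residual_score(self) -> int:
        l, i = self.residual()
        return l * i


def recommend_treatment(risk: Risk) -> str:
    """Map the residual risk onto the four treatment options (assumed rules, for illustration)."""
    l, i = risk.residual()
    score = l * i
    if score <= ACCEPT_THRESHOLD:
        return "accept"            # low residual: treating it would cost more than it saves
    if i >= 5 and l >= 4:
        return "avoid"             # catastrophic and likely: do not undertake the activity
    if i >= 5 and l <= 2:
        return "share"             # very high impact, low but plausible likelihood: insure / contract
    return "modify"                # the normal case: add controls until the residual is acceptable


def rank_register(risks: list[Risk]) -> list[Risk]:
    """Highest residual score first; ties broken by inherent score so exposed assets sort up."""
    return sorted(risks, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)


def treatment_plan(risks: list[Risk]) -> list[tuple[str, int, int, str]]:
    """(asset, inherent score, residual score, recommended treatment), in treatment order."""
    return [(r.asset, r.inherent_score(), r.residual_score(), recommend_treatment(r))
            for r in rank_register(risks)]


# Constructed sample register; the assets, scenarios and ratings are made up for this example.
REGISTER = [
    Risk("customer database", "ransomware encrypts the production database", 4, 5,
         controls=[Control("offline backups", impact_reduction=2),
                   Control("endpoint detection and response", likelihood_reduction=1)]),
    Risk("office building", "fire destroys on-site equipment", 2, 5),
    Risk("public website", "defacement through an outdated CMS plugin", 3, 2,
         controls=[Control("monthly patching", likelihood_reduction=1)]),
    Risk("build pipeline", "unsigned third-party package pulled into a production build", 4, 4),
    Risk("new product line", "hosting customer PII in a jurisdiction with no legal basis for transfer", 5, 5),
]

if __name__ == "__main__":
    for asset, inherent, residual, treatment in treatment_plan(REGISTER):
        print(f"{asset:18} inherent={inherent:2} residual={residual:2} -> {treatment}")
```

Running it prints the register sorted for treatment, with the inherent score next to the residual so you can see what the existing controls are already doing: the ransomware scenario drops from 20 to 9 because of the backups and EDR, while the unsigned-package scenario sits at 16 with nothing in front of it and is the first thing to modify after the avoidance decision. Note that "share" still leaves a residual of 10 on the fire scenario; the insurance changes who pays, not the score, which is why it stays in the register.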
Risk Analysis is important!
In our next post, we will consider potential policies written to address risks involving non-IT systems.