Risk assessment (RA) is an information-gathering exercise that enables informed decision-making about information security. From a business perspective, the return on investment (ROI) from information security is an important concern, and risk assessment helps ascribe an ROI value to security spending: a quantitative risk assessment expresses risk in monetary terms, so the cost of a control can be weighed against the loss it is expected to prevent.
IT risk assessment is mandated, explicitly or implicitly, by most compliance standards and regulations, including PCI DSS, HIPAA, SOX and the IT Act in India. Most of them start with a risk assessment, making it the fundamental stepping stone to attaining compliance. Even PCI DSS, which hitherto had no such stipulation, has made risk assessment mandatory with version 2.0.
Risk assessment is also important from a legal angle. As no organization can be 100% secure, risk assessment plays an important role in establishing due diligence: under US law, an organization must be able to demonstrate that a risk assessment was conducted and that the risks so identified were mitigated. In India, under the IT Rules 2011 and section 43A of the ITAA 2008, organizations are required to have reasonable security practices in place.
Best practices for a risk assessment exercise
There are a number of factors to consider while conducting risk assessment. These are:
1) Start with risk assessment: IT risk assessment must be carried out right at the beginning of any information security exercise, be it for the enterprise, for application security or for any other unit within the scope of the exercise. Defining controls before conducting a risk assessment is not recommended, because controls chosen without knowing the risks cannot be guaranteed to cover them. When performed first, an information security risk assessment allows risk to be managed comprehensively and controls to be defined based on what is most important and where they count most.
2) Keep the scope in perspective: The objective and scope of the risk assessment should be very clear and its intent should be genuine. For instance, a risk assessment conducted for PCI compliance will differ in its workflow from one conducted against ISO 27005, because the assets, scope and associated risks change. A risk assessment cannot be reused across standards without adjusting for this change.
A risk assessment done for cosmetic purposes is wasted effort. Take, for instance, cases where templates are merely downloaded and applied, with no thought to organizational requirements or asset definition, simply to pass an audit under ISO 27001 or PCI DSS.
3) Use a structured methodology: Using a structured information security risk assessment methodology is recommended. Organizations may develop their own methodologies, taking bits from multiple standards. While mixing and matching is possible, it comes with a very steep learning curve.
Adopting parts at random from various risk assessment standards undermines the effectiveness of those parts and their applicability in a given context. Such a homegrown method may mature over months or years, but may never give results comparable to an established standard.
4) Benchmark and compare RA: Risk assessments should be benchmarked against formal, structured methodologies such as ISO 27005, OCTAVE or NIST SP 800-30. If a standard methodology is not being used, organizations should benchmark against them to obtain baseline results for the maturing homegrown framework. Successive risk assessments should be comparable, so that each one gives a clear indication of whether overall risk has increased or decreased since the last.
5) Enlist the experts: Getting subject-matter experts to conduct the risk assessment is important in order to get the most out of the exercise. Conceptual knowledge may not be enough when facing real-world practical problems during risk assessment. A collaborative approach between external and internal expertise leverages the strengths of both. Unfortunately, many organizations merely pay a consultant to come in and perform the risk assessment, with no inputs from the asset owners.
6) Be brisk about it: Risk assessment should be completed quickly, lest it be rendered meaningless by the time it is done. For instance, if an MNC with 125 offices globally decides to conduct a risk assessment, then unless there is a facilitated enterprise-wide push, the exercise is sure to languish at the proverbial snail's pace, delivering no value whatsoever.
A risk assessment cannot be equated with an audit, and even for the largest entity an IT risk assessment should not last longer than six months. Automation should be leveraged for mundane tasks such as reporting, to keep the assessment efficient.
About the author: Dharshan Shanthamurthy is a director at SISA Information Security and a risk assessment evangelist at SMART-RA.COM. Trained at the Software Engineering Institute, Carnegie Mellon University, Dharshan holds a host of security certifications. He has presented at over 122 workshops and conferences in over 19 countries. He can be reached at firstname.lastname@example.org.
(As told to Varun Haran)
Please send your feedback and/or comments to vharan at techtarget dot com. You can also subscribe to our twitter feed at @SearchSecIN