Risk appraisal and acceptance process

Today I’ve been trying to participate in a meeting where everyone except me is sitting in a building in Orlando. Unfortunately, for various reasons I wasn’t able to travel over this week so it’s a case of straining to join in the discussion in the right place over the telephone and make the right contribution when I can’t see the body language of the people I’m talking to.

On the positive side it means I can relax and sip decent tea during proceedings instead of being sat in an air-conditioned tank with a flask of that dark tepid liquid the Americans call coffee.

The subject of risk acceptance was one of the items under discussion, in particular the authority to sign off on product-related risk. Here’s my view: it’s a business decision every time. The role of Information Security should be to advise and provide consultation on risk and how much of it there is, but it’s the key business stakeholders who must make the decisions. They hold the budget, have intimate knowledge of their own strategy, and know how much risk they are prepared to accept. This is why it’s so essential that security practitioners are able to communicate with the right people outside of their own domain and be regarded within the organisation as experts who provide guidance rather than as a block and hand-brake on important revenue-generating project work.

However, there does need to be somebody at a senior enough level who can say “stop – enough’s enough” and ensure that a pragmatic and sensible approach is being taken by the business, and that risks are not simply being accepted when reasonable, cost-effective mitigating controls could be implemented.

Here’s an example of what I mean. Let’s say we run through a risk assessment and identify that a particular security requirement has not been implemented as per policy. For argument’s sake we’ll say that business unit policy requires URL blocking to be enforced for web sites deemed harmful or offensive, but in this instance no such control has been implemented. So, let’s now complete a risk assessment identifying the scenarios associated with this particular deviation from policy (e.g. a user visits a site containing malware and infects his PC/network, etc.). Assuming we have desktop anti-malware controls in place, we might assess the risk here as low/medium (depending on the type of business, number of employees and so on). We document the scenario and the resulting risks, then identify any mitigating controls (e.g. perhaps some limited blocking can be implemented at the firewall level, or maybe access can be blocked altogether). Armed with the right information, the business stakeholders can now make an informed decision.

That doesn’t mean they will make the right decision. And I do believe that InfoSec should also be able to argue strongly in favour of doing the right thing when the business won’t. But here’s a tip – choose your battles carefully and don’t overstate minor risks. It also means that InfoSec should be familiar with the business strategy and the key business drivers, so that guidance isn’t provided from an ivory tower.

Interesting related blog entry from Bruce Schneier here – Bruce is one of the foremost experts on risk and always makes for interesting reading.