Author - Abhishek Kushwaha
In the last few years, industry compliance requirements and regulations have grown more stringent and have been streamlined, or are in the process of being streamlined, to keep pace with new technological advancements. Organizations, whether in the public or the private sector, have come to rely heavily on Information Technology and Information Systems for their daily activities. A typical Information System in an organization can range from a simple personnel system to a complex industrial system such as SCADA. Depending on this complexity, the risk associated with a particular system varies from low impact to high impact. Therefore, as technologies evolve, standards and regulations have to undergo iterations to remain relevant in the digital age.
One component that has long been part of regulations such as PCI DSS, HIPAA, GLBA, FISMA and SOX, and that an increasing number of them emphasize, is the Risk Assessment. In the past few years, hackers around the world have proved that Information Systems are under serious and persistent threat, and organizations have to take strict measures to ensure the safety of their Information Systems. With the increasing penetration of ‘BYOD’ and the arrival of the ‘Internet of Things’, the risk associated with technology continues to increase. Therefore, it becomes the responsibility of leaders and managers at all levels to understand their current standing and exposure and to manage information security risk.
The need for a Risk Assessment approach that is effective, efficient and robust is clear, yet a ‘One Size Fits All’ strategy cannot be applied to Risk Assessments because of the varying nature of the Information Systems employed in organizations. Despite the many Risk Assessment methodologies and frameworks available, organizations still face many challenges in conducting an effective Risk Assessment. On the other hand, these challenges pave the way for opportunities waiting to be explored and for improvements to the process. In the coming sections we will go through the challenges and opportunities presented in Risk Assessment.
- Vulnerability Assessment = Risk Assessment
- Risk Assessment = Audit
- Risk Assessment does not require any specific skill
- Risk Assessment is black or white
- We already know the risk, so why do a risk assessment?
- Risk Assessment has no business value and is required only for compliance purposes, just before the audit
Cost Reduction: Cost makes up a major portion of the criteria employed for selecting a risk assessment methodology. Organizations’ strict financial allocations may make it difficult to choose a superior methodology that requires more resources and time over a sub-par one. Also, since the activity is cyclic in nature (annual or semi-annual), cost considerations are emphasized all the more.
Non-Formal and Unstructured Approach: Most organizations have no formal methodology or structured approach for identifying the risks specific to their environment or technology, which can result in a Risk Assessment that is not comprehensive enough to protect the asset.
Improving Risk Assessment and Modelling: The Risk Assessment methodology needs to be tailored to the organization so that the activities can be carried out smoothly. However, this poses a challenge: the stages involved in Risk Assessment need to be carefully modified for feasibility, and care has to be taken that the final steps identified are the required ones, that no critical steps have been missed, and that the steps are ordered in the correct sequence.
Data Management: The consistency and organization of the data collected during an assessment affect the ability to interpret that data. Therefore, it is necessary to manage the volume and quality of the assessment data using tools and templates.
Developing Risk Metrics: Risk metrics provide a way to calculate the risk from identified threats or vulnerabilities. It is of prime importance that a particular threat or vulnerability is prioritized based on its criticality. A threat or vulnerability, if wrongly prioritized, will result in either over-controlling or under-controlling. Over-controlling results in an excess cost burden, and under-controlling leaves the system more vulnerable to the threat.
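As an added illustration of such a risk metric (example code written for this article, not the author's own method or any standard's formula), the following Python scores each finding as likelihood multiplied by impact on a 1-to-5 ordinal scale, maps the product to a tier, ranks the register with the worst consequence first on ties, rejects ratings that are not on the agreed scale, and reports whether a mis-rated finding would end up over-controlled or under-controlled. The scales, tier floors and sample findings are constructed assumptions.

```python
"""Likelihood x impact risk scoring, prioritization and mis-rating check.

Added example, not the author's method: the 1-5 ordinal scales, the tier
floors and the sample findings are all constructed assumptions.
"""
from dataclasses import dataclass

# Constructed 1-5 ordinal scales (assumption; not taken from any standard named in the article).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Tiers over the 1-25 product, lowest first; floor values are an assumption.
TIER_ORDER = ["low", "medium", "high", "critical"]
TIER_FLOOR = {"low": 1, "medium": 5, "high": 10, "critical": 16}


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT


def score(finding: Finding) -> int:
    """Inherent risk = likelihood x impact on the agreed ordinal scales.

    A rating outside the agreed scale is rejected rather than silently scored,
    because a register that mixes scales cannot be compared across verticals.
    """
    try:
        return LIKELIHOOD[finding.likelihood] * IMPACT[finding.impact]
    except KeyError as missing:
        raise ValueError(f"{finding.asset}: rating {missing} is not on the agreed scale") from None


def tier(risk_score: int) -> str:
    """Map a 1-25 score to the highest tier whose floor it reaches."""
    for name in reversed(TIER_ORDER):
        if risk_score >= TIER_FLOOR[name]:
            return name
    raise ValueError(f"score {risk_score} is below the lowest tier floor")


def prioritize(findings):
    """Rank findings highest risk first as (finding, score, tier) rows.

    Ties on the product are broken by impact, so of two findings with equal
    scores the one with the worse consequence is treated first.
    """
    ranked = [(f, score(f), tier(score(f))) for f in findings]
    ranked.sort(key=lambda row: (row[1], IMPACT[row[0].impact]), reverse=True)
    return ranked


def control_outcome(correct: Finding, rated: Finding) -> str:
    """Compare the tier a finding deserves with the tier it was actually rated at.

    Rating it higher buys controls the risk does not justify (excess cost);
    rating it lower leaves the exposure in place.
    """
    delta = TIER_ORDER.index(tier(score(rated))) - TIER_ORDER.index(tier(score(correct)))
    if delta > 0:
        return "over-controlled"
    if delta < 0:
        return "under-controlled"
    return "consistent"


# Constructed sample register (assumption; not real assets or findings).
SAMPLE_FINDINGS = [
    Finding("payroll database", "injection flaw in legacy web form", "likely", "severe"),
    Finding("SCADA HMI", "unpatched remote access service", "possible", "severe"),
    Finding("visitor kiosk", "defacement of public display", "likely", "minor"),
    Finding("intranet wiki", "stale accounts of former staff", "possible", "moderate"),
    Finding("lab printer", "default administrative password", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for finding, risk, level in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:>2} {level:<8} {finding.asset}: {finding.threat}")
```

Running the block ranks the sample register as critical, high, medium, medium, low; the two medium items (scores 9 and 8) land in that order because the wiki finding scores higher, not because of its impact. The point of `control_outcome` is the failure mode the paragraph describes: rating the SCADA item as "rare" drops it from high to medium and it is under-controlled, while rating it "almost certain" lifts it to critical and it is over-controlled.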
Improving Reporting: The final report must convey the observations and the actions to be taken in a lucid manner. Lack of clarity frequently leads to failure to follow through on the observations and the actions.
Complex: Some organizations follow complex and tedious methods for Risk Assessment that delay risk identification to the point where the result becomes obsolete and no longer required, and fails to address the risk at the time it is actually needed.
One-time Activity: Organizations may treat the Risk Assessment as a one-time activity or project required for some compliance purpose, whereas it should be an ongoing process that addresses the dynamic threat scenario and the risk introduced by advances in technology or changes in processes.
Consistency in Approaches to Risk Assessment: Consistency must be maintained while conducting a risk assessment, especially where the assessment spans different verticals. Any inconsistency will result in difficulty in interpreting the data collected and, consequently, in the observations reported.
Collaboration on Key Risk Discussions: Different verticals need to come together to discuss key decisions so that the activities involved in Risk Management can proceed smoothly.
Reduce Instances of Negative Surprises: The Risk Assessment process needs to be mature enough to identify risks beforehand, so as to avoid negative surprises to the extent possible. Predictive analysis must be utilized to highlight risks as early as possible.
Integrated Responses to Multiple Risks: Where a Risk Assessment spans multiple verticals, it is prudent to develop integrated responses to risks, which requires the verticals to collaborate on the mitigation activities.
Achieve Security beyond Compliance: Risk Assessment can actually bridge the gap between compliance and security; there are a number of examples where compliance was not good enough to protect organizations from a breach. Compliance standards provide the baseline controls, while any additional and specific risks need to be addressed through a proper Risk Assessment.
Align Investment with Business Objectives: Risk Assessment can help organizations protect the assets that actually matter to the business, and it can give management a top-level view from which to make the appropriate investment at the appropriate time, on a priority basis.
The current situation demands identification of the interdependencies and interconnections between the risks observed. The action plan should be created with such relationships in mind, with clearly defined responsibilities and timelines. An effective tracking mechanism must be developed to track and monitor the implementation. A successful implementation should reduce the organization's risk exposure.
Author: Abhishek Kushwaha, CISA, Security+