BreachExchange mailing list archives
7 Steps to Start Your Risk Assessment
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 29 Oct 2018 02:58:18 -0500
https://www.darkreading.com/network-and-perimeter-security/7-steps-to-start-your-risk-assessment/d/d-id/1332975 "Managing risk is one of the most, if not the most important, functions in an organization," says Tony Martin-Vegue, enterprise security management strategist for LendingClub, a peer-to-peer lending company based in San Francisco. "It's really important to have a structured, formalized process for measuring risk, managing risk, and the entire remediation process." If a formal process is the best way to assess and manage risk, then what sort of process should an organization use? "The most commonly used risk model is the mental model of the person waving their wet finger in the air," says Jack Jones, executive vice president of research and development at RiskLens and chairman of the FAIR Institute. "And mental models are notoriously flawed," he says. The reliance on flawed mental models is one of the many reasons Jones says that the IT industry is horrible at properly assessing risk. How does an organization go about finding a better model and using it to figure out what their risk is? There are a number of options, from NIST SP 800-30 to aspreadsheet-based model that can be found from a wide variety of sources with a quick Google search to FAIR — Factor Analysis of Information Risk. Large organizations will have teams dedicated to assessing and re-assessing risk on a regular basis. Small organizations may lack the team, but they will not lack the need to understand what risks IT faces and how those risks are reflected in the rest of the business units. "I don't feel any organization can even begin to think about what it wants to do from an information security perspective without making some proper attempt at being able to understand the risks that matter most to their organization," says Zulfikar Ramzan, CTO of RSA. "I don't want this to be confused with 'expensive' or 'complex' or, you know, beyond the scope of what I think even a small- to medium-sized organization can do," he explains. "What I really mean here is try to be a bit principled trying to look at it and get a more quantitative assessment." Getting started on this quantitative path can be confusing, so Dark Reading researched the major frameworks and spoke with Jones, Martin-Vegue, and Ramzan to get their ideas on best initial steps. We found seven steps that apply to a variety of frameworks — and that are applicable no matter where the process takes your organization. Start With a Common Language "I think [risk assessment] does start with at least beginning with a consistent definition of what risk means," says Ramzan. Agreeing on language is important because there are so many terms that will be used by everyone involved in the process and so many decisions that need to be made on the outcome of the process. Among the most important terms to be agreed on are assets, value, losses, threats, and measurements. And the reason that there should be formal, stated agreement on the language is that many of the terms have meanings that can vary from discipline to discipline, or even person to person based on their background and experience. Once there's agreement on the terms to be used and their meanings, it's time to start assigning values to those terms. Define Assets An asset is anything that brings potential value — or represents potential risk — to the organization. The critical point to be made in figuring out whether something is an asset, is that the value or risk doesn't have to be represented solely in dollar amounts. Assets can be materials and equipment, or they can be customer data, intellectual property, or the organization's reputation. While the categories into which assets can fit is large, it's important to know that, from a risk analysis perspective, not everything is an asset. Why would it matter if there are extra "assets" on the list? Jones describes a problem he frequently sees. "You have a severe signal-to-noise ratio problem," he says. "The risk registers are filled with things that are part of risk landscape but aren't themselves risks." Deciding whether something belongs on this list is going to depend on whether value and risk of loss can be defined — and those come next. Define Value In the FAIR model there are three kinds of value (and their mirror image, loss). The first of these is criticality — the impact the asset has on the organization's productivity. Is something a component in manufacturing? Is it part of the billing process? Is it key to selling the organization's products or services? If so, then its criticality value will be high. The next value is competitive advantage. Does the asset allow the organization to do something its competitors can't do, or do something in a way that's superior to the way the competition does it? Then it has value from a competitive advantage standpoint. The final value/risk is sensitivity, basically a measure of how much the asset's loss will cost the organization. The model breaks this value into four separate risks: - Embarrassment -– Would having this information become public show that the organization had engaged in unethical or unsavory activities? - Competitive advantage –- How significant an impact does this have on the overall competitive advantage of the organization? - Legal/regulatory -– Is this asset regulated by national or industry agencies? Would disclosure or loss of this asset prove a violation of regulations or law? - General -– And this is the catch-all for assets that don't neatly fit into one of the other categories, but are still important to the organization, and a risk if they're lost, exposed, or compromised. Define Losses Just as there are multiple ways of determining value, there are many ways of looking at the loss of an asset. The FAIR method describes six categories of loss in their model: - Productivity –- A loss doesn't have to bring the effective production of goods or services to a halt; all it has to do is reduce the effectiveness. If that happens, a loss has occurred. - Response -– Most organizations won't ignore a loss that occurs regarding one of their assets; they will respond. The cost of that response, whether large or small, is a loss that must be considered. - Replacement -– Speaking of responses, if an asset is lost or damaged it will be replaced. The cost of that replacement is a loss to the organization. - Fines and judgments -– If the loss exposes the organization to legal or regulatory action, the cost of responding in court and of any fines or judgments is part of the overall loss. - Competitive advantage -- When a loss alters the competitive landscape or forces the organization to miss sales opportunities because of the incident or response, then it's a loss to competitive advantage. - Reputation -– And if the incident makes potential customers, clients, or partners think less of the organization and its business suffers for that, then it's a material loss to reputation that must be taken into account. Define Threats Threats can come in many forms and guises, from outside the organization and inside, from malicious acts to accidents, and from human action to force majeure. Regardless of the threat's source, it will have an impact in one of five ways on an asset: - Access -– The threat can read or gain access to the data without proper authorization. - Deny access -– The threat agent can prevent legitimate users from accessing the asset. - Disclose -– The threat can let other people or organizations access the asset. - Misuse -– The threat can use the asset in ways that were never intended or authorized. - Modify -– The threat can change the asset, whether data or configuration. Define Measurements How will you define the impact of a loss? It's easy to say that dollars are all that matter, but individual stake-holders may define the impact differently. "If you think about the concept of a risk owner, that is somebody who owns the risk, somebody who essentially has their neck on the line," says Martin-Vegue. "If something goes south, this is the person that's accountable." Measurement is important because so many of the decisions to be made around risk assessment involve multiple business units and management teams. Martin-Vegue explains, "Let's say you can implement this new product that has a ton of vulnerabilities but it also gets me all of this new revenue - it increases my business. So what should I do?" he asks, continuing, "Should I put the new product in and take the risk with cyber vulnerabilities, or should I not put the product in and take the risk of not getting new customers? Martin-Vegue points out that these are the sorts of decisions that involve multiple stakeholders from multiple business units. Without common definitions of terms, threats, and measurements, making those decisions in a rational way is all but impossible. Define the Audience Why, precisely, is the organization going through the process of risk assessment? Knowing the reasons for the exercise, and therefore the audience for the final assessment, will help guide the language decisions in the report that results. "Risk assessments and risk management always always needs to support a management decision," says Martin-Vegue, adding, "Before you embark on any risk analysis you really need to ask yourself, 'what decisions am I supporting?'" In almost all organizations, those decisions will come down to answering questions about how to spend resources. "When you look at risk and it being multifaceted as it is, it's very easy to overspend in certain areas and underspend and others," says Ramzan. "We have to make sure we think about risk with a holistic and balanced view that enables us to spend money in the correct ways." Spending in correct ways is ultimately a decision for the executive committee, and a rigorous risk assessment leading to a report written in business language will support that decision. Jones says, "How I think about it is this: our problem space is complex and dynamic with a lot at stake, and we have limited resources. Every dollar that goes to us is a dollar that doesn't go to growing the business or other operation imperatives, so it's critically important that we prioritize." _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- 7 Steps to Start Your Risk Assessment Destry Winant (Oct 29)