Risk management is something every person and every business does every day. Most risk management is informal, and often attributed to “common sense”, but when it comes to your business, a formal Information Security Risk Management program is necessary, especially when one considers the cyber security threats that exist today.
There are fundamentally three things you can do with any risk:
- Mitigate: Take the actions necessary to eliminate the risk or reduce its likelihood of occurring. This is generally the best option, but it is not always practical, which is why it is not always the chosen path. Spending $100 to eliminate a risk that could cost you $1 in losses is not good math. But a single $100 investment that could save you from thousands of $1 losses makes much more sense! And how would you know which case you are in if you do not evaluate the factors?
- Accept: An evaluation of the potential loss along with the probability of the threat occurring may lead you to determine that a particular risk is acceptable.
- Transfer: Purchasing insurance is a classic method of transferring risk. In business, there are other methods such as engaging a managed IT services provider to run your IT department. They then own the responsibility to apply security patches to servers and mitigate risks from known vulnerabilities, for example.
What is a Risk Management Program?
At its core, an Information Security Risk Management Program is a process for performing risk analysis of the information resources that store, process or transmit an organization’s data. The goal of such a program is to ensure the organization is operating at an acceptable level of risk with regard to the confidentiality, integrity, and availability of its Information Resources, and especially of sensitive data such as Personally Identifiable Information (PII) and Protected Health Information (PHI), or any other information protected by federal, state or local laws and regulations such as HIPAA and HITECH, or by industry standards such as PCI-DSS.
Two key parts of a Risk Management program are often overlooked. First, when performing the initial risk analysis, retain documentation of the evaluation and the decision it produced. Second, perform periodic reviews. A risk that is acceptable today may warrant mitigation at some point in the future, but if you never revisit the decision, you will miss that change.
There are a number of frameworks and templates available that include specialized focus for different industry segments and regulatory concerns. For example, if you handle credit card payments, you will need to consider PCI-DSS requirements while you evaluate your risk posture. Although these frameworks may organize the topics differently, they also provide more detail on how to perform each step. At a fundamental level, however, best practice for performing Information Security Risk Management includes working through these steps:
- Identify Assets
- Value Assets
- Identify Threats
- Identify Vulnerabilities
- Identify Existing Controls
- Determine Likelihood of the Event Happening
- Determine Impact
- Determine Initial Risk Rating
- Determine the Risk Management Strategy
- Review Previous Risk Assessments Periodically
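As an added illustration (not code from the article), here is a small Python risk register that walks the steps above and also reproduces the $100-versus-$1 arithmetic from the Mitigate option: it credits existing controls, rates each risk as an annualized loss expectancy (likelihood x impact), picks accept, mitigate or transfer by comparing each option's yearly cost against the expected loss, and flags entries that are due for periodic review. All assets, dollar figures and assessment dates are constructed, and the "cheapest option" rule is one simple decision policy assumed here, not a standard formula.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Risk:
    asset: str                          # Identify Assets
    asset_value: float                  # Value Assets (dollars, constructed)
    threat: str                         # Identify Threats
    vulnerability: str                  # Identify Vulnerabilities
    annual_likelihood: float            # Determine Likelihood: expected events per year, pre-control
    impact_fraction: float              # Determine Impact: share of asset value lost per event
    control_effectiveness: float = 0.0  # Identify Existing Controls: share of events already stopped
    mitigation_cost: Optional[float] = None  # yearly cost of the mitigation option, if one exists
    mitigation_reduction: float = 0.0        # share of remaining events the mitigation removes
    transfer_cost: Optional[float] = None    # yearly premium or provider fee to transfer, if offered
    assessed_on: date = date(2024, 1, 15)    # when this decision was documented (constructed)

    def initial_rating(self) -> float:
        """Determine Initial Risk Rating: annualized loss expectancy after existing controls."""
        residual_events = self.annual_likelihood * (1 - self.control_effectiveness)
        return residual_events * self.asset_value * self.impact_fraction

    def strategy(self, tolerance: float) -> str:
        """Determine the Risk Management Strategy: accept within tolerance, else cheapest option."""
        rating = self.initial_rating()
        if rating <= tolerance:
            return "accept"
        options = {"accept": rating}  # expected yearly loss if nothing changes
        if self.mitigation_cost is not None:
            options["mitigate"] = rating * (1 - self.mitigation_reduction) + self.mitigation_cost
        if self.transfer_cost is not None:
            options["transfer"] = self.transfer_cost  # transferred loss assumed fully covered
        return min(options, key=options.get)

    def review_due(self, today: date, interval_days: int = 365) -> bool:
        """Review Previous Risk Assessments Periodically: flag decisions older than the interval."""
        return today >= self.assessed_on + timedelta(days=interval_days)

# Constructed register entries mirroring the article's $100-versus-$1 arithmetic.
REGISTER = [
    Risk("petty-cash log", 1.0, "data entry error", "no input validation", 1.0, 1.0,
         mitigation_cost=100.0, mitigation_reduction=1.0),   # one $1 loss a year: accept
    Risk("web order form", 1.0, "order fraud", "no order rate limit", 5000.0, 1.0,
         mitigation_cost=100.0, mitigation_reduction=1.0),   # thousands of $1 losses: mitigate
    Risk("file server", 50000.0, "ransomware", "unpatched services", 0.2, 0.5,
         control_effectiveness=0.5, mitigation_cost=4000.0, mitigation_reduction=0.9,
         transfer_cost=1500.0),                              # managed provider owns patching: transfer
]
```

Each entry's rating, chosen strategy and review flag are what you would record in the register, so the next periodic review can compare against the original decision.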
Regardless of the size of your business, you are exposed to risks on a daily basis. Information Security risks require an organized, systematic Risk Management approach to ensure you appropriately identify, quantify, and address threats to your IT infrastructure, and are appropriately safeguarding both your own and your clients’ data. If you are working with a Fully Managed Security Services Provider, they will have the skills and resources to guide you in developing your Risk Management program, but you still have an active and key role in managing your risks.