Tuesday, September 9, 2008

What is the "Risk"? - II

This is a follow-up to my last post, in which I discussed what constitutes an effective risk assessment framework to be considered for use. Just the other day, one of my colleagues at iViZ (Nibin Varghese), who is also doing some work on threat and risk modeling, came and asked whether I could point out when an organization should carry out a risk assessment. I feel this is absolutely critical, and I thank Nibin for pointing it out. However, before that I believe some fundamental concepts should be cleared up before moving any further on risk assessment. The questions I will try to clarify are based on my interactions with many infosec and non-infosec professionals, as well as with people at the top management level who have partial or little knowledge of what "risk" is actually all about.

Is there a difference between risk analysis and risk assessment?

After years of fighting with this question, I realised that YES, there is a difference. Risk analysis is the first step in the development life cycle, when management is required to make an informed business decision on whether to move forward with a new project or capital investment. Risk assessment is the computation of risk. A risk is a threat that exploits some vulnerability and could thereby cause harm to an asset. The risk algorithm computes the risk as a function of the assets, threats, and vulnerabilities. For example, one instance of a risk within a system can be represented by the formula (Asset * Threat * Vulnerability).

Why do risk management projects fail?

Most risk management projects fail because the internal experts and subject matter experts are not included in the process. No one knows your systems, applications, or business better than the people who develop and run them. Establishing a team of internal experts ensures that the risk management process includes those individuals with in-depth knowledge of the true workings of the business processes, as well as those who have a bent towards assessment and management frameworks. People who have no exposure to a risk management framework and have never been trained in one cannot make the initiative successful.

And finally, when should an organization do "risk assessment"?

Many of our organizations don't know what the threats and risks are of operating in a changing business environment. As such, risk analysis should be conducted whenever money or resources are to be spent. (Remember: risk analysis is the first step in the development life cycle, taken to make an informed decision.) Once the decision to proceed with a project is reached (risk analysis), management must ensure that threats to the project are identified, that the threats are examined to determine the organization's risk from each threat, and that the controls or safeguards available to lessen the risk level to an acceptable range are known. That is when "risk assessment" should be done. As risk management professionals, it is important to understand that there are no such items as "security requirements" or "audit requirements." There are only business objectives or mission requirements. A proper risk management process will identify the compensating controls needed to ensure that the business or mission of the enterprise is met.
