Wednesday, September 4, 2013

Risky business

Risk management is essential for every business. It's also a process that many companies struggle with. A misunderstanding of what risk management is, valuation errors, and poor implementation of risk management strategies plague many businesses today. In this post I'm going to explore the steps involved in creating a risk management program.


The Team

I won't go into much detail here, but first a risk management team must be assembled. The team should be made up of people from all departments who have strong domain knowledge, because a person cannot accurately value an asset or a risk they are not thoroughly familiar with. The overall goal of the team is to protect the business from risk cost-effectively.
The team will oversee the initial risk assessment and the risk analysis, and will help create and maintain the policies and guidelines that make up the risk management program.

The Assessment

There are two major goals of the risk assessment. First, the company has to decide how much its assets are worth. Assets in this case include not only tangibles such as buildings and computer hardware, but also intangibles such as information and reputation. Knowing the value of these things will help the company later determine how much should be spent to protect them. Things to consider when valuing assets include:
  • Price to purchase, repair, and maintain
  • Loss of revenue if a system goes down
  • Value of the asset to adversaries
  • Liability if a system is compromised
Second, the assessment aims to compile a comprehensive list of risks associated with each asset that is within the scope of the project. The threats to each asset should be enumerated, and the possible impact if each threat were realized should be recorded.

Risk Analysis

With the results of the assessment in hand, an analysis can now be completed to decide what level of security is appropriate for each asset. There are two major approaches to risk analysis, quantitative and qualitative. One is not necessarily better than the other, as each has its time and place.

Quantitative

Quantitative analysis is number based. It is best applied to assets that can be assigned a clear value and whose risks have measurable losses. Two commonly used equations within this analysis are the single loss expectancy (SLE) and the annual loss expectancy (ALE). SLE is the asset value (AV) multiplied by the exposure factor (EF), the fraction of the asset's value that a single incident destroys. ALE is the SLE multiplied by the annualized rate of occurrence (ARO), the expected number of such incidents per year.

These formulas are a good indicator of what it is appropriate for a company to spend on protecting an asset: the annual cost of a control should not exceed the reduction in ALE it buys. For instance, if the annual loss expectancy for a server is $37,000, it does not make sense to spend $100,000 annually to protect it. One note of caution, however. These formulas are based on predictions of how often damage will occur and how widespread it will be. While these estimates are usually based on historical data, they cannot predict the future.
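The calculation above, worked through for a single server and two candidate controls. This is an added example, not code from the original post; the asset value, exposure factor, incident rate and control costs are constructed figures chosen so that the unprotected ALE matches the $37,000 in the text.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard cost-benefit.

Added example. All dollar figures and rates below are constructed
for illustration, not taken from the original post.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV: purchase/repair cost, lost revenue, liability
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: expected incidents per year


def sle(asset: Asset) -> float:
    """Single loss expectancy: AV x EF."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset.asset_value * asset.exposure_factor


def ale(asset: Asset) -> float:
    """Annual loss expectancy: SLE x ARO."""
    if asset.aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset) * asset.aro


def safeguard_value(before: Asset, after: Asset, annual_cost: float) -> float:
    """Net annual value of a control.

    `after` is the same asset with the EF and/or ARO the control is expected
    to achieve. Positive means the control avoids more loss than it costs;
    negative means it is not justified on these numbers.
    """
    return ale(before) - ale(after) - annual_cost


def evaluate_controls(asset: Asset, controls: list[dict]) -> list[dict]:
    """Score each candidate control and return them best-first.

    Each control is a dict with a name, annual_cost, and the EF/ARO it
    leaves behind (omit a key to leave that factor unchanged).
    """
    results = []
    for c in controls:
        after = replace(
            asset,
            exposure_factor=c.get("ef", asset.exposure_factor),
            aro=c.get("aro", asset.aro),
        )
        net = safeguard_value(asset, after, c["annual_cost"])
        results.append({
            "control": c["name"],
            "ale_before": ale(asset),
            "ale_after": ale(after),
            "annual_cost": c["annual_cost"],
            "net_value": net,
            "justified": net > 0,
        })
    return sorted(results, key=lambda r: r["net_value"], reverse=True)


# Constructed sample: a customer-facing web server.
WEB_SERVER = Asset("web server", asset_value=148_000, exposure_factor=0.25, aro=1.0)

# Constructed candidate controls and the residual EF/ARO each is assumed to leave.
CANDIDATES = [
    {"name": "managed 24x7 SOC", "annual_cost": 100_000, "aro": 0.05},
    {"name": "tested backups and failover", "annual_cost": 12_000, "ef": 0.05},
]

if __name__ == "__main__":
    print(f"SLE = ${sle(WEB_SERVER):,.0f}  ALE = ${ale(WEB_SERVER):,.0f}")
    for r in evaluate_controls(WEB_SERVER, CANDIDATES):
        verdict = "justified" if r["justified"] else "NOT justified"
        print(f"{r['control']:<30} net ${r['net_value']:>10,.0f}  {verdict}")
```

The second control wins even though it barely changes how often incidents happen; it cuts the exposure factor, which works on the SLE rather than the ARO. When two controls both look justified, the comparison is on net value, not on how much of the ALE each removes.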

Qualitative

Qualitative analysis is much more subjective. This technique is best applied when hard and fast numbers are not associated with an asset. One common technique for performing qualitative analysis is to use a risk matrix. In the example below you can see that the threat is listed on the left, with its likelihood of occurrence and impact listed to the right. This example also lists a countermeasure. These matrices may also be distributed among a group of professionals from various departments and their ratings then averaged.
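The matrix described above, built from several reviewers' ratings and averaged. This is an added example rather than the original post's matrix: the five-step likelihood and impact scales, the high/medium/low bands, and the threats, reviewers and countermeasures are all constructed assumptions.

```python
"""Qualitative risk analysis: a likelihood/impact matrix averaged over reviewers.

Added example. The scales, band thresholds, threats and ratings are
constructed assumptions, not content from the original post.
"""
from statistics import mean

# Ordinal scales (assumption: 1..5 steps, as on a typical 5x5 matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(score: float) -> str:
    """Map a likelihood x impact product (1..25) to a band. Thresholds are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def score_threat(assessments: list[tuple[str, str]]) -> dict:
    """Average one threat's (likelihood, impact) words across reviewers.

    Likelihood and impact are averaged separately and then multiplied, so a
    single reviewer cannot dominate the score by inflating both at once.
    Unknown words are rejected rather than silently scored as zero.
    """
    if not assessments:
        raise ValueError("a threat needs at least one assessment")
    try:
        likelihoods = [LIKELIHOOD[l.lower()] for l, _ in assessments]
        impacts = [IMPACT[i.lower()] for _, i in assessments]
    except KeyError as bad:
        raise ValueError(f"unknown rating word: {bad}") from None
    likelihood, impact = mean(likelihoods), mean(impacts)
    score = likelihood * impact
    return {"likelihood": likelihood, "impact": impact, "score": score, "rating": rating(score)}


def build_matrix(threats: dict) -> list[dict]:
    """Score every threat and return rows ordered highest risk first."""
    rows = []
    for name, entry in threats.items():
        row = {"threat": name, "countermeasure": entry["countermeasure"]}
        row.update(score_threat(entry["assessments"]))
        rows.append(row)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample: three reviewers (IT, finance, facilities) rated each threat.
THREATS = {
    "Ransomware on file server": {
        "assessments": [("likely", "major"), ("possible", "severe"), ("likely", "severe")],
        "countermeasure": "offline backups, restore drills, endpoint detection",
    },
    "Insider data theft": {
        "assessments": [("unlikely", "major"), ("possible", "moderate"), ("unlikely", "major")],
        "countermeasure": "least-privilege access, DLP on outbound mail",
    },
    "Flooding of server room": {
        "assessments": [("rare", "major"), ("rare", "major"), ("unlikely", "moderate")],
        "countermeasure": "raised floor, water sensors, off-site replica",
    },
}

if __name__ == "__main__":
    print(f"{'Threat':<28}{'L':>5}{'I':>5}{'Score':>7}  Rating  Countermeasure")
    for r in build_matrix(THREATS):
        print(f"{r['threat']:<28}{r['likelihood']:>5.1f}{r['impact']:>5.1f}"
              f"{r['score']:>7.1f}  {r['rating']:<6}  {r['countermeasure']}")
```

Averaging hides disagreement, so when reviewers are far apart on a threat (here, "possible" versus "likely" for ransomware) it is worth recording the spread and talking it through rather than trusting the mean.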


Once all analysis has been completed, the company can move on to selecting the controls it would like to implement. The major consideration here is balancing cost against benefit. This is straightforward with quantitative data, since a dollar amount is already attached. Qualitative data is harder to weigh, however, and it will be up to the team to decide what is appropriate and justified.

Implementation

The final step is implementing the controls and creating policies, standards, guidelines, and procedures for the controls. The graphic below summarizes the relationship between policies, standards, guidelines, and procedures.

As you move down the chart, the statements and language become more specific. So while a policy may state that company computers are for employee use only, the associated standard may state that a user ID and password are required, and the procedure may detail that a password must consist of at least 8 characters and include one upper case letter.

These policies, standards, guidelines, and procedures are designed to support the controls that have been chosen for securing the assets. Without these, there is no way to ensure that the controls will be properly implemented throughout the organization.

3 comments:

  1. Good content. But posts are a little long. Better if you break these up into multiple posts. For example, each heading above can be a separate post.