Risk Assessment: Benefits, Best Practices and Pitfalls

Advantages of security risk assessment we often overlook

While most organizations define the key objective of risk assessment as the identification of the main business risks, an important result of a competent assessment is the training of employees that takes place during the assessment process. Interviews with individual employees or working groups help the experts better understand the business processes in their units, as well as the processes taking place in adjacent units. Employee efficiency increases along with the knowledge they gain.

Risk assessment also makes key employees think in terms of business risks, not only at the level of their own area of responsibility. If they learn how to properly understand information security risks, this understanding will be carried into all their business decisions, which is, of course, advantageous to the company.

Best practices for successful risk assessment

First of all, we should understand that risk assessment cannot be carried out in a silo. It requires the involvement of different groups of experts from across the company to ensure the accuracy of the information obtained. Assessment experts often reach wrong conclusions because they did not communicate with the actual asset owner or the person responsible for a specific area of the business.


Using GRC solutions for Information Security

GRC is a relatively new and little-known concept. So, what is it? Gartner gives the following definition: “GRC is neither a project nor a technology, but a corporate objective for improving governance through more-effective compliance and a better understanding of risk impact on business performance.” In other words, GRC can be broken down into three elements: governance of the organization by senior management (Governance), information security risk assessment (Risk Management) and assessment of compliance with legislation (Compliance). The idea behind GRC is to manage all three processes together.

The GRC concept allows information security professionals to speak the language of business, justifying investment in information security projects in terms of financial and reputational risk, which the business understands and cares about.

It is worth noting that GRC is not a one-box solution, but a set of integrated modules or products plus a documentary base of policies, procedures and regulations, together with competent staff who actually follow that documentation in their work. Each GRC implementation is inherently unique and should be adjusted as closely as possible to the tasks, processes and technology of the particular business. The effectiveness of a GRC system depends on this.

The advantage of implementing a GRC system is that up-to-date information about the current state of the IT infrastructure, and about the information security risks associated with a specific business process, is available at any time, because the system automatically integrates data from the security controls of various types and vendors deployed in the company (security scanners, SIEM solutions, etc.).


12 tips for implementing GRC

Driven largely by compliance requirements of the Sarbanes-Oxley Act of 2002, many organizations are adopting governance, risk and compliance (GRC) tools to help manage their activities in these three areas. GRC suites and toolsets automate the collection, correlation and reporting of information to offer a broader picture of not only how well the company is performing, but also how well it is complying with the law and managing risk.

We asked the members of Wisegate, an invitation-only business social-networking group launched last year and made up of CSOs and CISOs who want to share information privately with each other, for their advice. Several of their veteran security-professional members offered the following tips for getting GRC right.

Dave Notch, CISO, Thomson Reuters

The big tip for me is don’t try to get it perfect, even though you may know what you want. Take an iterative approach. This lets you make progress and learn what your and others’ requirements really are. Which leads me to my second point:

Expect to throw away some of your work. As you learn what the different audiences need, you will have to throw away some of your work. Don’t take it personally — this is just part of the learning process.


Practical Risk Management: Part 1 (Methodologies)

This article opens a series of publications on various aspects of information security management and risk assessment methods.

Before commencing a risk management process at an organization, the manager must decide on the method on which the process will be based. That is why we decided to focus this first article on reviewing the existing procedures and information security risk assessment standards.

Dozens of different techniques and approaches to information security risk assessment have been published. However, some of them are outdated and no longer maintained, while others have not been translated into English from their original languages, which makes them difficult for a general audience to study. Here we present only those techniques that describe a detailed approach, are widely known, continue to develop (or at least remain relevant) and are relatively easy to access. This article does not cover the guidance documents of the Russian regulators (FSTEC/FSB), since their applicability in the context of personal data legislation is questionable until new documents are released in light of recent changes to the regulatory framework.

It should be noted that most of the existing regulatory and industry requirements (PCI DSS, STO BR, 152-FZ, 382-P, ISO 27001, etc.) do not prescribe a particular risk assessment methodology, leaving the choice to the organization's own experts.


Information Security Incident Management Standards and Guidance Documents

Currently, the number of information security incidents around the world is increasing, and they both lead to large financial losses and damage the reputation of organizations. The effective functioning of the information security management system and compliance with international information security standards will reduce the number of information security incidents and increase the security level of the organization as a whole. The main guidance documents on incident management include:

ISO/IEC 27001:2005 Information security management system. Requirements. It is one of the fundamental standards in this field. It provides recommendations for the development, implementation, use and support of the information security management system as a whole, as well as approaches to the management of information security incidents.

ISO/IEC TR 18044:2004 Information security incident management. This document is intended for managers of information security, information systems, services and network units, and establishes recommendations for managing information security incidents, covering the planning, use and review of the process as well as its improvement.

ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management. The standard covers the processes for managing information security events, incidents and vulnerabilities. It expands on the information security incident management section of ISO/IEC 27002.