Creating a Risk Management Program from Scratch

Risk management is a crucial part of your Security Management program. It is the process of identifying, assessing, and mitigating the unique data security and privacy risks your organization faces. You should start the risk-management process after you settle on the scope of your Security Management program. This way, you can accurately determine what company-specific risks you might encounter. Until you scope your program, you won’t really know what you need to worry about.

The general approach we suggest (modeled on NIST Special Publication 800-39, Managing Information Security Risk) has four parts:

1. Frame your risks
2. Assess your risks
3. Respond to your risks
4. Monitor your risks

The Four-Step Approach to Risk Management

Step 1: Frame Your Risks

The first step is to think about the context in which your organization operates. That sounds really meta (it is), but your team needs to know about its environment in order to be ready to identify and assess its risks down the road (more on that in step 2). What’s the context you should consider? You should be thinking about all of the internal and external variables that affect how your organization can operate. In general, you want to think about:

• the size and structure of your organization
• its financial position and budget
• strategic partnerships
• business priorities
• the amount of risk you think you can handle
• the legal and regulatory environment in which you operate
• any other factor that might shape how your company works to achieve its goals -- both its general business aims and its data-security ones.

In short, in this initial step, you are “scoping” out the parameters of your risk program, and thinking about what structural factors might impact the specific risks you face and how your business can respond to them.

Once you pin down the variables that will shape the risks you face (and how you can respond to them), you will be in a position to come up with your organization’s strategy for how it will assess, respond to, and monitor its risks. Specifically, you will have a framework for making risk-based decisions, including which threats to include in your assessment, what your limitations are in responding to risk, and at what point is it okay to accept the remaining risk identified.

Step 2: Assess Your Risks

The next step is to assess your risk. This involves two parts: (i) identifying the specific threats you will analyze, and (ii) determining the amount of risk those threats pose to your organization.

Specifically, the first step is to create a “Risk Register” that defines all the threats your organization faces--that is, the events that can cause undesirable consequences to the systems and information you care about. For example, one threat that you likely face is that an employee is successfully phished, resulting in the loss of confidentiality of company data. In your Risk Register, you just list out threats you think you face--you don’t need to analyze them yet. Other examples may include:

• A vendor improperly discloses your PII, resulting in the loss of confidentiality of data.
• An employee installs malware on his or her computer, resulting in the loss of confidentiality of data.
• A malicious actor exploits a bug in your source code and takes down your web app, resulting in the loss of availability of data.

Once you’ve added all your threats to your Risk Register, the second step is to analyze each threat and forecast the amount of harm each threat poses to your organization. There is no one right way to analyze your threats. Some organizations measure the risk posed by threats on a qualitative scale (e.g., very low, low, medium, high, very high) while others use quantitative models (e.g., the dollar-value impacts risks would have on your organization).

Whatever model you use (we recommend a quantitative approach), the process for evaluating each threat is usually the same: estimate the likelihood of the threat occurring; estimate the impact your organization will suffer if the threat occurs; and combine those estimates to get an overall risk score for each threat listed in your Risk Register. Because each threat now has a risk value, you are now able to order your threats by overall risk posed to your organization: risks with “very high” scores are more serious than those with “medium” scores; similarly, a risk with an expected loss of $20,000 is more serious than one with an expected loss of $4,000.

Step 3: Respond to Your Risks

At this point it’s time to act. You now have a list of the threats you faced ordered by their estimated risk scores and you need to determine what you are going to do about them. Generally, this means deciding on one of the following specific courses of action for each risk:

• Accept the risk by doing nothing, which is appropriate when the overall risk posed is within your risk tolerance.
• Avoid the risk by eliminating the process(es) that gives rise to the risk (for example, if you have a serious risk related to BYOD devices, you might prohibit employees from using their own devices for work.)
• Mitigate the risk by implementing new policies or safeguards to lower the likelihood or impact associated with a risk (for example, if an employee being phished is your most serious risk, consider requiring MFA for all work accounts or instituting phishing training for workforce members.)
• Share or Transfer the risk by shifting responsibility to another party (for example, if your most serious risk is due in part to the fact that you host your data on a server you control, consider shifting this responsibility to a vendor-hosting-provider).

For risks you are avoiding, mitigating, sharing, or transferring, you are, by definition, implementing a new or changed activity--policy, safeguard, process, etc. We recommend tracking these as new security projects, and making sure that each has a deadline, budget, and owner (someone responsible for implementing the project). We also recommend routinely checking the progress of each security project, described more fully in step 4 below.

Step 4: Monitor Your Risk

Finally, you should implement processes to ensure that you are tracking your risk (including your risk responses) over time, and adjusting business operations accordingly. While there is an almost endless amount of work you can do to monitor your risk, implementing just three categories of monitoring activities will ensure that your organization’s overall risk improves over time.

1. Monitor the implementation of your risk mitigations. First, you should make sure your risk-mitigation activities are being implemented as designed. For example, if one of your mitigation activities is to ensure everyone is using hardware keys for MFA, you should assign someone the responsibility of purchasing them, distributing them, and making sure they are in use for relevant systems. We recommend reviewing the progress of implementing your risk-mitigation activities at least monthly with your Security Team and the individuals responsible for implementing them.
2. Monitor the effectiveness of your risk mitigations. Second, you should determine whether your risk mitigations have the effect you expected. For example, if you implemented a training course to ensure that your employees are phished less often, you should perform a review to ensure that is the case; otherwise, you may need to come up with a better mitigation activity. We recommend reviewing the effectiveness of your risk mitigations at least annually.
3. Monitor changes to your organization and information systems. Third, make sure to monitor changes that will affect your risk profile. For example, if all your workforce members were based in the U.S. when you performed your risk assessment, but your organization starts hiring workers abroad, you should be aware of that organizational change as it will likely impact your next risk assessment. We recommend tracking these changes and conferring with your Management Team at least annually (and before your next risk assessment).

By tracking these three things, you will be able to stay ahead of your fluctuating risk profile and to identify changes to it without much effort.

Conclusion

By following these four steps, you will be able to create a risk management program that is relevant to your organization and that gives you the tools necessary to improve the security and privacy of your data over time.

Feeling overwhelmed? Don’t worry. If you'd like to learn more about risk assessments, we wrote an entire guide on how to put Security Management into place at your company. Download it here or get in touch with us to learn more about how Aptible Comply and its compliance applications can help.

‍