Risk management is a crucial part of your Security Management program. It is the process of identifying, assessing, and mitigating the unique data security and privacy risks your organization faces. You should start the risk-management process after you settle on the scope of your Security Management program. This way, you can accurately determine what company-specific risks you might encounter. Until you scope your program, you won’t really know what you need to worry about.
The general approach we suggest (modeled on NIST Special Publication 800-39, Managing Information Security Risk) has four parts:
The first step is to think about the context in which your organization operates. That sounds really meta (it is), but your team needs to know about its environment in order to be ready to identify and assess its risks down the road (more on that in step 2). What’s the context you should consider? You should be thinking about all of the internal and external variables that affect how your organization can operate. In general, you want to think about:
In short, in this initial step, you are “scoping” out the parameters of your risk program, and thinking about what structural factors might impact the specific risks you face and how your business can respond to them.
Once you pin down the variables that will shape the risks you face (and how you can respond to them), you will be in a position to come up with your organization’s strategy for how it will assess, respond to, and monitor its risks. Specifically, you will have a framework for making risk-based decisions, including which threats to include in your assessment, what your limitations are in responding to risk, and at what point it is okay to accept the remaining risk identified.
The next step is to assess your risk. This involves two parts: (i) identifying the specific threats you will analyze, and (ii) determining the amount of risk those threats pose to your organization.
Specifically, the first step is to create a “Risk Register” that defines all the threats your organization faces--that is, the events that can cause undesirable consequences to the systems and information you care about. For example, one threat that you likely face is that an employee is successfully phished, resulting in the loss of confidentiality of company data. In your Risk Register, you just list out threats you think you face--you don’t need to analyze them yet. Other examples may include:
Once you’ve added all your threats to your Risk Register, the second step is to analyze each threat and forecast the amount of harm each threat poses to your organization. There is no one right way to analyze your threats. Some organizations measure the risk posed by threats on a qualitative scale (e.g., very low, low, medium, high, very high) while others use quantitative models (e.g., the dollar-value impacts risks would have on your organization).
Whatever model you use (we recommend a quantitative approach), the process for evaluating each threat is usually the same: estimate the likelihood of the threat occurring; estimate the impact your organization will suffer if the threat occurs; and combine those estimates to get an overall risk score for each threat listed in your Risk Register. Because each threat now has a risk value, you are able to order your threats by the overall risk they pose to your organization: risks with “very high” scores are more serious than those with “medium” scores; similarly, a risk with an expected loss of $20,000 is more serious than one with an expected loss of $4,000.
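The scoring step described above, worked through in code. This is an added example and not Aptible's own tooling: the `Threat` record, the likelihood-times-impact formula used as the quantitative score, the qualitative band thresholds, and every threat name and dollar figure in the sample register are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One Risk Register entry (hypothetical structure).

    likelihood: estimated probability the threat occurs in a year (0.0 to 1.0)
    impact:     estimated loss in dollars if it does occur
    """
    name: str
    likelihood: float
    impact: float


def expected_loss(threat: Threat) -> float:
    """Quantitative risk score: annualized expected loss = likelihood x impact."""
    if not 0.0 <= threat.likelihood <= 1.0:
        raise ValueError(f"{threat.name}: likelihood must be between 0 and 1")
    if threat.impact < 0:
        raise ValueError(f"{threat.name}: impact cannot be negative")
    return threat.likelihood * threat.impact


# Constructed thresholds mapping a dollar score onto the five-step
# qualitative scale mentioned in the text (upper bound, label).
QUALITATIVE_BANDS = [
    (1_000, "very low"),
    (5_000, "low"),
    (15_000, "medium"),
    (50_000, "high"),
]


def qualitative_rating(loss: float) -> str:
    """Translate an expected loss into a qualitative rating."""
    for upper_bound, label in QUALITATIVE_BANDS:
        if loss < upper_bound:
            return label
    return "very high"


def rank_register(register: list[Threat]) -> list[tuple[str, float, str]]:
    """Score every threat and return (name, expected loss, rating),
    ordered from the most serious risk to the least."""
    scored = [(t.name, expected_loss(t), qualitative_rating(expected_loss(t)))
              for t in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample Risk Register; likelihoods are chosen so the
# arithmetic is exact in floating point.
SAMPLE_REGISTER = [
    Threat("Employee successfully phished", likelihood=0.5, impact=40_000),
    Threat("Lost or stolen laptop", likelihood=0.25, impact=16_000),
    Threat("Unpatched internet-facing server", likelihood=0.75, impact=16_000),
    Threat("Cloud storage misconfiguration", likelihood=0.125, impact=120_000),
]


if __name__ == "__main__":
    for name, loss, rating in rank_register(SAMPLE_REGISTER):
        print(f"{name:<36} ${loss:>9,.0f}  {rating}")
```

Ranking by expected loss rather than by impact alone is the point of the exercise: the cloud misconfiguration has the largest single-event impact in the sample, but the phishing threat ranks higher because it is far more likely to occur in a given year.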
At this point it’s time to act. You now have a list of the threats you face, ordered by their estimated risk scores, and you need to determine what you are going to do about them. Generally, this means deciding on one of the following specific courses of action for each risk:
For risks you are avoiding, mitigating, sharing, or transferring, you are, by definition, implementing a new or changed activity--policy, safeguard, process, etc. We recommend tracking these as new security projects, and making sure that each has a deadline, budget, and owner (someone responsible for implementing the project). We also recommend routinely checking the progress of each security project, described more fully in step 4 below.
Finally, you should implement processes to ensure that you are tracking your risk (including your risk responses) over time, and adjusting business operations accordingly. While there is an almost endless amount of work you can do to monitor your risk, implementing just three categories of monitoring activities will ensure that your organization’s overall risk improves over time.
By tracking these three things, you will be able to stay ahead of your fluctuating risk profile and to identify changes to it without much effort.
By following these four steps, you will be able to create a risk management program that is relevant to your organization and that gives you the tools necessary to improve the security and privacy of your data over time.
Feeling overwhelmed? Don’t worry. If you'd like to learn more about risk assessments, we wrote an entire guide on how to put Security Management into place at your company. Download it here or get in touch with us to learn more about how Aptible Comply and its compliance applications can help.