What Does a Risk Assessment Do For Your Organization?
The purpose of a risk assessment is two-fold: to identify the threats that an organization faces, and to help determine how best to prioritize resources to address those threats and protect its assets.
When it comes to information assets, three things are critical:
• The confidentiality of the information
• The integrity of the information
• The availability of the information
Each organization has a different tolerance for disruption to each of the three elements. For example, military agencies generally prioritize confidentiality and integrity over availability; they would rather have information become unavailable than run the risk of compromising its confidentiality or integrity. For a publicly traded corporation, the integrity and availability of its Form 10-K matter more than its confidentiality, as investment decisions are made based in part on this document.
Performing a successful risk assessment means classifying and assigning value to information assets, and determining the likelihood that they will be impacted by a vulnerability. By classifying and putting a value on each information asset, the chief information officer (CIO) and chief information security officer (CISO) can demonstrate why the asset is critical to the business, and perhaps more importantly, in what way it is critical to the business. For some assets, uninterrupted availability is critical, while keeping them confidential is not required. Assigning and addressing risk depends on understanding the value of the asset and prioritizing confidentiality, integrity and availability.
Once data has been valued and classified and risk has been assigned, the organization can begin to manage the risk. This is not a one-time activity; rather, it should be a continuous process, as risk (or business focus) may change on a daily basis. Good examples of this are ever-changing regulations, whether from self-regulating industry bodies like PCI (payment card industry) or from government regulation like HIPAA (Health Insurance Portability and Accountability Act).
What happens when your organization acquires or merges with an organization in a different political, economic or physical environment? If your organization has never had offices in Florida, it is not likely that you are prepared for hurricanes and tropical storms to the extent that is required there. Similarly, there may be requirements from state or local government that you will now have to meet.
There are four general ways to address risk associated with the business: eliminate, mitigate, transfer or accept the risk. Eliminating the risk could include destroying or selling the asset if it is cost prohibitive to protect properly. Mitigating risk involves applying compensating controls to address the risk; for example, applying IPS signatures to block exposure to a new vulnerability. Insurance policies, business continuity and disaster recovery planning are all ways of transferring risk. The last one, accepting the risk, is perhaps the most direct approach: the organization simply accepts the risk and does not attempt to address it.
As information professionals, it’s our job to know what “information” in our titles means to our organizations, regardless of whether we are the CIO, CISO, or the IT analyst. We need to know our role in protecting the information and what that information is worth to the business.