HMG IA Standard Numbers 1 and 2 – Information Risk Management is no longer supported by CESG. The standard will still be available to those government organisations that are contractually obliged to follow it but where does that leave those looking for a best-practice risk assessment methodology to follow?
This blog explores some of the options and ponders whether a risk assessment is really needed.
What is the point of an information risk assessment?
Think of a risk assessment like just another business case; its purpose is simply to justify a business decision! A risk assessment will:
- Identify the business information assets that need protection;
- Identify those that may want access to that information – for whatever reason;
- Identify potential vulnerabilities that may leave the information exposed; and,
- Provide an assessment of how likely it is that information will be exposed.
All with the aim of identifying efficient and cost-effective security measures to try and keep the information assets secure. So, doing a risk assessment is a good thing as it sets out a valid business argument for spending time, effort and resources on implementing security measures to protect valued business assets.
What if you already know what security measures are going to be implemented?
If your business has already made a decision to implement a security standard that details the security measures you need to follow, then why waste your time on a risk assessment? It will provide no added value and probably detract resources away from implementation.
If, for example, your business leaders have already stated that the organisation will comply with the Payment Card Industry – Data Security Standards (PCI-DSS) and has set aside a realistic budget, then a risk assessment may not be required. The controls identified in the appropriate Self-Assessment Questionnaire (SAQ) should, depending on implementation, be sufficient to provide the necessary level of security for that information asset i.e. electronic fund transfers.
Will any information security standard do?
That all depends on the information you are trying to protect. If the only information asset that is of value to you is customer credit card information then PCI DSS is probably the one for you. However, what about other information assets that you may have:
- Personal data compliance with Data Protection Act and Information Commissioner’s Office (ICO) requirements;
- Government data – compliance with Cyber Security Essentials;
Again, if the decision is to go ahead and implement these standards, then why spend more time and effort on producing a detailed risk assessment and risk treatment plan? Just get on and implement the appropriate standard. Job done – or is it?
When is enough, enough?
Controls identified in information security standards are there for a reason – to mitigate pre-determined risks. The fact that the risks are not made clear doesn’t really matter – or does it? Well, that depends on how well the controls need to be implemented. Consider the Cyber Security Essentials which details the “minimum” that should be done in a cyber-connected world. Implementing the basics for Malware Protection (Requirement 4) will provide:
- Up-to-date anti-virus software on any computer connected to the Internet;
- On-access scanning of files to detect malicious content;
- Daily scans of all files;
- Website blacklisting to prevent connections to malicious websites.
If that is implemented correctly, is there a residual risk that malicious content would still somehow get through? The answer is of course, that there is always residual risk.
Only “known” malicious content would be detected (obviously) and not all malicious websites can be blacklisted (it would take too long and they are always changing). What’s more, non-Internet connected computers may be at risk from malicious content passed via CD, USB stick or other type of digital connection.
The question is, whether the residual risks are acceptable or not. Without understanding the risks in the first place or being able to measure the effectiveness of security measures to mitigate them the question remains unresolved.
The demise of IS1 & 2 does not sound the death knell for risk assessments
There are occasions when a risk assessment is not necessary nor a useful business function, especially when complying with a specific information security standard such as Cyber Security Essentials. However, it should be recognised that following a standard does not provide any indication of the native or residual risks once security measures are being implemented.
Ascentor’s opinion is that the risk assessment and treatment principles outlined in IS1 & 2 remain valid. We agree that interpretation and implementation may have gone astray in some quarters but that is no reason to throw the baby out with the bath water.
Blindly implementing controls is just as bad, if not worse than blindly following a methodology! We hope the demise of IS1 & 2 does not create a policy vacuum filled by ignorance and blind acceptance of unknown residual risks.
Ascentor will continue to strive for business-focused risk assessments that provide real value to an organisation.
For further information:
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.
