Understanding the risks to your information
The single fundamental requirement of Information Risk Management, and of most compliance regimes, is that an organisation should be aware of the risks it faces when managing its information. This does not presume that all information assets are valuable and require protection, only that the organisation knows what each asset is worth to it and what risks attend it. Once the business is aware of the risks it faces, it can manage them in the most convenient and cost-effective manner.
First, identify the risks
The difficult part is identifying the risks the business faces in the first place. This is not a simple matter for the average manager, as there are a large number of factors to take into consideration. This is where a formal Risk Assessment is important: it weighs up all of the factors affecting information risks and enables a clear definition of the most important or pressing ones.
Risk Assessment is not only an information security tool; it is also used in other fields such as insurance underwriting and project management. In fact Risk Assessment, in a much less formal sense, is second nature to all of us when crossing the road, and governs much of everyday human behaviour.
Having identified the risks to their information, businesses can then manage those risks in whatever manner is most appropriate to them. This could mean that no additional protection measures are taken; but if the risks are accepted, this is done in knowledge of the consequences, not in ignorance of them.
What does a Risk Assessment involve?
What is popularly called risk assessment is in effect two distinct processes:
- The identification and assessment of the risks (risk assessment).
- The selection and justification of countermeasures to manage those risks (risk management).
It is rare for the two aspects to be separated in normal practice, but they do require the application of quite different skills.
A reasonably accurate description of these two components, risk assessment and risk management, as applied to information risks, is that together they form a process for:
- Identifying and evaluating the information security risks associated with a computer system or telecommunications network;
- Nominating and justifying security countermeasures which are commensurate with the identified risks.
Information Risk Management in a network or system depends on a large number of factors working together effectively. For example, an attacker wanting to infiltrate a network has numerous ways to approach the problem, including packet interception, eavesdropping, exploitation of software vulnerabilities, insertion of malware, compromising authorised users and theft of documentation. Securing a system against these threats therefore requires a combination of technical, communications, physical, personnel, document and procedural security controls; a countermeasure that addresses only one of these routes leaves the others open.
The benefits of Risk Assessment and Information Risk Management
Formal Risk Assessment and Information Risk Management techniques will assist a business to identify and evaluate the risks facing a system, and to identify and justify a comprehensive range of complementary security measures to meet those risks.
Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.