Managing Information Risk: Why Do a Risk Assessment?

Understanding the risks to your information

The single fundamental requirement of Information Risk Management, and of most compliance regimes, is that an organisation should be aware of the risks it faces when managing its information. This does not presume that all information assets are valuable and require protection, only that the organisation knows their value and the attendant risks. Once the business is aware of the risks it faces, it can manage them in the most convenient and cost-effective manner.

First, identify the risks

The difficult part is to identify the risks the business faces in the first place. This is not a simple matter for the average manager, as there are a large number of factors to take into consideration. This is where a formal Risk Assessment is important: it weighs up all of the factors affecting information risk and enables a clear definition of the most important or pressing risks.

Risk Assessment is not only an information security tool; it is also used in other fields such as insurance underwriting and project management. In fact Risk Assessment, in a much less formal sense, is second nature to all of us when crossing the road and governs much of everyday human behaviour.

Having identified the risks to their information, businesses can then manage those risks in the manner that is most appropriate to them. This could mean that no additional protection measures are taken; but if a risk is accepted rather than treated, this is done in the knowledge of the consequences, not in ignorance of them.

What does a Risk Assessment involve?

The popular concept of risk assessment is in effect two distinct processes:

  1. The identification and assessment of the risks (risk assessment).
  2. The selection and justification of countermeasures to manage those risks (risk management).

It is rare for the two aspects to be separated in normal practice, but they do require the application of quite different skills.

Taken together, and applied to information risks, the two components amount to a process for:

  • Identifying and evaluating the information security risks associated with a computer system or telecommunications network;
  • Nominating and justifying security countermeasures which are commensurate with the identified risks.

Information Risk Management in a network or system depends on a large number of controls working together effectively. For example, an attacker wanting to infiltrate a network has numerous ways to approach the problem: packet interception, eavesdropping, exploiting software vulnerabilities, insertion of malware, compromising authorised users, theft of documentation, and so on. Securing a system against these threats therefore requires a matching range of technical, communications, physical, personnel, document and procedural security measures; a weakness in any one of them can undo the others.

The benefits of Risk Assessment and Information Risk Management

Formal Risk Assessment and Information Risk Management techniques will help a business to identify and evaluate the risks facing a system, and to identify and justify a comprehensive range of complementary security measures to treat those risks.

Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.
