Managing Information Risk: Why Do a Risk Assessment?

Understanding the risks to your information

The single fundamental requirement of Information Risk Management, and of compliance, is that an organisation should be aware of the risks it faces when managing its information. This does not presume that all information assets are valuable and require protection, only that the organisation knows their value and the attendant risks. Once the business is aware of the risks it faces, it can manage them in the most convenient and cost-effective manner.

First, identify the risks

The difficult part is identifying the risks the business faces in the first place. This is not a simple matter for the average manager, as there are a large number of factors to take into consideration. This is where a formal Risk Assessment is important: it weighs up all of the factors affecting information risks and allows the most important or pressing ones to be clearly defined.

Risk Assessment is not only an information security tool; it is also used in other fields such as insurance underwriting and project management. In fact, Risk Assessment in a much less formal sense is second nature to all of us when crossing the road, and it governs much of everyday human behaviour.

Having identified the risks to their information, businesses can then manage those risks in the manner most appropriate to them. This could mean that no additional protection measures are taken, but the risks are then accepted in the knowledge of the consequences, not in ignorance of them.

What does a Risk Assessment involve?

The popular concept of risk assessment is in effect two distinct processes:

  1. The identification and assessment of the risks (risk assessment).
  2. The selection and justification of countermeasures to manage those risks (risk management).

It is rare for the two aspects to be separated in normal practice, but they do require the application of quite different skills.

Taken together, and applied to information risks, the two components can reasonably be described as a process for:

  • Identifying and evaluating the information security risks associated with a computer system or telecommunications network;
  • Nominating and justifying security countermeasures which are commensurate with the identified risks.

Information Risk Management in a network or system depends on a large number of factors working together effectively. For example, if an attacker wanted to infiltrate a network, there are numerous ways in which they might approach the problem. These include packet interception, eavesdropping, hacking, insertion of malware, compromising authorised users, theft of documentation, etc. Securing a system against these threats therefore requires a range of technical, communications, physical, personnel, document and procedural security measures, and a weakness in any one of them can undermine the others.

The benefits of Risk Assessment and Information Risk Management

Formal Risk Assessment and Information Risk Management techniques will assist a business to identify and evaluate the risks facing a system, and to identify and justify a comprehensive range of complementary security measures to meet those risks.

Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.
