Wednesday, August 12, 2009

Five Practical Tips for Performing Risk Assessments

I came across CISOHandbook.com and found this site to be very informative and easy to read for Information Security Professionals. The following article stood out and I decided to share it on my blog.

Five Practical Tips for Performing Risk Assessments

by Mike Gentile, Ron Collette, and the CISOHandbook.com Team


Risk Assessments are one of the most powerful tools in the arsenal of the security professional. They provide tremendous value when performed correctly, but can have severely detrimental effects when they are not. This article will provide some quick and easy considerations for getting the most out of them within your environment.

1. Measure the Scope of the Risk Assessments That You are Currently Conducting

Most current security programs conduct some form of risk assessment on a regular basis. The issue arises when all risk assessments are treated as identical. For example, an enterprise-wide risk assessment that focuses solely on risks within applications is vastly different than a risk assessment that evaluates risks associated with the operating system on one server for an individual business unit. Though this may seem obvious, in our experience many people within security programs and especially people outside of them still view risk assessments as the same thing regardless of scope. This can lead to gaps between what is expected of the review (from a risk perspective) and what was actually reviewed. Additionally, this can often lead to difficulties with trending of risk over time, another important item we will talk more about in a minute.

2. Use Risk Assessments to Enable Business Decisions

We believe one of the strongest uses for risk assessments is to provide a business with the right type of information regarding security risks in order to enable informed business decisions. This is the objective of a risk assessment. In your risk assessments, be sure to focus the message so that it can be consumed by those who do not understand the nuances of security. In other words, put the reports from risk assessments in business speak, not security jargon.

3. Make a Conscious Decision Regarding the Risk Model Employed in the Assessment

This one becomes especially important if your organization relies upon vendors to perform the assessment. Vendors can be valuable in terms of providing the necessary skill-sets, but there are also some downsides. Vendors often bring proprietary risk evaluation techniques and unique nomenclature to their deliverables. The use of unique terms, language, or techniques can add confusion to the message delivery process, particularly for those who are not security focused. A classic example in these situations is the frustration a vendor feels when the client fails to understand the message and value of their work. The other danger of using proprietary risk methodologies and nomenclature is that it commits the organization to their continued use in order to facilitate useful trending information.

4. Focus on the Trending Elements of the Risk Assessment

One of the most important elements of measuring risk is to demonstrate the changes within an organization over time. By the way, we did not make these rules; we bring this one up because we have never, and we mean never, met a Board of Directors or Management Team that has not wanted some type of trending after they review assessment data. It is just the way it is.

Even slight variances in the type of assessment or methodology employed can negatively influence the trending characteristics of the data. When an assessment does not have the capability for trending, it often leads others to question the credibility of the analysis. It can also put you in a bind if you get a request for trending, but can't deliver because of the data you collected or the type of assessment.

When designing an assessment, focus on meaningful forms of measurement that will enable future trending. This is usually best accomplished by taking the time to identify what you want to measure first, and then build an assessment to meet those needs. This should seem simple because it is. When you do not take the time up front, your end result can be much more painful.

5. Ensure the Goal Matches the Approach of the Assessment

Another easy one, but this piece of advice is often missed. Before performing any type of risk assessment, try to establish the primary goals and objectives for the assessment and the future use of the information. A useful technique to aid in this exercise is to identify what you believe the result of the assessment will be for your target audience before performing any work. We have witnessed many occasions where a security officer has gotten themselves into hot water by not considering the end result of their use of an assessment prior to its implementation. They begin by attempting to bring awareness to a security weakness in a particular area, only to find that not only did they bring awareness to the issue, but they also highly angered the decision makers in that area through the negative publicity. In these situations, if they had simply been more careful in how they approached the assessment, either in its design or approach, they could have saved themselves a lot of unnecessary trouble and made it easier to reach their true assessment goals. By the way, we are not saying that you should avoid the use of risk assessments; in fact, quite the contrary. Just be sure to consider your goals for using one and whether the end result of the review will meet those objectives. In other words, think it through or it can be career limiting.


There is obviously a multitude of ways to approach a risk assessment, but hopefully this will provide you with a couple of tips to aid your efforts when conducting one for your organization.
