The IREC research team is in the middle of an effort to understand our members’ risk assessment processes and identify information and practices that will be helpful in improving those processes. Thanks to all the members who have participated thus far. Here is an update on the research, with some early suggestions on where Security organizations might find some room for improvement.
- Harder Than it Looks. Risk assessment would seem like a basic element of running the Security function. However, few members are satisfied with their processes. Indeed, from our perspective in talking to members, there is a wide gap (not merely room for incremental improvement) between standard practice and that of the most progressive members.
- Disparate Practices. As with so much in security, there is no such thing as a common approach to risk assessments across the organizations we have spoken with. For some security activities this makes sense, as you must tailor your approach to the detailed realities of your organization. So far we have not found much of a reason why this should be the case for risk assessments: most Security organizations are trying to accomplish pretty much the same things with their risk assessments. Instead this seems to be an area ripe for “best practice” maturity improvements.
- Two Broad Categories of Activity. While most security organizations have several different activities they refer to as “risk assessments”, these seem to fall into two broad categories: 1) Specific, targeted assessments (e.g. assessing the risk of a specific application or a new business project), and 2) High-level reviews of the top risks facing the organization. In principle, it might seem to make sense to determine your high-level view of risk by aggregating the targeted assessments. In practice very few members do this, and from what we can tell this is probably appropriate, given the many well-known challenges of risk quantification.
Most Security effort on “risk assessment” is devoted to the targeted assessments described above. The reality of these assessments is that they rarely assess risk, but rather are a look at vulnerabilities and the controls that should be present to address those vulnerabilities. Clearly it is not practical to perform a full threat model and impact analysis for every individual risk assessment, but there are several steps that members can take to better leverage these efforts:
- Standardizing the assessment processes and using standard risk and control taxonomies reduces effort and reduces the chances of missing basic controls.
- Leverage that standardization not in an attempt to create an all-inclusive view of your risks, but to monitor for trends, such as commonly unaddressed vulnerabilities or frequently broken controls, that can be a sign that new or redesigned controls are needed.
- Make sure you have a lightweight assessment of criticality, sensitivity, and/or business impact that project and asset owners can use to make a quick High/Medium/Low categorization. Such a categorization can be used both to prioritize control/vulnerability reviews, and as an input to those reviews to ensure that control recommendations are appropriate and not overly burdensome.
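As an added illustration of the three steps above (not code from IREC or any member), the following Python script shows what a standardized assessment record can buy you: a quick High/Medium/Low triage rating derived from owner-supplied criticality, sensitivity and business-impact ratings, and a trend check over the findings of several targeted assessments that flags controls which fail more often than a threshold. The control identifiers, the sample findings, the "worst-of-three" combination rule and the flagging thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ordering used to pick the worst of the three owner-supplied dimensions.
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def triage_rating(criticality: str, sensitivity: str, business_impact: str) -> str:
    """Collapse three quick owner-supplied ratings into one High/Medium/Low label.

    The combination rule (take the worst of the three) is an assumption for this
    example; the page only asks for a quick, lightweight categorization.
    """
    dims = (criticality, sensitivity, business_impact)
    for d in dims:
        if d not in RATING_ORDER:
            raise ValueError(f"unknown rating {d!r}; expected one of {sorted(RATING_ORDER)}")
    return max(dims, key=RATING_ORDER.__getitem__)


@dataclass(frozen=True)
class Finding:
    assessment_id: str  # one targeted assessment (an application, a project, ...)
    control_id: str     # identifier from a standard control taxonomy (hypothetical IDs below)
    status: str         # "pass", "fail" or "n/a"
    rating: str         # the assessment's overall H/M/L from triage_rating


# Constructed sample findings from four assessments; the control IDs are made up.
SAMPLE_FINDINGS = [
    Finding("app-01", "AC-01", "pass", "High"),
    Finding("app-01", "CR-02", "fail", "High"),
    Finding("app-01", "LG-03", "fail", "High"),
    Finding("app-02", "AC-01", "pass", "Medium"),
    Finding("app-02", "CR-02", "fail", "Medium"),
    Finding("app-02", "LG-03", "pass", "Medium"),
    Finding("proj-03", "AC-01", "fail", "Low"),
    Finding("proj-03", "CR-02", "fail", "Low"),
    Finding("proj-03", "LG-03", "n/a", "Low"),
    Finding("app-04", "AC-01", "pass", "High"),
    Finding("app-04", "CR-02", "pass", "High"),
    Finding("app-04", "LG-03", "fail", "High"),
]


def control_failure_rates(findings):
    """Per control: (failures, applicable assessments, failure rate).

    Findings marked "n/a" are excluded from both numerator and denominator so a
    control that rarely applies is not penalized for the assessments it skips.
    """
    fails = defaultdict(int)
    applicable = defaultdict(int)
    for f in findings:
        if f.status == "n/a":
            continue
        applicable[f.control_id] += 1
        if f.status == "fail":
            fails[f.control_id] += 1
    return {
        cid: (fails[cid], applicable[cid], fails[cid] / applicable[cid])
        for cid in applicable
    }


def frequently_broken_controls(findings, min_rate=0.5, min_assessments=3):
    """Controls that fail in at least min_rate of at least min_assessments
    applicable assessments, worst first. The thresholds are example choices."""
    rates = control_failure_rates(findings)
    flagged = [
        cid for cid, (_, n, rate) in rates.items()
        if n >= min_assessments and rate >= min_rate
    ]
    return sorted(flagged, key=lambda cid: rates[cid][2], reverse=True)


if __name__ == "__main__":
    print("triage:", triage_rating("Low", "High", "Medium"))
    for cid, (k, n, rate) in sorted(control_failure_rates(SAMPLE_FINDINGS).items()):
        print(f"{cid}: {k}/{n} failed ({rate:.0%})")
    print("review candidates:", frequently_broken_controls(SAMPLE_FINDINGS))
```

On the constructed data, CR-02 fails in three of four applicable assessments and LG-03 in two of three, so both are returned as candidates for a control redesign, while AC-01 (one failure in four) is not. The minimum-assessments threshold keeps a control that has only been checked once or twice from dominating the list on the strength of a single failure.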
Fewer resources are spent on assessing high-level risk areas. Members interested in this should look into our Controls Maturity Benchmarking Service. Two quick looks at what IREC members view as the top information risk areas for 2010 and 2011 are here and here. We also profiled several alternative approaches to identifying high-level and new risks a couple of years ago.
Let us know what you would like to know about risk assessment.