How do organizations approach risk assessments?
On a weekly basis, IANS conducts upwards of 25 Ask An Expert inquiries that focus on a number of topics, but an emerging trend is that they increasingly share a common thread: understanding risk. Many organizations are seeking to take the first of many steps in this process by talking to IANS about conducting risk assessments. These inquiries range from “How do I build a risk assessment program?” to “Did my risk assessment, now what?”. Since a majority of the folks we talk to are struggling to understand the steps in the process, or even to take the first step, let’s dive into some good starting points for building a risk assessment program, and then look at what to do with your results.
Approaching Business Risk through Basic Methodologies
In creating a risk assessment program, organizations should be looking to the basic methodologies found in NIST SP800-30, CERT OCTAVE, ISO/IEC 27001:2005 – ISMS, ISF (Information Security Forum) IRAM, and CoBiT. In general, these will not provide a full program for your organization, but they will provide a good baseline or jumping-off point. Understanding how to implement these tools is only a first step; the true strategic decisions come when the risk profile itself is managed and, where necessary, remediated.
There are four basic paths to take in terms of handling risk:
- Assume it: acknowledge the risk, understand the risk, and accept it
- Avoid it: eliminate the risk
- Limit it: reduce the risk through mitigating controls
- Transfer it: or at least try to, through insurance or some other method, but this may not help with accountability.
The choice you make here will depend on your organization’s infrastructure and security maturity, and the decision of how risk is managed is only as reliable as the programs and tools designed to assess it in the first place.
In an attempt to lay some groundwork for the many companies seeking IANS’ advice on the topic, we have produced a webinar around risk management approaches and best practices. You can view the webinar, “Value-Added Security, Approaching Business Risk” below.
We’re interested in knowing what your organization is doing to take on the challenge of creating a comprehensive and defensible risk profile and, if you’re not, we’re here to help. Since every organization is different in terms of its risk elements and the standards it must uphold, IANS is working with many firms to tailor a program to individual organizations’ needs.
If you would like to learn more about how IANS can help get the process started for building, evaluating, or improving your risk assessment program, contact Mike Treacy, SVP of Consulting.
