If an IT security practitioner tells you that there is “zero risk” of something happening, you should run, fast. He or she is doing you a disservice by lulling you into a false sense of security: no control eliminates risk, it only reduces it. First, let’s start with what risk actually is.
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
Assessing and treating risk in an organization (information risk management) is very important. The first thing you need to do is identify and assess your risk exposure. Once you have done that, the goal is to bring each risk down to an acceptable level: mitigate it with controls, transfer it (for example through insurance or a contract), avoid the activity that creates it, or formally accept it. Whatever remains after treatment is residual risk, and it is never zero.
Your organization needs to be aware of the different types of risk and be able to address them accordingly:
- Physical Damage: Fire, water, vandalism, power loss and natural disaster
- Human Interaction: Accidental or intentional action or inaction that can disrupt productivity
- Equipment Malfunction: Failure of systems or peripheral devices
- Internal and External Attacks: Hacking, cracking, and other deliberate attacks on systems, whether by outsiders or by insiders
- Misuse of Data: Sharing trade secrets, fraud, espionage, and theft
- Loss of Data: Intentional or unintentional loss of information through destructive means
- Application Error: Computational errors, input errors, and buffer overflows
Start by assembling a Risk Management Team. Depending on your organization’s size, security posture requirements and security budget, the team may consist of a single individual; a bigger organization will have the resources to put together a larger group.
Regardless of its size, the team needs to implement the following:
- Establish a risk acceptance level provided by senior management
- Document risk assessment policies and procedures
- Establish procedures for identifying and mitigating risks
- Establish appropriate resource and fund allocation from senior management
- Have contingency plans where assessments indicate they are necessary
- Map legal and regulatory compliance requirements to control implementation requirements
- Develop metrics and performance indicators so you can measure and manage different risks
- Ensure you have the ability to identify and assess new risks as the company and environment changes
- Integrate Risk Management Procedures and Change Control procedures to ensure that changes do not introduce new vulnerabilities
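To make the definition above concrete (risk measured as a combination of likelihood and consequence, treated down to the acceptance level that senior management sets), here is a small risk register scorer. It is an added example and not code from the original post; the assets, threats, scores, control effects and the acceptance level of 6 are constructed sample data on a 1 to 5 likelihood and impact scale, chosen only for illustration. Each control is modelled as a multiplier on likelihood or impact that must lie in (0, 1], which encodes the point that a control reduces risk but never removes it.

```python
"""Minimal risk register: scores each risk as likelihood x impact, applies the
controls that treat it, and compares the residual score with the acceptance
level set by senior management.  Illustrative code; all entries below are
constructed sample data, not real assessment results."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Control:
    """A safeguard expressed as multipliers on likelihood and impact.

    1.0 means "no effect"; 0.3 means "reduced to 30% of the untreated value".
    A factor of 0 is rejected on purpose: no control gets you to zero risk.
    """
    name: str
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0

    def __post_init__(self) -> None:
        for f in (self.likelihood_factor, self.impact_factor):
            if not 0.0 < f <= 1.0:
                raise ValueError("control factors must be in (0, 1]: controls reduce risk, never eliminate it")


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    controls: list[Control] = field(default_factory=list)

    @property
    def inherent(self) -> float:
        """Risk before any controls: likelihood x impact."""
        return float(self.likelihood * self.impact)

    @property
    def residual(self) -> float:
        """Risk after every control's factor has been applied."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return round(lik * imp, 2)


def treatment(risk: Risk, acceptance_level: float) -> str:
    """'accept' when residual risk is within management's level, else 'treat'
    (add controls, transfer the risk, or avoid the activity)."""
    return "accept" if risk.residual <= acceptance_level else "treat"


def build_register() -> list[Risk]:
    """Constructed sample entries for a small web shop (hypothetical data)."""
    offsite_backups = Control("nightly off-site backups", impact_factor=0.4)
    admin_mfa = Control("MFA on admin accounts", likelihood_factor=0.3)
    waf = Control("WAF with server-side input validation", likelihood_factor=0.5)
    ups = Control("UPS and generator", likelihood_factor=0.2)
    return [
        Risk("customer DB", "ransomware (loss of data)", 4, 5, [offsite_backups, admin_mfa]),
        Risk("web app", "SQL injection (external attack)", 4, 4, [waf]),
        Risk("server room", "power loss (physical damage)", 3, 3, [ups]),
        Risk("HR file share", "insider leaks salary data (misuse of data)", 2, 4),
    ]


def report(acceptance_level: float = 6.0) -> dict[str, str]:
    """Map each threat to its treatment decision at the given acceptance level."""
    return {r.threat: treatment(r, acceptance_level) for r in build_register()}


def needs_treatment(acceptance_level: float = 6.0) -> list[str]:
    """Threats still above the acceptance level, worst residual risk first:
    the prioritised work list the risk management team tracks as a metric."""
    open_risks = [r for r in build_register() if r.residual > acceptance_level]
    return [r.threat for r in sorted(open_risks, key=lambda r: r.residual, reverse=True)]


if __name__ == "__main__":
    level = 6.0
    for r in build_register():
        print(f"{r.asset:14} {r.threat:45} inherent={r.inherent:5.1f} "
              f"residual={r.residual:5.1f} -> {treatment(r, level)}")
    print("treat next:", needs_treatment(level))
```

Note that the ransomware entry has the highest inherent score in the register (20) yet ends up acceptable, while the uncontrolled insider risk with an inherent score of 8 does not; prioritising by residual rather than inherent risk is what keeps the treatment list honest. Change the acceptance level or add a control and rerun to see the decisions move, which is the kind of metric the team above is asked to maintain.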