Zen and the Art of Risk Assessment - Part One
posted by Brian Willis on August 22, 2007
This is the first in a series of blogs where I will share key learnings from the School of Hard Knocks on performing formal risk assessments. Since I believe risk assessment methodologies are pretty much a ‘roll your own’ decision and there is plenty of material out there to help you decide which would work for your particular enterprise, I would like to focus on a more process-oriented view. I have been involved in hundreds if not thousands of risk assessments in my security career. When done well, they are at best painful — when done wrong, you can feel like you are trapped in one of Dante’s concentric circles of Hell. No one thinks, “Hey, it’s a nice day! Let’s do a risk assessment!” (If they do, run the other direction, quickly.) With this said, formal risk assessments are a necessary evil and, when done correctly, are a valuable tool for the security team and stakeholders.
So, how does one perform a successful risk assessment? It isn’t rocket science, but it does take paying attention to the basics. Let’s begin at the beginning: as with any successful process, it is important to lay a good foundation.

First, identify what question you are trying to answer. This is often a non-trivial exercise, but this core question is the keystone of a useful risk assessment. You will be surprised how often you refer back to this question or problem statement throughout the risk assessment.

Next, what is the scope of the risk assessment? Be as precise as possible when establishing the boundaries of the risk assessment. Make sure you are not trying to ‘boil the ocean’, but make sure your scope is broad enough to answer the question created in the first step. Keep in mind that your risk assessment should be useful and meaningful.

Finally, who should be involved in the risk assessment? It is important to ensure that you have the right subject matter experts so that the process can move quickly and the results have credibility. Also consider including key customer personnel, as the risk assessment process can be an important tool in consensus building. In addition, be aware of the mix of personalities, as team dynamics may be an issue if you anticipate a lot of discussion or contention.

If these seem like basic problem-solving or Project Management 101 items, they are! Unfortunately, it seems that the “basics” are the items most often done poorly. But if you have executed on these items, you should have a scoped and bounded problem statement and the right team identified to tackle the heart of the risk assessment. These few simple foundational elements are crucial to success in the next stage — Performing the Formal Risk Assessment.
tagged: information security, risk, risk assessment, security


Comments
Aug 31 | Jackee Ireland said:
Brian makes reading about security and risk management easy and understandable. Normally my eyes glaze over when the security guys start detailing out their deliverables. Brian keeps it real. Thanks Brian!
Aug 31 | Clint Laskowski said:
I look forward to the rest of your series, and getting the basics of project management right is always important, but I hope there is some depth to the risk analysis portion of the assessment (regardless of whether it is qualitative or quantitative). I am already suspicious when you suggest you’ve done hundreds (if not thousands) of risk assessments, unless these are the most simplistic high-level (read: worthless) risk assessments. An information security risk assessment, if done properly (if that’s even possible), takes some time.