
Damage limitation

A four-step guide to managing risk, from identifying potential problems to implementing and reviewing processes

Written by Raj Samani

The concept of managing risk is not new; an informal assessment of risk is performed every day, from the mundane task of crossing the road to what some might argue is much more precarious: the job of buying a gift for your partner.

By managing the uncertainty, the risk management process tries to reduce possible hazards to an acceptable level. For example, the risk of being hit by a car while crossing the M25 on foot is high, so it is better to use a bridge. As for buying the gift, that is a more complex algorithm.

In the public and private sectors the same principle applies. There are threats, and we must ensure these are managed and adequately reduced, or we are likely to suffer the consequences.

Planning

Invariably one of the most onerous tasks in any risk management programme is to identify what your assets are, and who owns them.

The task of identifying assets must consider not only the information within an organisation but also the other facets that could be affected. After all, the loss of one asset, your building for example, would most likely affect other assets such as information, or at least its availability.

Establishing the asset register is part of the first stage, the planning phase as identified in the ISO 27001 standard (see Certifying security, below). Also required in this phase is the identification of the threats to each asset and of the vulnerabilities those threats may exploit, leading to an assessment of the effect of a loss of confidentiality, integrity or availability.

This implies a risk assessment process, and the methodology used must produce results that are comparable between assessments and reproducible by different assessors working from the same inputs.

The ISO standard defines numerous other requirements, all of which are critical to the management of risk; obtaining senior management support, for example, should be the very first step. But the task of identifying assets, threats and vulnerabilities, and then estimating the level of risk, is at the heart of any risk management process.

The methodology used can be qualitative or quantitative. In a quantitative assessment the impact of, for example, a loss of confidentiality of critical information is expressed as a financial figure.

This is not always possible: certain organisations are not financially driven, and the loss of some assets simply cannot be measured in financial terms. In such cases the information may instead be subject to laws and/or regulations, breach of which can lead to a fine, bad publicity or a "holiday" at Her Majesty's pleasure.

The planning phase also analyses the potential risks and estimates their levels. This gives the business the opportunity to decide whether it has an appetite to accept each risk as it stands. For every risk, one of four options must be chosen:

  • Reduce the risk by applying controls, or eliminate it altogether.
  • Accept the risk, on the basis that, when the two are balanced, the benefit of the risky activity outweighs the consequence.
  • Avoid the risk. If, for example, you are not happy to accept the risks of online banking and you cannot reduce them, then do not take part.
  • Transfer the risk. This is where options such as insurance come into play. Note that insurance can cover the financial loss but not the reputational damage or regulatory liability, which remain with the organisation.
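As an added illustration, and not code from the article or from the ISO 27001 standard, the following Python sketches the planning-phase steps above: an asset register with owners and dependencies, a comparable and reproducible scoring of each risk, and the choice of one of the four treatment options against a stated risk appetite. It assumes the annualised loss expectancy method (single loss expectancy multiplied by annual rate of occurrence) for the quantitative score and a 1-5 likelihood-by-impact matrix for the qualitative one; neither method is named on the page, and every asset, threat, figure and the risk appetite are constructed for the example.

```python
"""Added example (not from the article): a small, reproducible risk assessment.

Assumptions not on the page: ALE = SLE x ARO for the quantitative score,
a 1-5 x 1-5 matrix for the qualitative score, and a constructed register.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                        # every asset in the register needs an accountable owner
    depends_on: Tuple[str, ...] = ()  # assets whose loss also affects this one


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    affects: Tuple[str, ...]          # which of confidentiality, integrity, availability
    sle: float                        # single loss expectancy in GBP (constructed figure)
    aro: float                        # annual rate of occurrence
    likelihood: int                   # qualitative scale 1-5
    impact: int                       # qualitative scale 1-5
    control_cost: Optional[float] = None  # annual cost of the candidate control, if any
    residual_aro_factor: float = 1.0      # ARO multiplier once the control is in place
    insurable: bool = False

    def ale(self, with_control: bool = False) -> float:
        """Annualised loss expectancy, optionally after the candidate control."""
        factor = self.residual_aro_factor if with_control else 1.0
        return self.sle * self.aro * factor

    def qualitative(self) -> int:
        return self.likelihood * self.impact


def affected_assets(register: Dict[str, Asset], lost: str) -> List[str]:
    """Assets that are (transitively) affected when `lost` is lost.
    Captures the article's point that losing the building also loses the information in it."""
    hit, frontier = set(), [lost]
    while frontier:
        current = frontier.pop()
        for asset in register.values():
            if current in asset.depends_on and asset.name not in hit:
                hit.add(asset.name)
                frontier.append(asset.name)
    return sorted(hit)


def treat(risk: Risk, appetite: float) -> str:
    """Pick one of the four treatment options.

    accept   - the annualised loss is already within appetite;
    reduce   - a control brings it within appetite and costs less than the loss it avoids;
    transfer - otherwise, if the loss is insurable;
    avoid    - otherwise, stop the activity.
    """
    if risk.ale() <= appetite:
        return "accept"
    if risk.control_cost is not None:
        residual = risk.ale(with_control=True)
        if residual <= appetite and risk.control_cost < risk.ale() - residual:
            return "reduce"
    if risk.insurable:
        return "transfer"
    return "avoid"


def assess(risks: List[Risk], appetite: float) -> List[dict]:
    """Comparable, reproducible output: the same inputs always give the same ordered rows."""
    rows = [{
        "asset": r.asset, "threat": r.threat, "affects": r.affects,
        "ale": r.ale(), "residual_ale": r.ale(with_control=True),
        "qualitative": r.qualitative(), "treatment": treat(r, appetite),
    } for r in risks]
    return sorted(rows, key=lambda row: (-row["ale"], -row["qualitative"], row["asset"]))


# Constructed register and risks: illustrative only, not real organisations or figures.
REGISTER = {a.name: a for a in (
    Asset("head office", "facilities manager"),
    Asset("customer database", "head of sales", depends_on=("head office",)),
    Asset("web shop", "e-commerce manager", depends_on=("customer database",)),
)}

RISKS = [
    Risk("customer database", "external attacker", "unpatched database server",
         ("confidentiality", "integrity"), sle=250_000, aro=0.2, likelihood=3, impact=5,
         control_cost=15_000, residual_aro_factor=0.1, insurable=True),
    Risk("head office", "flood", "site is on a flood plain",
         ("availability",), sle=400_000, aro=0.05, likelihood=2, impact=5,
         control_cost=60_000, residual_aro_factor=0.5, insurable=True),
    Risk("web shop", "staff error", "no change control on deployments",
         ("availability",), sle=5_000, aro=2.0, likelihood=4, impact=2,
         control_cost=2_000, residual_aro_factor=0.25),
]

APPETITE = 10_000  # constructed: the board accepts up to GBP 10k expected annual loss per risk

if __name__ == "__main__":
    for row in assess(RISKS, APPETITE):
        print(f"{row['asset']:<18} {row['threat']:<18} ALE {row['ale']:>9,.0f} "
              f"residual {row['residual_ale']:>9,.0f} qual {row['qualitative']:>2} "
              f"-> {row['treatment']}")
    print("losing head office also affects:", affected_assets(REGISTER, "head office"))
```

With the constructed figures the database risk is reduced (the control costs less than the loss it avoids and brings the residual within appetite), the flood is transferred (the control is not cost-justified, but the loss is insurable) and the deployment risk is accepted as it already sits within appetite. The treatment rule is deliberately explicit so that two assessors working from the same register reach the same answer, which is the comparability and reproducibility the text asks for.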

Doing

This phase implements the controls identified in the planning stage. How the performance of each control will be measured must also be defined here, an important step which is often overlooked.

How do you measure and confirm the effectiveness of a financial and time-based commitment?

For example, a security awareness training programme is likely to increase the number of calls to a helpdesk; is that an acceptable measurement? What are the benefits of such increases in awareness? Do they outweigh the cost of the increase in calls?

Checking

The next stage is monitoring and review. This ensures the whole process is effective, and that the controls that were implemented remain effective using the measurements defined earlier.

This is important because the objective of a control is either to reduce the risk or to eliminate it completely. If it does neither, the money has been wasted and the risk still exists, and the repercussions if the threat is realised can be significant.

Reviews should not focus solely on the controls: the risk assessments themselves should also be revisited regularly, to keep them consistent and to respond to a changing environment.

Acting

The final stage is to maintain and improve the entire process, so if there are any problems corrective action can be carried out.

This is an important stage as it ensures the risk management process improves over time, that lessons are learned and that mistakes are not repeated.

Raj Samani is vice president of communications for the Information Systems Security Association UK. See www.issa-uk.org


Certifying security

ISO 27001 is the only auditable international standard which defines the requirements for an information security management system (ISMS).

The standard is designed to ensure the selection of adequate and proportionate security controls.

It also adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an ISMS.

Certifying against ISO 27001 can bring the following benefits:

  • Demonstrates the independent assurance of your internal controls and meets corporate governance and business continuity requirements.
  • Independently demonstrates that applicable laws and regulations are observed.
  • Shows customers that security of their information is paramount.
  • Independently verifies that organisational risks are properly identified, assessed and managed, while formalising information security processes, procedures and documentation.
  • Proves senior management commitment to the security of information.
  • The regular assessment process helps to continually monitor performance and improve.

For more information visit: www.bsi-global.com/en
Source: BSI
