At URM, we are big advocates of adopting a risk-based approach when looking at ways in which to improve information security.  The cornerstone of this is conducting a risk assessment.

There are many benefits attached to conducting risk assessments, most of which are focused around business efficiency, prioritising and targeting.  For example, the risk assessment process helps you to identify all of your important information assets and separate fact from fiction by focussing only on assets you actually have, as opposed to those you think you have.  Risk assessments also allow you to truly analyse the effectiveness of any existing controls you already have in place.  As well as determining whether any of your controls require improvement, you can also carry out a cost-benefit analysis on those controls.  For example, if the cost of managing and maintaining a control is greater than the anticipated cost of a breach against the respective asset(s) it is protecting, then there may be a case for considering alternatives, or simply removing the control altogether.

Of course, one of the primary benefits of performing formal risk assessments is to highlight your risks and identify the most appropriate course of action in treating those risks.  Best practice suggests that there are four options available to you when it comes to treating risk.  The first is to simply accept the risk, as it may be within your risk appetite.  The second is to avoid the risk by removing the asset from use.  The third is to transfer the risk, which typically involves outsourcing to third parties such as managed service providers and insurance companies.

The fourth, and most commonly used, option is to modify or treat the risk by implementing controls to mitigate it.  Some of the things you should consider when determining the most appropriate controls to implement include:

  • Ease of use of the control
  • The reliability of the control
  • The relative strength of different controls
  • The cost of implementing and maintaining the control
  • The types* of control and the functions that they perform.

We find that one thing which is often overlooked when it comes to selecting suitable controls is the possibility of introducing new risk.  As part of your deliberations over the suitability of controls on your shortlist, you should always ask the question “what could go wrong if I implement this control?”  For example, you may have identified a risk related to the confidentiality requirements of a certain information asset or asset type.  An obvious control to consider implementing to protect against confidentiality-related threats is encryption.  But what happens if you lose the encryption key?  This would leave you with an availability issue, as you may no longer be able to access the information.  Naturally, there are controls that you can implement to address this new risk, such as key escrow.  However, unless you know that the new risk exists, you may not think to include it within the design of your solution.

*You can consider types of controls both from the perspective of detective/corrective/preventive and also in terms of technical/physical/procedural.