Risk management involves the process of identifying, assessing, and responding to threats to an organization’s assets by the implementation of security controls that support early risk detection and resolution (Samimi, 2020). On the other hand, risk assessment involves identifying vulnerabilities within information systems that could be taken advantage of by cybercriminals to compromise information and information systems, analyze the impact of the risk to the business and classify the risk into high, medium or low categories while proposing mitigating controls (Bilal et al., 2020). Given that risk assessment is necessary to identify and highlight the risk impact to the business, it is therefore a critical step in risk management.
Purpose of Risk Assessment
The purpose of a risk assessment is to identify information assets that are vulnerable to some form of threat factor, determine the current security posture and identify gaps in the security of these assets and recommend mitigating factors. Performing a risk analysis helps in evaluating and classifying risk, while recommending risk treatment plans to management. Emerging threats have the characteristics of being new, critical, ongoing, and having widespread coverage within social media. Addressing emerging threats requires a detailed risk analysis, which involves identifying the attack vectors and classifying the risk. The risk classification will determine the likelihood of the threat exploiting vulnerabilities within the IT infrastructure and recommend controls to mitigate the risk. If the risk is high, the scope and potential impact to the business if this risk is realized should be analyzed, and incident response, business continuity, and disaster recovery teams put in high alert. Effective communication and reporting are critical in handling emerging threats as the decision to accept, mitigate or transfer risk lies with senior management.
Vulnerability Analysis and Risk Mitigation
Vulnerability analysis helps identify, evaluate, and categorize security weaknesses within the information technology infrastructures while proposing mitigating controls. Vulnerability analysis also classifies risk into high, medium, and low categories. These categories show the likelihood of a threat exploiting that vulnerability, thereby prioritizing the risk treatment process. There are several tools used for vulnerability analysis with the most popular one being Nexus vulnerability scanner.
Incorporating Risk Management into an Information Security Program (ISP)
An ISP evaluates most an organization’s most sensitive information to determine its most vulnerable areas and provide recommendations for strengthening security in those areas. The ISP is a set of rules and regulations for keeping sensitive data safe. The plan defines a strategic roadmap for security management practices and effectively analyzes the risks associated with security breaches, along with a detailed description on the response plan.
Incorporating risk management and risk assessment into an enterprise-wide information security program (ISP) requires using a risk management framework. A risk management framework provides a guide to identify the current security level, strengthen and standardize the risk management process used by organizations to secure information technology assets. The National Institute of Standards and Technology (NIST) developed the Cybersecurity Framework (CSF), which sets guidelines for addressing cybersecurity risks (Bakare, 2020). We also have the NIST SP 800-37 rev 2 that provide guidelines on security best practices in managing security and privacy risks to information systems. The private industry primarily uses the NIST CSF, while the United States government agencies use the RMF (NIST SP 800-37 rev 2) (Barrett et al., 2020). NIST CSF lays out five steps in protecting information technology; identity, protect, detect, respond, recover. On the other hand, the RMF has seven steps to protect information systems; prepare, categorize the systems, select controls, implement controls, assess the effectiveness of the controls, authorize the system (ATO), and continuous monitoring of the information system.
On the International scale, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) published the ISO/IEC 27001, which serves as a guide to assessing and managing risk to information security management systems (ISMS). The ISO/IEC 27001 standard provides seven steps in performing risk assessments (define risk assessment mythology, compile a list of information assets, identify threats and vulnerabilities, evaluate risks, mitigate the risks, compile risk report, review monitor, and audit). ISO/IEC 27001 provides nine steps that incorporate people, processes, and technology concepts to enforce risk management by implementing controls. These steps include; assemble the implementation team, developing an implementation plan, initiating the ISMS, defining the ISMS scope, defining the security baseline, establishing risk management process, implementing a risk treatment plan, measuring, monitoring, reviewing, and certifying the ISMS (Achmadi et al., 2018) .
Achmadi, D., Suryanto, Y., & Ramli, K. (2018). On developing information security management system (isms) framework for iso 27001-based data center. 2018 International Workshop on Big Data and Information Security (IWBIS),
Bakare, A. A. (2020). A Methodology for Cyberthreat ranking: Incorporating the NIST Cybersecurity Framework into FAIR Model University of Cincinnati].
Barrett, M., Barrett, M., Marron, J., Pillitteri, V. Y., Boyens, J., Quinn, S., . . . Feldman, L. (2020). Approaches for Federal Agencies to Use the Cybersecurity Framework. US Department of Commerce, National Institute of Standards and Technology. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932918
Bilal, M., Gani, A., Liaqat, M., Bashir, N., & Malik, N. (2020). Risk assessment across life cycle phases for small and medium software projects. Journal of Engineering Science and Technology, 15(1), 572-588.
Samimi, A. (2020). Risk Management in Information Technology. Progress in Chemical and Biochemical Research, 3(2), 130-134. https://doi.org/10.33945/sami/pcbr.2020.2.6
Great information on Risk Assessment. Very helpful tips I got in building an SOP am currently working on.
Thank you Manda. We are glad our blog could be of help to you as you build your company’s SOP.