To help your security team get a better handle of current and future risks, this piece will explain specific terminology that forms a concrete basis for compliance risk assessment.
Risk Assessment Technique Terminology
The first set of terms that your information security team should be aware of is terms related to specific techniques. This is essentially the “what” of the process, and it includes ISO requirements, qualitative risk, and quantitative risk analysis methods.
1. ISO 27005
ISO 27005 is a framework that guides businesses towards effective risk management. Rather than laying out a step-by-step methodology, it provides information about what your risk assessment should ultimately include. ISO 27005 is useful for your security team to review as it outlines a thorough assessment of all compliance and operational risks.
2. Quantitative Risk Analysis
Quantitative risk analysis involves the assignment of a numerical value to certain types of risk. This is in an effort to quantify the risk and any possible effects it may have on your business. To assign a numerical value, the formula used is “Risk = Probability x Loss”. The probability of a risk is determined from historical data- derived from relevant business documentation. You can only accurately quantify a risk if you have enough data to determine probability. But if your records are insufficient, you may not have an accurate quantitative risk value.
3. Qualitative Risk Analysis
Even if it’s devoid of numerical values, qualitative risk analysis provides a subjective, yet reliable way of defining risk. Qualitative risk is typically defined using adjectives that enable various stakeholders to have a deeper understanding of the business.
In fact, having a clearly understood terminology that can be shared across departments provides a reliable path for risk management. Why? Because all stakeholders will be able to understand what the risk is- along with possible consequences. In this way, a strong foundation can be established for integrating compliance. This uniform risk definition also makes decision making much easier.
Risk Assessment Methodology Terminology
In addition to technique-related terms, your security team may also benefit from a more method-based approach. This approach includes the “Hows” of the process, and it provides guidance related to how you can build a strong compliance risk assessment.
1. OCTAVE Allegro
OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation are typically used to review current information systems. This method follows a qualitative approach and is done in small groups.
OCTAVE Allegro is useful because it uses numerical values without interrupting your daily operations. The OCTAVE Allegro framework is split into 4 main phases:
- Measuring risk in accordance with your organization’s mission and overall objectives. It also takes into account your important success factors.
- Determining all critical assets, developing a profile for each asset, and assessing the security and boundary requirements relevant to each asset identified.
- Identification of threats relevant to each information asset- while considering its specific containers.
- Identification of all risks to information assets- followed by a concrete risk mitigation approach.
2. Microsoft Security Assessment
For IT professionals using Microsoft-based products, the Microsoft Security Assessment tool can be of value. It is essentially a toolkit that outlines various solutions to specific scenarios. These solutions are also sometimes automated to meet various needs that your organization may have (in terms of security compliance). Solution accelerators help with communications, collaboration, and infrastructure management.
3. NIST SP 800-30
The NIST (National Institute of Standards and Technology) SP 800-30 is a 56-page document that outlines specific approaches to risk assessment. It includes a combination of both risk mitigation and evaluation processes broken into 9 distinct steps.
- Characterization of systems
- Identifying threats
- Identifying vulnerabilities to those threats
- Control analysis
- Determining your likelihood of threat exposure
- Assessing the impact of various threats
- Determination of risks
- Recommendation of various controls
- Documentation of results
The NIST SP 800-30 is more than just an outline for risk assessment. It is also a guidance resource that can help you find information about documenting various requirements. Simply put, it’s both a risk assessment and guidance documentation tool.
4. Information Risk Assessment Methodology 2
If you’re looking for risk assessment models that have been broken down into individual steps, the Information Risk Assessment Methodology 2 (IRAM 2) is your best solution. IRAM 2 breaks down risk assessment models into 6 tenets that are simple, yet effective.
How do they work? They focus on your most significant risk factors by taking into account both internal and external vulnerabilities. In addition, IRAM2 considers the effects of various risk factors on external stakeholders.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.