BradEgeland.com

Risk Assessment for Information Security

4/18/2019

Because data security has become a top concern for most businesses, the debate has shifted from whether to assess risk to which techniques do it best. Risk assessment methods and programs should be key components of your security plan, since they give your team a defensible basis for compliance decisions. Effective risk assessment methods also leave your business better prepared for emerging threats and for changes to compliance regulations.

To help your security team get a better handle on current and future risks, this piece explains the terminology that forms the basis of a compliance risk assessment.

Risk Assessment Technique Terminology

The first set of terms your information security team should know relates to specific techniques. This is essentially the “what” of the process: the ISO 27005 requirements, qualitative risk analysis, and quantitative risk analysis.

1. ISO 27005
ISO/IEC 27005 is the international standard for information security risk management and the companion to ISO/IEC 27001. Rather than laying out a step-by-step methodology, it describes what your risk assessment should ultimately contain: context establishment, risk identification, analysis and evaluation, risk treatment and acceptance, and ongoing monitoring and review. ISO 27005 is useful for your security team to review because it covers the whole information security risk cycle, not only the assessment itself. It does not, however, prescribe a scoring technique, so you still have to choose a quantitative or qualitative method and a methodology such as the ones described below.

2. Quantitative Risk Analysis
Quantitative risk analysis assigns a numerical value to each risk so that its possible effect on your business can be compared with other risks and with the cost of controls. The basic formula is “Risk = Probability x Loss”; in its usual annualized form, the annualized loss expectancy (ALE) is the annual rate of occurrence (ARO) multiplied by the single loss expectancy (SLE). The probability is derived from historical data taken from relevant business records, such as incident logs, outage reports, and insurance claims. You can only quantify a risk accurately if you have enough data to estimate that probability; if your records are thin or cover too short a period, the resulting figure carries false precision and should be flagged as an estimate or replaced by a qualitative rating.

3. Qualitative Risk Analysis
Even without numerical values, qualitative risk analysis provides a subjective but repeatable way of defining risk, provided the scale is defined once and applied consistently. Qualitative risk is typically expressed with ordinal terms (low, medium, high, or similar adjectives) for likelihood and impact, which lets stakeholders from different departments discuss the same risk without needing the underlying data.

In fact, a clearly understood terminology shared across departments provides a reliable path for risk management. Why? Because every stakeholder can understand what the risk is, along with its possible consequences. In this way a strong foundation is established for integrating compliance, and a uniform risk definition makes decision making much easier. The trade-off is that qualitative ratings cannot be compared directly with the cost of a control, so they are best used to prioritise work rather than to justify spending.
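The following is an added example (not code from the article or its author) of the quantitative analysis described above: ARO is estimated only from an incident history, ALE is ARO times SLE, and a scenario whose history is too short is handed back for qualitative assessment rather than being given a number it cannot support. The `MIN_YEARS` threshold, the `annual_net_benefit` helper (which goes one step beyond the text, to comparing ALE against a control's cost) and the sample register are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the article. Quantitative risk analysis in the form
# the text describes: Risk = Probability x Loss, written in the usual
# ALE = ARO x SLE terms. The probability (ARO) comes only from a historical
# record; when that record is too short the scenario is handed back for a
# qualitative assessment instead of being given a number it cannot support.

MIN_YEARS = 3  # assumption: fewer observed years than this -> do not quantify


@dataclass
class Scenario:
    name: str
    incidents_per_year: list  # historical record: one incident count per observed year
    single_loss: float        # SLE: expected loss from one occurrence, in currency units


@dataclass
class Assessment:
    name: str
    aro: Optional[float]  # annualised rate of occurrence, None if not quantifiable
    ale: Optional[float]  # ARO x SLE, None if not quantifiable
    note: str


def annual_rate(history, min_years=MIN_YEARS):
    """ARO estimated as the mean incident count per observed year.
    Returns None when the record is shorter than min_years."""
    if len(history) < min_years:
        return None
    return sum(history) / len(history)


def assess(scenario):
    aro = annual_rate(scenario.incidents_per_year)
    if aro is None:
        years = len(scenario.incidents_per_year)
        return Assessment(scenario.name, None, None,
                          f"only {years} year(s) of records; assess qualitatively")
    return Assessment(scenario.name, aro, aro * scenario.single_loss,
                      "quantified from incident history")


def rank(scenarios):
    """Quantified scenarios first, highest ALE at the top; the unquantified
    ones follow so that they are not silently dropped from the register."""
    results = [assess(s) for s in scenarios]
    quantified = sorted((r for r in results if r.ale is not None),
                        key=lambda r: r.ale, reverse=True)
    unquantified = [r for r in results if r.ale is None]
    return quantified + unquantified


def annual_net_benefit(ale_before, ale_after, annual_control_cost):
    """Expected annual loss avoided by a control, minus what the control costs.
    Positive means the control pays for itself on the ALE figures alone."""
    return (ale_before - ale_after) - annual_control_cost


# Constructed sample register (made up for this example).
SAMPLE = [
    Scenario("Phishing leading to credential theft", [4, 6, 5, 5], 12_000),
    Scenario("Ransomware on file servers", [0, 0, 1], 400_000),
    Scenario("Lost or stolen laptop", [2, 3, 1, 2, 2], 8_000),
    Scenario("Cloud storage misconfiguration", [1], 250_000),  # too new to quantify
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        ale = f"{r.ale:,.0f}" if r.ale is not None else "n/a"
        print(f"{r.name:40} ARO={r.aro}  ALE={ale}  ({r.note})")
    # e.g. an email filter costing 20,000/yr that cuts phishing ARO from 5 to 1
    print("net benefit:", annual_net_benefit(60_000, 12_000, 20_000))
```

Note that the ransomware scenario ranks first on ALE despite a single observed incident: three years of zeros and a one is just enough data under the threshold, but the estimate is fragile, which is exactly the situation the text warns about. A practitioner would raise `MIN_YEARS`, or keep the figure but record the sample size beside it.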

Risk Assessment Methodology Terminology

In addition to technique-related terms, your security team may also benefit from a more method-based approach. This approach includes the “Hows” of the process, and it provides guidance related to how you can build a strong compliance risk assessment.

1. OCTAVE Allegro
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University's Software Engineering Institute, is typically used to review current information systems. OCTAVE Allegro is the streamlined variant of the method: it follows a qualitative approach, focuses on information assets rather than on every IT component, and is designed to be carried out by a small team without a large organization-wide workshop.

OCTAVE Allegro is useful because it produces a relative risk score for prioritisation without interrupting your daily operations. The framework is split into 4 main phases:
  1. Establishing risk measurement criteria in line with your organization's mission, objectives, and critical success factors, so that impact can be rated consistently.
  2. Profiling critical information assets: identifying each asset, developing a profile for it, recording its security requirements, and mapping the containers (systems, people, and physical locations) in which it is stored, transported, or processed.
  3. Identifying threats to each information asset through areas of concern and threat scenarios, considered against its specific containers.
  4. Identifying and analysing the risks to each information asset, followed by a concrete mitigation approach for each one.

2. Microsoft Security Assessment
For IT professionals using Microsoft-based products, the Microsoft Security Assessment Tool can be of value. It is essentially a toolkit that outlines solutions for specific scenarios, some of them automated, to meet the security compliance needs your organization may have. Microsoft's solution accelerators help with communications, collaboration, and infrastructure management. Treat its output as a starting checklist for a Windows estate rather than as a complete risk assessment: it does not replace the threat identification and likelihood and impact steps that the other methods here describe.

3. NIST SP 800-30
NIST (National Institute of Standards and Technology) Special Publication 800-30, Risk Management Guide for Information Technology Systems, is a roughly 56-page document that outlines a specific approach to risk assessment. It combines risk evaluation with risk mitigation guidance and breaks the assessment into 9 distinct steps:
  1. Characterization of systems
  2. Identifying threats
  3. Identifying vulnerabilities to those threats
  4. Control analysis
  5. Determining your likelihood of threat exposure
  6. Assessing the impact of various threats
  7. Determination of risks
  8. Recommendation of various controls
  9. Documentation of results

The 9 steps above are those of the original 2002 edition of SP 800-30. Revision 1, published in 2012, reorganizes the same work into preparing for, conducting, communicating, and maintaining the assessment, and adds reference tables for threat sources, likelihood, and impact; if you cite the document in a compliance program, state which edition you follow. Either way, SP 800-30 is more than an outline for risk assessment. It is also a guidance resource that explains how to document the inputs and outputs of each step. Simply put, it is both a risk assessment method and a documentation guide.
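As an added example (not NIST's code and not from the article), here is a minimal run through the 9 steps above for one small system. The likelihood weights (0.1, 0.5, 1.0), impact weights (10, 50, 100) and risk scale (High above 50, Medium above 10 to 50, Low 1 to 10) are those of Table 3-6 in the 2002 edition of SP 800-30; the one-level likelihood reduction for an effective existing control, the recommendation wording, and the sample payroll system are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Added example, not from NIST or the article. A minimal run through the nine
# steps of NIST SP 800-30 (2002 edition). The likelihood weights, impact weights
# and risk scale are those of the document's Table 3-6; everything else (the
# one-level likelihood reduction for an effective control, the recommendation
# text, the sample system) is an assumption made for this example.

LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}  # SP 800-30 Table 3-6
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}        # SP 800-30 Table 3-6
LEVELS = ["Low", "Medium", "High"]

# Step 8 assumption: what to recommend at each risk level.
RECOMMENDATION = {
    "High": "corrective measures required before (continued) operation",
    "Medium": "corrective measures required; plan and implement within a reasonable period",
    "Low": "accept the risk, or apply corrective measures if they are cheap",
}


@dataclass
class Control:
    name: str
    effective: bool  # step 4 judgement: does it actually reduce the likelihood?


@dataclass
class ThreatVulnPair:
    threat_source: str    # step 2
    vulnerability: str    # step 3
    likelihood: str       # step 5 input, before existing controls are considered
    impact: str           # step 6
    controls: list = field(default_factory=list)  # step 4: existing controls


@dataclass
class System:
    name: str             # step 1: system characterization
    boundary: str
    pairs: list


def risk_level(score):
    """SP 800-30 Table 3-6 risk scale: High > 50, Medium > 10 to 50, Low 1 to 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def adjusted_likelihood(level, controls):
    """Steps 4 and 5 assumption: at least one effective existing control lowers
    the likelihood by one level; ineffective controls change nothing."""
    if any(c.effective for c in controls) and LEVELS.index(level) > 0:
        return LEVELS[LEVELS.index(level) - 1]
    return level


def determine_risk(pair):
    """Steps 5 to 8 for one threat/vulnerability pair."""
    likelihood = adjusted_likelihood(pair.likelihood, pair.controls)
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[pair.impact]
    level = risk_level(score)
    return {
        "threat_source": pair.threat_source,
        "vulnerability": pair.vulnerability,
        "existing_controls": [c.name for c in pair.controls],
        "likelihood": likelihood,
        "impact": pair.impact,
        "score": score,
        "risk": level,
        "recommendation": RECOMMENDATION[level],
    }


def document_results(system):
    """Step 9: the report rows for the system, highest risk first."""
    rows = [dict(system=system.name, boundary=system.boundary, **determine_risk(p))
            for p in system.pairs]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample system (made up for this example).
PAYROLL = System(
    name="Payroll web application",
    boundary="app server, database, and the HR office network segment",
    pairs=[
        ThreatVulnPair("External attacker", "SQL injection in the login form",
                       likelihood="High", impact="High"),
        ThreatVulnPair("Malicious insider", "Shared administrator account",
                       likelihood="Medium", impact="High",
                       controls=[Control("Privileged session logging", effective=True)]),
        ThreatVulnPair("External attacker", "TLS 1.0 still enabled on the app server",
                       likelihood="Medium", impact="Medium",
                       controls=[Control("Annual penetration test", effective=False)]),
        ThreatVulnPair("Flood or fire in the data centre", "No off-site backup",
                       likelihood="Low", impact="Medium"),
    ],
)

if __name__ == "__main__":
    for row in document_results(PAYROLL):
        print(f"{row['risk']:6} {row['score']:6}  {row['threat_source']} / "
              f"{row['vulnerability']} -> {row['recommendation']}")
```

The point of carrying the threat and the vulnerability as a pair (steps 2 and 3) is that the same vulnerability can rate differently against different threat sources, and that an existing control (step 4) is credited only when someone has judged it effective; a penetration test that happens once a year does nothing to the likelihood of a misconfiguration that is still in place.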

4. Information Risk Assessment Methodology 2
If you are looking for a risk assessment model that has been broken down into individual steps, the Information Security Forum's Information Risk Assessment Methodology 2 (IRAM2) is a strong candidate. IRAM2 breaks the assessment into 6 phases (scoping, business impact assessment, threat profiling, vulnerability assessment, risk evaluation, and risk treatment) that are simple yet effective.

How do they work? They focus on your most significant risks by considering both internal and external threats and vulnerabilities, and by assessing business impact before threats are profiled, so that effort goes to the information that matters most. In addition, IRAM2 considers the effects of risk on external stakeholders, not only on your own organization.

Author Bio
​

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.