Formal Risk Assessment
Risk assessment is a straightforward and simple concept. Unfortunately, not many organizations understand what it really is. The result is botched risk assessment exercises that serve no real purpose except, in some cases, to meet the requirement of compliance standards (e.g., PCI DSS, ISO 27001) for a formal risk analysis.
Risk Assessment – What it really is
A risk assessment is analogous in many ways to visiting a hospital for a general health checkup. A qualified doctor examines the patient for signs of ill health and accordingly does one of the following:
- Certifies the patient as medically fit with no health-related problems
- Identifies and examines existing maladies and prescribes medication for their treatment
- Identifies conditions that will facilitate health issues in the future (e.g., obesity) and advises the patient on proactive corrective action to improve his/her health
A risk assessment works in much the same way. The objective is to analyze the current security posture of the environment, identify current problems, and identify what could go wrong in the future. So far so good. However, organizations face a number of challenges in implementing a risk assessment, some of which are as follows:
Challenges in Risk Assessment
- The patient’s health condition is volatile. What was applicable yesterday might be irrelevant today. In other words, the risk landscape is a dynamic entity that needs to be studied on an ongoing basis in order to identify new and evolving risk scenarios.
- Don’t run before you can walk. A formal risk assessment aims at prioritizing mitigation strategies: risk items are scored, weighted and ranked so that they can be managed in order of importance.
- Competence. Proper implementation of a risk assessment means it needs to be carried out by a professional with the following skills:
- Knowledge of the various risk assessment methodologies, in order to select the best one for a given organization
- It goes without saying that knowledge of the domain – whether it is networking, IT systems, people or processes – is mandatory for a good risk assessment.
However, finding your way through these challenges can be worth it, since risk assessments bring about many benefits for the organization:
Benefits of Risk Assessment:
- Know yourself: A clear picture of the organization’s security posture – you know what your biggest areas of weakness are and the most likely ways a potential threat would exploit them.
- Save: Risk assessments are a necessary investment. However, the savings they help an organization reap more than make up for that investment. Essentially, a risk assessment is the process of charting out a map before you take the journey through the jungle of fortifying your organization’s security. Imagine navigating a forest without a map and you will know what we mean.
How SISA can help:
- SISA has long been one of the pioneers in the security industry on effective formal risk assessments, both from a compliance perspective and from a security best-practice perspective. We know formal risk assessment better than most others.
- SISA’s formal risk assessment services are directed towards an effective and comprehensive formal risk assessment, and focus on the optimized selection of the correct and most relevant controls. Our risk management experts work with you to:
- Understand your unique business conditions and requirements.
- Drive risk assessment and risk management from a security-beyond-compliance perspective.
- SISA’s Security Consultants have up to 15 years of experience in formal risk management and are some of the most sought-after information security experts in the world. We have:
- Subject matter experts on a host of formal risk assessment methodologies such as ISO 27005, OCTAVE, NIST SP 800-30 and compliance standards like ISO 27001, PCI DSS, GLBA, FISMA, etc.
- Invited speakers at national and international conferences.
- Process consultants for various industry verticals such as banking, insurance, manufacturing, retail, etc.