If your information security team wants a stronger grip on cybersecurity and compliance risk, performing an IT risk assessment is where you begin. This post explores the methodology one should use for that risk assessment, including the different approaches to building a strong information security risk management program.
First question: What’s the difference between risk assessment and risk analysis?
A risk assessment identifies and catalogs all the potential risks to your organization’s ability to do business. Risk analysis then examines each identified risk and assigns it a score using one of two scoring methodologies: quantitative or qualitative.
Let’s take a closer look at each of these methods, and at how risk managers use them to understand information risk and then develop strong compliance programs and internal controls.
Qualitative Risk Analysis
A qualitative risk analysis is a technique that evaluates the danger of a risk-based on its possible outcomes and consequences and categorizes the risks by whether they are source-based or effect-based.
A source-based risk is one that derives from an internal vulnerability within an organization’s infrastructure: flawed access controls or password restrictions left inactive, for example. Effect-based risks, in contrast, occur as a result of something being introduced to the organization that creates a vulnerability: say, a new privacy regulation.
Qualitative risk assessment is subjective and more experienced-based than quantitative risk analysis. Each risk might be ranked with adjectives such as “low,” “medium,” or “severe.”
Quantitative Risk Analysis
Quantitative risk analysis assigns each risk a numerical value using algorithms and actuarial information.
A quantitative approach helps risk managers to determine the level of risk via a risk assessment matrix on a scale from low to high risk. These risks might be ranked along the lines of “10 percent probability” or “85 percent likely,” for example.
Using the risk matrix, senior management can make informed decision making to create corresponding IT security controls.
IT Risk Assessment Tools
Both qualitative and quantitative analyses support the risk management process by expanding your understanding of your business’s risk profile from different perspectives.
Assessments like those described above help the security team to build a risk profile comparing an asset’s value against the potential losses a risk might bring about. That insight helps risk managers understand the mitigation steps that are worth taking, and which ones aren’t.
Now that you have a good understanding of the types of risk analysis, let’s move on to the tools that can help you perform a risk assessment.
ISO 27005 is a standard from the International Organization for Standardization that provides a framework for risk management, but not a specific approach. In other words, it outlines what the risk assessment needs to include, but provides no specific steps to take.
ISO 27005 provides guidelines for defining how risk management relates to your business. That, in turn, provides the basis for creating the actual criteria and deliverables for information security risk management. Criteria might include:
- Identifying the impact of specific risks;
- Estimating an acceptable level of risk; and
- Determining what the organization’s risk management objectives should be.
ISO 27005 isn’t an approach to determine risk tolerance per se; senior executives or the board of directors should do that. Rather, ISO 27005 is important for risk management because it outlines all areas and risks to be reviewed.
NIST SP 800-30 Rev. 1
The National Institute of Standards and Technology published NIST SP 800-30 Rev. 1, which defines nine steps in the risk assessment process and explores related subjects such as risk evaluation and mitigation. The nine steps are:
- System Characterization
- Threat Identification
- Vulnerability Identification
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Control Recommendations
- Results Documentation
Unlike other risk assessment guidelines, NIST SP 800-30 lays out a risk management framework for carrying out the three parts of risk assessment: preparing for the assessment, conducting it, and maintaining the assessment after completion. NIST SP 800-30 also explores how other organizational risk management processes complement and inform each other.
Managing Risk Compliance
When it comes to IT risk assessment (and managing your cybersecurity compliance risk overall) you can’t leave anything to chance. Errors and omissions from manual processes and inexperienced hands can be costly and detrimental to your business reputation.
That’s why we recommend ZenGRC’s risk management and compliance software. ZenGRC’s user-friendly dashboards show you at a glance which risks need mitigating, track workflows, collect and store the documents you’ll need at audit time, and more.
Worry-free GRC is the way to be! Contact us now for your free consultation and demo of ZenGRC.