Why should the analysis of risk include consideration of potential impact

A risk assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.

There are numerous hazards to consider. For each hazard there are many possible scenarios that could unfold depending on timing, magnitude and location of the hazard. Consider hurricanes:

  • A hurricane forecast to make landfall near your business could change direction and go out to sea.
  • The storm could intensify into a major hurricane and make landfall.


There are many “assets” at risk from hazards. Injuries to people should be the first consideration of the risk assessment. Hazard scenarios that could cause significant injuries should be highlighted to ensure that appropriate emergency plans are in place. Many other physical assets may be at risk. These include buildings, information technology, utility systems, machinery, raw materials and finished goods. The potential for environmental impact should also be considered. Consider the impact an incident could have on your relationships with customers, the surrounding community and other stakeholders. Consider situations that would cause customers to lose confidence in your organization and its products or services.

As you conduct the risk assessment, look for vulnerabilities—weaknesses—that would make an asset more susceptible to damage from a hazard. Vulnerabilities include deficiencies in building construction, process systems, security, protection systems and loss prevention programs. They contribute to the severity of damage when an incident occurs. For example, a building without a fire sprinkler system could burn to the ground while a building with a properly designed, installed and maintained fire sprinkler system would suffer limited fire damage.

The impacts from hazards can be reduced by investing in mitigation. If there is a potential for significant impacts, then creating a mitigation strategy should be a high priority.

In today’s information-dependent organisations, it is fundamental to assess and manage information-related risks, as well as the underlying IT-related risks. Information Risk Assessment and Risk Management is essential in ensuring that controls and expenditures are fully commensurate with the risks the organisation is exposed to.

  • Deterrent controls: to reduce the likelihood of a deliberate attack
  • Preventative controls: to mitigate vulnerabilities or to reduce the chances of an attack being successful
  • Corrective controls: to lessen the effect or impact of an attack
  • Detective controls: to discover attacks and trigger preventative or corrective controls

These elements can be illustrated by a simple relational model:


Benefits of a Risk Assessment Program

According to ISO27000, the benefits of a Risk Assessment/Analysis program include:

Cost Justification

Additional security almost always involves additional expense. As this does not directly generate income, it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for security recommendations in business terms.

A Risk Analysis program should enhance the productivity of the security or audit team. By creating a review structure, formalising a review, pooling security knowledge in the system's "knowledge base" and utilising "self-analysis" features, much more productive use of time is possible. The ability to 'build in' expertise should also alleviate the need for expensive external security consultants.

Breaking Barriers - Business Relationships

Security should be addressed by both business management and IT staff. Business management is responsible for decisions relating to the security risk/level that the enterprise is willing to accept at a given time (which involves consideration of potential business impact). IT management is responsible for decisions relating to specific controls and application.

Risk Analysis should not only direct appropriate information at each group but play a major and proactive role in enhancing the understanding of the needs and role of the other. It should bring the two groups closer together. Risk Analysis should relate security directly to business issues.

Self-Analysis

The Risk Assessment system should be simple enough to enable its use without necessitating particular security knowledge, or indeed, IT expertise. This approach enables security to be driven into more areas and to become more devolved. It enables security to become part of the enterprise's culture, allowing business unit management to take more of the responsibility for ensuring an adequate and appropriate level of security.

Security Awareness

The wide-scale application of a risk assessment program, by actively involving a greater number and wider range of staff, will place security on the agenda for discussion and increase security awareness within the enterprise.

Targeting Of Security

Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities. Failure to achieve this could result in excessive or unnecessary expenditure. Risk Analysis promotes far better targeting and facilitates related decisions. This applies not only to which areas of a particular system resources should be directed to, but also to which business systems. Through the application of Risk Analysis across multiple business units, it is possible to quickly establish the areas of greatest risk to the enterprise as a whole.

'Baseline' Security and Policy

Many enterprises require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (e.g. the Data Protection Act), enterprise policy, regulatory controls, etc. The Risk Analysis methodology should support such requirements and enable rapid identification of any failings.

Consistency

A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This applies not only across different applications, but also across different types of business system. It should also embrace those systems not under the direct control of IT management: paper-based systems, PC systems, or systems utilising other office equipment.

Communication

By obtaining information from different parts of a business unit, a Risk Assessment aids communication and facilitates decision making.

There are also a number of other important, but less tangible, benefits to be accrued via the application of Risk Analysis.

Risk Assessment Software Packages

FORFIRM Risk assessment software packages are available and these tools provide an alternative to conducting the risk assessment process manually, in that they provide an automated means of executing portions of the risk assessment process. Some are designed to handle the analysis of large integrated information systems while others evaluate smaller, stand-alone systems.

While the use of automated tools may facilitate data collection and analysis, tools are neither necessary nor required to perform an effective risk assessment. Additionally, risk assessment tools rarely reduce the level of involvement of the client, and therefore, the decision to use such a tool is at the discretion of the engagement manager.

Methodology Overview and Objectives

FORFIRM Risk Assessment Methodology aims to facilitate and support any of the following:

  • Stand-Alone Risk Assessment Projects
  • Risk Assessment as part of an Enterprise Security Architecture System (ESAS) engagement
  • Risk Assessment for regulatory or industry compliance/certification projects

In order to complete a risk assessment, there must be some sort of classification scheme in place. This methodology will start off by presenting suggestions and guidelines on how to conduct an information classification exercise, and upon achieving the results of this exercise, execute a comprehensive risk assessment to cover all critical business information identified.

A Risk Assessment addresses external, internal, accidental and intentional threats to the organisation, the organisation’s level of vulnerability to these threats and ultimately determines the level of risk the organisation is exposed to.  In fact, these ideas of threat, vulnerability and risk are fundamental to any risk assessment exercise.  This document will serve to put these ideas into context, and provide the reader with a basic understanding of a Risk Assessment; covering major areas as presented within international risk management standards.

This practice aid will also provide a general guideline to executing a comprehensive Risk Assessment.

One other fundamental concept is Risk Management, which addresses ways to treat risk.  Security controls should be implemented in relation to the importance of the information.  Perhaps more importantly, information confidentiality, integrity, and availability can then be improved due to the enhanced controls.

Risk Assessment and FORFIRM Information Security Framework

Considering that “Risk Assessment” is an essential element within the FORFIRM Information Security Framework, the next section will provide an overview to where it fits from a high-level perspective and how it benefits the organisation’s security framework overall.

FORFIRM Information Security Framework is a comprehensive and proven model.  It defines the various interrelated aspects of information security that need to be examined and implemented to ensure an organisation is efficiently and effectively secured.  The Information Security Framework was developed to help demonstrate an organisation’s security challenges from a business perspective and to provide a structured approach to support enterprise security initiatives.

The Information Security Framework has many different building blocks that form a solid foundation and structure.  The result is a comprehensive, cohesive model for assessing information protection efforts that takes into consideration all of the aspects of an organisation – from business processes to technologies to end-user employees.


Elements and Components of the Information Security Framework

The Information Security Framework can be broken up into four basic areas, each with unique elements.  These areas include:

The Four Pillars:

  • Security Vision and Strategy
  • Senior Management Commitment
  • Training and Awareness Program
  • Information Security Management Structure

The Decision Driver Elements:

  • Technology Strategy and Usage
  • Business Initiatives and Processes
  • Risk Assessment

The Development Elements:

  • Policy and Standards
  • Security Model
  • Security Architecture and Technical Security Standards

The Implementation Elements:

  • Enforcement Processes
  • Monitoring Processes
  • Response & Recovery Processes

FORFIRM utilises the Information Security Framework to assess an organisation’s current information protection environment and recommend enhancements to an organisation’s security program.  The use of the Information Security Framework ensures comprehensive coverage of a security environment at an enterprise level view.  As illustrated in the framework, conducting a risk assessment is a key Decision Driver Element for information protection, and it must be considered when constructing a comprehensive enterprise-wide security program.

What considerations must you include in your risk analysis?

Risk analysis involves a detailed consideration of uncertainties, hazards, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Why is it important to identify potential risks?

Risk identification enables businesses to develop plans to minimize harmful events before they arise. The objective of this step is to identify all possible risks that could harm company operations, such as lawsuits, theft, technology breaches, business downturns, or even a Category 5 hurricane.

What is the potential impact of the risk?

Impact risk is the likelihood that impact will differ from what was expected, and that the difference will be material from the perspective of the people or the planet experiencing that impact.

What is the potential impact of conducting a risk assessment?

Risk assessments can drastically reduce the likelihood of work-related accidents and ill-health. They raise awareness about hazards and the risks they pose and help employers identify ways to minimise health and safety risks.