CIO

The Next Generation of Assessing Information Risk

Author: Steve Durbin, Managing Director, Information Security Forum

Digital information is the heart of today’s organisations. It’s growing exponentially, and its effective use and management is directly linked to the continued success of the modern enterprise. However, digital technologies and global interconnection have introduced a significant number of new risks and greatly amplified existing ones. There are now many significant, high-profile examples of information risks being realised, and their impacts continue to grow. Organisations simply must improve their management of information risk.

But doing so is a challenge. With the explosion of digital information, it’s not possible for organisations to protect all their information and associated systems to the same level. In addition, threats aren’t monolithic; they vary immensely in origin, intent, strength, and a multitude of other factors. While much has been written on this subject, there are few methodologies that provide an end-to-end approach to presenting a business-focused view of information risk.

That is, until now.

Information Risk Assessment Methodology

At the Information Security Forum, we recently introduced our Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, where many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes: each of its six phases details the steps and key activities required to achieve the phase objectives, and identifies the key information risk factors and outputs of that phase.

The six IRAM2 phases include:

1. Scoping
2. Business Impact Assessment
3. Threat Profiling
4. Vulnerability Assessment
5. Risk Evaluation
6. Risk Treatment

Let’s take a quick look at each phase.

Scoping

Scoping helps the practitioner to develop a comprehensive understanding of the area to be assessed. This involves understanding the business and technology components that comprise an organisational area and how they interrelate, as well as any other influencing characteristics of the organisation.

The practitioner may find defining an effective scope for a risk assessment to be particularly challenging. This is typically due to the complexities of modern organisations, which make it difficult to fully document or effectively map technology services to discrete business processes. While this difficulty can be mitigated by ensuring appropriate stakeholders are engaged, it is also recommended that you confine the scope to manageable areas for assessment. This may make it necessary to conduct multiple smaller assessments and then aggregate the results.

At the conclusion of the Scoping phase, you will have defined the scope of the environment being assessed, recorded the details and agreed it with key stakeholders.

Business Impact Assessment

Once an environmental profile has been completed and the scope of the assessment has been agreed, the next phase is to identify information assets in the environment and assess the business impact. The foundation for conducting a business impact assessment (BIA) in the context of information risk is the concept of information assets. IRAM2 provides guidance for identifying and assessing different business impact categories. Risk practitioners use this phase to determine the potential business impact should information assets or systems be compromised.

At the conclusion of the BIA phase, you will have gained a solid understanding of the information assets in the environment being assessed, and their business impact ratings. The practitioner will have documented and agreed the completed BIA with key stakeholders.

Threat Profiling

Once the BIA has been completed, the next phase of the assessment is to identify and prioritise the relevant threats to the environment being assessed, and to determine how they could manifest to cause harm to that environment. The first step in threat profiling involves determining which threats are relevant to the environment being assessed, thereby enabling the practitioner to populate a threat landscape.

Once the threat landscape for the environment being assessed has been populated and agreed, each threat it contains should be profiled. The goal of profiling the threats is to assess the relevant threat attributes for each threat, and then use the results to develop an understanding of two key risk factors:

  • Likelihood of Initiation (LoI): the likelihood that a particular threat will initiate one or more threat events against the environment being assessed
  • Threat Strength (TS): how effectively a particular threat can initiate and/or execute threat events against the environment being assessed

At the conclusion of the Threat Profiling phase, you will have gained a solid understanding of the threats to the environment being assessed, their related threat events, and how they could affect the various information assets in the environment. The practitioner will have recorded and agreed with key stakeholders the prioritised threat landscape, in-scope threat events, and impacted information assets/components.

Vulnerability Assessment

IRAM2 provides guidance for performing an assessment of vulnerabilities that influence the likelihood of a threat event being successful. Risk practitioners use this phase to examine the key factor that affects vulnerability levels: the strength of controls (i.e. their design and operational effectiveness).

At the conclusion of the Vulnerability Assessment phase, you will have gained a solid understanding of the degree to which the information assets within the environment being assessed are vulnerable to each in-scope threat event. The practitioner will have recorded and agreed the results of control assessment and related control strength ratings with key stakeholders.

Risk Evaluation

Once the Scoping, BIA, Threat Profiling and Vulnerability Assessment phases have been completed, the risk assessment can progress to the Risk Evaluation phase.

IRAM2 provides pragmatic guidance to help evaluate risks following the business impact assessment, threat profiling and vulnerability assessment stages. Risk practitioners use this phase to map the likelihood of successful threat events to the most appropriate business impact scenario and to link this into an organisation’s wider enterprise risk framework.

At the conclusion of the Risk Evaluation phase, you will have derived the residual risk rating for all risks in the environment being assessed, and agreed the prioritised residual risk profile.

Risk Treatment

After all risks have been evaluated and a residual risk rating has been determined for each risk, the next phase guides the practitioner through determining a risk treatment approach for each identified risk. Risk treatment typically involves one or more of four options, which are:

  • Mitigate: Improving existing controls, or implementing new controls, to reduce the identified risk.
  • Avoid: Avoiding one or all actions that lead to the risk.
  • Transfer: Changing the impacted party (in whole or in part) for a risk event from the organisation in question to another willing party.
  • Accept: Taking no further action in relation to the risk, and accepting the likelihood of the assessed impact occurring. This should only occur when a risk is within the organisation’s risk appetite.

Once the risk treatment options have been selected for each identified risk, a risk treatment plan can be developed for each risk for which the selected treatment option is not ‘accept’. The plan should clearly identify the actions to be taken to reduce each of these risks to an acceptable level. For the risk treatment options of ‘avoid’ or ‘transfer’, stakeholders are often required to help determine the appropriate risk treatment actions. For the risk treatment of ‘mitigate’, consideration should be given to which control(s) would result in the optimal amount of risk reduction.

At the conclusion of the Risk Treatment phase, the IRAM2 process is effectively complete. You will have developed and guided the implementation of a risk treatment plan for every risk in the prioritised residual risk profile. The practitioner should ensure that the final prioritised residual risk profile is recorded in the appropriate risk repositories and managed on an ongoing basis as part of the organisation’s broader enterprise risk management process.
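The phases from Business Impact Assessment through Risk Treatment form one procedure: asset impact ratings, threat LoI and TS, and control strength are combined into a likelihood and a residual risk rating, and each rating is then matched against the organisation's risk appetite to pick a treatment option. The following Python script is an added example of that flow over a small constructed environment; it is not ISF code, and the four-point scales, the rule that combines threat strength with control strength, and the banding of likelihood times impact onto a rating are assumptions made for the example rather than IRAM2's own rating tables.

```python
"""Worked pass through IRAM2-style phases 2-6 over a constructed environment.

All 1-4 ordinal scales and the rules that combine them are assumptions made
for this example; they are not IRAM2's own rating tables.
"""
from __future__ import annotations
from dataclasses import dataclass

SCALE = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}  # assumed scale


@dataclass(frozen=True)
class InformationAsset:          # Business Impact Assessment output
    name: str
    business_impact: int         # 1-4 rating agreed with stakeholders


@dataclass(frozen=True)
class Threat:                    # Threat Profiling output
    name: str
    loi: int                     # Likelihood of Initiation, 1-4
    strength: int                # Threat Strength, 1-4


@dataclass(frozen=True)
class ThreatEvent:               # one in-scope threat event against one asset
    threat: Threat
    asset: InformationAsset
    description: str
    control_strength: int        # Vulnerability Assessment output, 1-4


@dataclass(frozen=True)
class RiskResult:                # one row of the residual risk profile
    event: ThreatEvent
    likelihood: int
    rating: int
    treatment: str = "Undecided"


def likelihood_of_success(threat_strength: int, control_strength: int) -> int:
    """Assumed rule: likelihood of success rises one point for each point
    the threat's strength exceeds the control strength, clamped to 1-4."""
    return max(1, min(4, 2 + threat_strength - control_strength))


def risk_rating(likelihood: int, impact: int) -> int:
    """Assumed banding of likelihood x impact (1..16) onto the 1-4 scale."""
    score = likelihood * impact
    if score >= 12:
        return 4
    if score >= 8:
        return 3
    if score >= 3:
        return 2
    return 1


def evaluate(events: list[ThreatEvent]) -> list[RiskResult]:
    """Risk Evaluation: derive a residual rating per event and return the
    prioritised residual risk profile (highest rating first)."""
    results = []
    for ev in events:
        los = likelihood_of_success(ev.threat.strength, ev.control_strength)
        # An event needs both initiation and success, so the lower factor governs.
        likelihood = min(ev.threat.loi, los)
        rating = risk_rating(likelihood, ev.asset.business_impact)
        results.append(RiskResult(ev, likelihood, rating))
    return sorted(results, key=lambda r: (r.rating, r.likelihood), reverse=True)


def treatment_plan(profile: list[RiskResult], appetite: int,
                   overrides: dict[str, str] | None = None) -> list[RiskResult]:
    """Risk Treatment: accept anything within appetite; otherwise mitigate
    unless stakeholders chose 'Avoid' or 'Transfer' for that event."""
    overrides = overrides or {}
    plan = []
    for r in profile:
        if r.rating <= appetite:
            option = "Accept"
        else:
            option = overrides.get(r.event.description, "Mitigate")
        plan.append(RiskResult(r.event, r.likelihood, r.rating, option))
    return plan


# Constructed sample environment for the example (not real data).
CUSTOMER_DB = InformationAsset("Customer database", business_impact=4)
WEBSITE = InformationAsset("Marketing website", business_impact=2)
CRIMINAL = Threat("Organised criminal group", loi=3, strength=4)
INSIDER = Threat("Opportunistic insider", loi=2, strength=2)
EVENTS = [
    ThreatEvent(CRIMINAL, CUSTOMER_DB, "Exfiltration of customer records", control_strength=2),
    ThreatEvent(CRIMINAL, WEBSITE, "Defacement of public website", control_strength=3),
    ThreatEvent(INSIDER, CUSTOMER_DB, "Unauthorised browsing of records", control_strength=4),
]

if __name__ == "__main__":
    for r in treatment_plan(evaluate(EVENTS), appetite=2):
        print(f"{SCALE[r.rating]:9} {r.treatment:8} {r.event.description}")
```

Run as a script, the output is the prioritised residual risk profile with a treatment option per row: the customer-record exfiltration event rates Very High and is marked Mitigate, while the two Medium events fall within the assumed appetite of Medium and are accepted. Passing an `overrides` mapping records a stakeholder decision to avoid or transfer a particular risk instead of the default mitigate; anything accepted outside appetite would need the plan's threshold lowered, which keeps the "accept only within appetite" rule visible in one place.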

Identify, Analyse and Treat Risk

Threats, threat events, vulnerabilities and potential impacts are not necessarily static. This results in the need for the practitioner and key stakeholders to review risks on a regular basis, as well as when any contributing factor in the organisation or environment significantly changes.

As information risks and cyber security threats increase, organisations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organisation is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyse and treat information risk throughout the organisation.

About the Author

Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

This article is brought to you by Enex TestLab, content directors for CSO Australia.