Table of Contents
- Overview
- Standards
- Getting Started
- Risk Assessment (ISO 4.1)
- Third Party Assessments
- Risk Treatment (ISO 4.2)
- Resources
Overview
Risk management is the activity of assessing, mitigating, and monitoring risks to an organization. Information security risk management is a major subset of that process: it covers both the assessment of information security risks to the institution and the determination of appropriate management action, including setting priorities for managing and implementing controls to protect against those risks. The process can be broadly divided into two components:
- Risk assessment
- Risk treatment
Risk assessment identifies, quantifies, and prioritizes risks against both criteria for risk acceptance and objectives relevant to the organization. The assessment results guide the determination of appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against these risks. The assessment should include both a systematic approach to estimating the magnitude of risks and a process for comparing estimated risks against risk criteria to determine the significance of the risks.
Because this process involves institutional priorities and what is sometimes called the institution's "appetite for risk", it is a management function that obtains its primary direction from institutional leadership. The information security organization may staff and run the process, but the decisions regarding levels of acceptable risk come from institutional leadership. The Risk Management Framework provides useful guidance for this important step.
The scope of a risk assessment can be the whole organization, parts of the organization, an individual information system, or even specific system components or services. The process of assessing risks and selecting controls will need to be repeated a number of times: to cover different parts of the organization or individual information systems, to keep pace with constantly evolving security requirements, and after a significant change is introduced, for example when a new asset or service is introduced or a vulnerability is exploited or discovered.
Once a risk assessment is completed, the risk treatment can be explored. For each of the risks identified following the risk assessment a risk treatment decision needs to be made. Possible options for risk treatment include:
- knowingly and objectively accepting risks, provided they clearly satisfy the organization's policy and criteria for risk acceptance;
- applying appropriate controls to reduce the risks;
- avoiding risks by not allowing actions that would cause the risks to occur;
- transferring the associated risks to other parties, e.g. insurers or suppliers.
For each of the risks where the treatment decision is to apply some level of mitigation, the appropriate level of controls may be selected from other sections of this Security Guide or elsewhere. Controls should be selected to ensure that risks are reduced to an acceptable level, taking into account applicable federal, state, and local statute as well as other binding regulation; the institution's objectives; operational requirements and constraints; and the cost of implementation and operation relative to the potential harm and cost likely to result from a security failure.
It should be kept in mind that no mitigation can achieve complete security. Additional action should be implemented to monitor, evaluate and improve the effectiveness of security controls.
A vulnerability assessment is essentially an inventory of all known vulnerabilities. It is often thought of as a purely technical examination (network scanning and the like); however, a complete vulnerability assessment also covers physical, procedural, and other non-technical weaknesses.
The risk assessment then considers those vulnerabilities in light of the other elements of the risk formula, threats and impact (where impact combines the concepts of asset and value), so that the potential mitigations that might be applied can be prioritized.
Risk management encompasses risk assessment and vulnerability assessment along with mitigation. It also includes measuring the outcome of the process and repeating the process on a continuing basis.
Standards
- ISO 31000:2009, Risk Management: Principles and Guidelines
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
- COBIT PO9 (Plan and Organize, Domain 9): Assess and Manage IT Risks
- PCI DSS v2.0, released October 2010, is the Payment Card Industry Data Security Standard. Its Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance.
For a comparison of standards see the Symantec IT Controls Reference Chart.
Getting Started
Definitions
Certain terms are used in any discussion of risk management. The following definitions, selected and reproduced here from the ISO/IEC 17799:2005 and ISO/IEC 27001:2005 standards, are among the key words and phrases:
- control - means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.
- risk - combination of the probability of an event and its consequence.
- risk assessment - overall process of risk analysis and risk evaluation.
- risk management - coordinated activities to direct and control an organization with regard to risk.
- risk treatment - process of selection and implementation of measures to modify risk.
- threat - a potential cause of an unwanted incident, which may result in harm to a system or organization.
- vulnerability - a weakness of an asset or group of assets that can be exploited by one or more threats.
Key Resources
Although this section of the Security Guide provides links to several useful EDUCAUSE resources, there are three in that collection which are of particular note.
The first is a presentation, Practical Approaches to Effective Risk Management, best suited to those who want an introduction to and overview of risk management practices.
The second is the Risk Management Framework. This document provides an excellent and very adaptable outline of the entire risk management process, oriented entirely toward higher education institutions. Its phases, processes, and steps provide a very complete approach to information security risk management, while recognizing that different schools have different requirements depending on culture, funding, classification, mission, and other factors. It includes many useful examples and "starter kits" for various processes.
The third is the Information Security Governance (ISG) Self Assessment Tool for Higher Education. This document is intended to help an institution assess its reliance on information technology and determine the maturity of ISG at a strategic level. It is particularly useful in guiding a conversation about the state of information security, in gaining institutional buy-in and participation in setting priorities, and tracking strategic improvements over time. It is provided in both PDF form, for easy printing, and as a Microsoft Excel (TM) spreadsheet for easy scoring. http://www.educause.edu/Resources/InformationSecurityGovernanceA/160639
Risk Assessment (ISO 4.1)
Objective: Analyze and evaluate risk.
For those wishing to augment staff resources with external expertise, take a look at the Sample Request For Proposals (RFP).
Several universities are taking a more proactive approach, partnering with university stakeholders to introduce risk assessments into the project life cycle as early as possible. Georgia State, for example, has built its risk assessment into the IT Procurement Review process so that security is considered at the earliest point of that process.
Third Party Assessments
Institutions of higher education are increasingly using outsourced services. While sensitive data processes and services can be outsourced, responsibility for the associated risk cannot. This section provides information to help institutions evaluate the risk of outsourcing.
Institutions cannot overlook the need to manage the risk to their information assets that are accessed, processed, communicated to, or managed by external parties (partners, vendors, contractors, etc.). Some external parties provide independent audits based on the Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70), which focuses on the design of controls and their operating effectiveness. When independent audit opinions are not available, institutions might choose to evaluate the risk themselves. We have compiled a partial list of Information Security Risk Assessment Consultants used by higher education.
It is important to address the risk early in the procurement phase of the relationship with external parties so that roles, responsibilities, and expectations can be clearly defined in agreements or contracts. The following EDUCAUSE resources list papers and provide help with contract language and legal issues.
- If It's in the Cloud, Get It on Paper: Cloud Computing Contract Issues
- Suggested Readings on Cloud Computing and Shared Services
- Data Protection Contractual Language in the EDUCAUSE Security Guide
- Legal and Quasi-Legal Issues in Cloud Computing Contracts
- Security Risk Assessment and Analysis portal for EDUCAUSE publications, presentations and other risk assessment and analysis resources.
- Risk Management portal for EDUCAUSE publications, presentations and other resources on this topic.
- Privacy Risk Assessment portal for EDUCAUSE publications, presentations and other resources on this topic.
- Foundations for Effective Security Risk and Program Assessment, EDUCAUSE Security Professionals Conference 2010
Risk Treatment (ISO 4.2)
Objective: Develop a plan that identifies the controls necessary to reduce, retain, avoid, or transfer identified risks.
Step 1: Develop options to mitigate risk
Step 2: Confer with management to agree upon strategy.
In addition, you can create a risk register (registry), a tool that assists with managing and tracking risks: record each identified risk, its severity, the treatment decision, and the action steps to be taken, and share the register with management and risk stakeholders. Finally, organizations that have a mature risk management program in place may want to explore purchasing a GRC tool to automate the business processes associated with governance, risk, and compliance. Before investing in a GRC tool, review the GRC FAQ to help build your institution's requirements.
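The following is an added example, not code from the EDUCAUSE Security Guide. It ties together the risk formula described under Overview (risk as the combination of probability and consequence, considered per asset, threat, and vulnerability) and the risk register described above: each risk is scored as likelihood times impact, prioritized, checked against a risk-acceptance criterion, and recorded with one of the four treatment decisions (accept, mitigate, avoid, transfer) and its residual score. The 1-5 rating scales, the acceptance threshold of 6, and the sample risks are constructed assumptions; an institution's own scales and threshold come from leadership, as the Overview explains.

```python
"""Minimal risk register: likelihood x impact scoring, prioritization, and treatment.

Added example for this guide (not EDUCAUSE code). Scales, threshold, and the
sample risks are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scales for likelihood and impact
ACCEPTANCE_THRESHOLD = 6      # assumed criterion: a residual score <= 6 is acceptable


class Treatment(Enum):
    ACCEPT = "accept"        # knowingly retain the risk (only within the criterion)
    MITIGATE = "mitigate"    # apply controls to reduce likelihood and/or impact
    AVOID = "avoid"          # stop the activity that gives rise to the risk
    TRANSFER = "transfer"    # shift consequences to an insurer or supplier


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # 1 rare .. 5 almost certain
    impact: int                          # 1 negligible .. 5 severe
    treatment: Optional[Treatment] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.risk_id}: rating {v} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent_score(self) -> int:
        """Risk before treatment: probability of the event times its consequence."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk after the recorded treatment; an untreated risk keeps its inherent score."""
        if self.treatment is Treatment.AVOID:
            return 0  # the activity no longer takes place
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

    def within_appetite(self) -> bool:
        return self.residual_score() <= ACCEPTANCE_THRESHOLD


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest inherent score first; ties broken by id so the order is reproducible."""
    return sorted(register, key=lambda r: (-r.inherent_score(), r.risk_id))


def decide(risk: Risk, treatment: Treatment, controls: Optional[List[str]] = None,
           residual_likelihood: Optional[int] = None,
           residual_impact: Optional[int] = None) -> Risk:
    """Record a treatment decision; ACCEPT is refused when the score exceeds the criterion."""
    if treatment is Treatment.ACCEPT and risk.inherent_score() > ACCEPTANCE_THRESHOLD:
        raise ValueError(f"{risk.risk_id}: score {risk.inherent_score()} exceeds acceptance criterion")
    for v in (residual_likelihood, residual_impact):
        if v is not None and not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"{risk.risk_id}: residual rating {v} outside scale")
    risk.treatment = treatment
    risk.controls = list(controls or [])
    risk.residual_likelihood = residual_likelihood
    risk.residual_impact = residual_impact
    return risk


def open_items(register: List[Risk]) -> List[Risk]:
    """Risks still needing attention: no decision yet, or residual risk above appetite."""
    return [r for r in register if r.treatment is None or not r.within_appetite()]


def build_sample_register() -> List[Risk]:
    """Constructed sample risks (not real institutional data)."""
    return [
        Risk("R1", "student records database", "external attacker", "SQL injection in web portal", 4, 5),
        Risk("R2", "staff laptops", "theft or loss", "disk not encrypted", 3, 4),
        Risk("R3", "public web site", "defacement", "unpatched CMS plugin", 2, 2),
        Risk("R4", "payroll (outsourced SaaS)", "provider outage", "no independent audit of provider", 2, 4),
        Risk("R5", "legacy grants application", "exploitation of known flaws", "vendor issues no patches", 4, 3),
    ]


def treat_sample_register(register: List[Risk]) -> List[Risk]:
    """One decision per sample risk, covering all four treatment options."""
    by_id = {r.risk_id: r for r in register}
    decide(by_id["R1"], Treatment.MITIGATE, ["parameterized queries", "web application firewall"], residual_likelihood=1)
    decide(by_id["R2"], Treatment.MITIGATE, ["full-disk encryption", "remote wipe"], residual_impact=1)
    decide(by_id["R3"], Treatment.ACCEPT)
    decide(by_id["R4"], Treatment.TRANSFER, ["contractual SLA and liability clause", "cyber insurance"], residual_impact=2)
    decide(by_id["R5"], Treatment.AVOID, ["decommission application"])
    return register


if __name__ == "__main__":
    reg = treat_sample_register(build_sample_register())
    for r in prioritize(reg):
        print(f"{r.risk_id} {r.inherent_score():2d} -> {r.residual_score():2d} {r.treatment.value:9s} {r.asset}")
    print("open items:", [r.risk_id for r in open_items(reg)])
```

Two design points worth noting. The accept option is enforced in code rather than left to convention: `decide()` refuses to accept a risk whose score exceeds the acceptance criterion, which is exactly the "provided they clearly satisfy the organization's policy and criteria for risk acceptance" condition from the Overview. And `open_items()` is the monitoring hook: because no mitigation achieves complete security, anything with an undecided treatment or a residual score still above appetite stays on the list until it is re-assessed, which is what makes the register a tracking tool rather than a one-time report.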
Specific Risk Treatment Examples
- Cyber insurance as a way to transfer risk: see the Cyber Insurance portal for EDUCAUSE publications, presentations, videos, and more.
- Standard Person Digital Identifies was selected by Virginia Tech after completing its risk assessment (see the campus case study Identity Assurance at Virginia Tech below).
Resources
Campus Case Studies On This Page
Identity Assurance at Virginia Tech
Georgia State University's IT Procurement Review Process--Practical Approach to Assessing Risks of IT Projects (last updated October 2008)
EDUCAUSE Resources
- Practical Approaches to Effective Risk Management, Presentation at EDUCAUSE Annual Conference, 2011
- If It's in the Cloud, Get It on Paper: Cloud Computing Contract Issues, Presentation at the West/Southwest Regional Conference, 2011
- Proactive Compliance through Information Systems Risk Management, Presentation at the MidAtlantic Regional Conference, 2011
- Cyber Insurance portal for EDUCAUSE publications, presentations and other resources on this topic.
- Suggested Readings on Cloud Computing and Shared Services in the EDUCAUSE Security Guide
- Legal and Quasi-Legal Issues in Cloud Computing Contracts
- Taking Risk Assessment from Project to Process: A Novel Approach Presentation at the Security Professionals Conference, 2010
- Risk Management Framework for an adaptable approach to risk management oriented toward higher education.
- Risk Assessment Tools for a list of some tools available to aid in risk assessment and management.
- Information Security Risk Assessment Consultants for a partial list of consultants used by higher education.
- Security Risk Assessment and Analysis portal for EDUCAUSE publications, presentations and other risk assessment and analysis resources.
- Risk Management portal for EDUCAUSE publications, presentations and other resources on this topic.
- Information Security Governance Assessment Tool is intended to help a president or institutional leadership identify general areas of concern as they relate to the ISG Framework.
- Privacy Risk Assessment portal for EDUCAUSE publications, presentations and other resources on this topic.
- Foundations for Effective Security Risk and Program Assessment, EDUCAUSE Security Professionals Conference 2010
- Governance Risk Compliance (GRC) Frequently Asked Questions 2012
Initiatives, Collaborations, & Other Resources
- Statement on Standards for Attestation Engagements (SSAE) No. 16 (formerly SAS 70) focuses on the design of controls and their operating effectiveness.
- Payment Card Industry Standard (PCI)
- Verizon's Annual Data Breach Investigations Report provides known threat vector information
- Evaluating Cloud Risk for the Enterprise: A Shared Assessments Guide
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.