Security Risk Assessment

Organizations have many reasons for taking a proactive and repetitive approach to addressing information security concerns. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, create an expectation for companies of all sizes to devote the utmost attention and priority to information security risks. An IT security risk assessment takes on many names and can vary greatly in terms of method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization’s information assets. This information is used to determine how best to mitigate those risks and effectively preserve the organization’s mission.

Some areas of rationale for performing an enterprise security risk assessment include:

Cost justification
Added security usually involves additional expense. Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.

Productivity
Enterprise security risk assessments should improve the productivity of IT operations, security and audit. By taking steps to formalize a review, create a review structure, collect security knowledge within the system’s knowledge base and implement self-analysis features, the risk assessment can boost productivity.

Breaking barriers
To be most effective, security must be addressed by organizational management as well as the IT staff. Organizational management is responsible for making decisions that relate to the appropriate level of security for the organization. The IT staff, on the other hand, is responsible for making decisions that relate to the implementation of the specific security requirements for systems, applications, data and controls.

Self-analysis
The enterprise security risk assessment system must always be simple enough to use, without the need for any security knowledge or IT expertise. This will allow management to take ownership of security for the organization’s systems, applications and data. It also enables security to become a more significant part of an organization’s culture.

Communication
By acquiring information from multiple parts of an organization, an enterprise security risk assessment boosts communication and expedites decision making.

Sample Questions

1.) The organization and its context

Have the internal and external issues that are relevant to Information Security, and that affect the achievement of its expected outcomes, been determined?

2.) Leadership and management commitment

Is the organization’s leadership commitment to Information Security demonstrated by:

  • Establishing the Information Security policy and objectives, in consideration of the strategic direction of the organization, and in promotion of continual improvement?

  • Ensuring the integration of the Information Security requirements into its business processes?

  • Ensuring resources are available for Information Security, and directing and supporting individuals, including management, who contribute to its effectiveness?

  • Communicating the importance of effective Information Security?

3.) Information Security policy

Is there an established Information Security policy that is appropriate, gives a framework for setting objectives, and demonstrates commitment to meeting requirements and for continual improvement?

Is the policy documented and communicated to employees and relevant interested parties?

4.) Roles and responsibilities

Are the roles within Information Security clearly defined and communicated?

Are the responsibilities and authorities for conformance and reporting on Information Security performance assigned?

5.) Information Security risk treatment

Is there an Information Security risk treatment process to select appropriate risk treatment options for the results of the Information Security risk assessment, and are controls determined to implement the risk treatment option chosen?

Has an Information Security risk treatment plan been formulated and approved by risk owners, and have residual Information Security risks been authorised by risk owners?

Is documented information about the Information Security risk treatment process available?

6.) Information Security resources and competence

Is Information Security adequately resourced?

Is there a process defined and documented for determining competence for Information Security roles?

Are those undertaking Information Security roles competent, and is this competence documented appropriately?

7.) Information Security objectives and planning to achieve them

Have measurable Information Security objectives and targets been established, documented and communicated throughout the organization?

In setting its objectives, has the organization determined what needs to be done, when and by whom?

8.) Information Security risk assessment

Has an Information Security risk assessment process been defined that establishes the criteria for performing Information Security risk assessments, including risk acceptance criteria?

Is the Information Security risk assessment process repeatable and does it produce consistent, valid and comparable results?

Does the Information Security risk assessment process identify risks associated with loss of confidentiality, integrity and availability for information within the scope of Information Security, and are risk owners identified?

Are Information Security risks analysed to assess the realistic likelihood and potential consequences that would result, if they were to occur, and have the levels of risk been determined?

Are Information Security risks compared to the established risk criteria and prioritised?

Is documented information about the Information Security risk assessment process available?

9.) Security controls – as applicable, based on the results of your Information Security risk assessment

Are Information Security policies that provide management direction defined and regularly reviewed?

Has a management framework been established to control the implementation and operation of security within the organization, including assignment of responsibilities and segregation of conflicting duties?

Are appropriate contacts with authorities and special interest groups maintained?

Is Information Security addressed in projects?

Is there a mobile device policy and teleworking policy in place?

Are human resources subject to screening, and do they have terms and conditions of employment defining their Information Security responsibilities?

Are employees required to adhere to the Information Security policies and procedures, provided with awareness, education and training, and is there a disciplinary process?

Are the Information Security responsibilities and duties communicated and enforced for employees who terminate or change employment?

Is there an inventory of assets associated with information and information processing, have owners been assigned, and are rules for acceptable use of assets and return of assets defined?

Is information classified and appropriately labelled, and have procedures for handling assets in accordance with their classification been defined?

Are there procedures for the removal, disposal and transit of media containing information?

Has an access control policy been defined and reviewed, and is user access to the network controlled in line with the policy?

Is there a formal user registration process assigning and revoking access and access rights to systems and services, and are access rights regularly reviewed, and removed upon termination of employment?

Are privileged access rights restricted and controlled, and is secret authentication information controlled, and users made aware of the practices for use?

Is access to information restricted in line with the access control policy, and is access controlled via a secure log-on procedure?

Are password management systems interactive and do they enforce a quality password?

Is the use of utility programs and access to program source code restricted?

Is there a policy for the use of cryptography and key management?

Are there policies and controls to prevent unauthorised physical access and damage to information and information processing facilities?

Are there policies and controls in place to prevent loss, damage, theft or compromise of assets and interruptions to operations?

Are operating procedures documented and are changes to the organization, business processes and information systems controlled?

Are resources monitored and projections made of future capacity requirements?

10.) Operational planning and control

Has a programme to ensure that Information Security achieves its outcomes, requirements and objectives been developed and implemented?

Is documented evidence retained to demonstrate that processes have been carried out as planned?

Are changes planned and controlled, and unintended changes reviewed to mitigate any adverse results?

Have outsourced processes been determined and are they controlled?

Are Information Security risk assessments performed at planned intervals or when significant changes occur, and is documented information retained?

Has the Information Security risk treatment plan been implemented and documented information retained?