Checklist: what not to forget when assessing information security risks?
The world is learning to work remotely. Threats that used to be contained by the office security perimeter have now become relevant, and companies themselves are more vulnerable. Timely identification of information security (IS) risks and their reduction to an acceptable level is something the business processes of companies need not in the distant future, but here and now. A risk-oriented approach lets you focus on what matters and avoid spending money on reducing typical risks that are irrelevant for the company. Anton Mertsalov, head of the information security operational control group at ICL Services, shares tips on what not to forget when assessing IS risks. The material continues a series of publications in the new TAdviser format, "Check List," in which we share useful applied information about the use of various information technologies.
The IS risk assessment process is carried out in phases. Their exact shape is determined by the specifics of the business processes, but three classic stages can be distinguished.
Preparatory phase
A context must be defined before the risk assessment can be started. It must be documented and approved at the appropriate management level, for example in the form of an IS risk assessment matrix. At this stage:
Create an IS Risk Assessment Matrix. It should reflect:
• IS risk management objectives;
• The area and boundaries of the risk assessment (company, division, project, service, business process, information system, etc.);
• The allocation of process roles and of the resources required to implement and operate the continuous process of risk management and protective measures;
• The main IS risk management criteria in the selected assessment area. These include:
• The approach to IS risk assessment. It can be qualitative, quantitative, high-level or detailed. Several approaches can be combined at once.
• The evaluation criteria: in terms of potential financial damage, compliance with statutory or contractual obligations, interruption of operations, damage to the company's image and other categories applicable in the selected assessment area;
• The definition of IS risk levels and IS risk acceptance criteria, depending on the requirements and objectives of the process customer.
"Quantitative analysis focuses on specific numbers and is best suited for calculating benefits and specific costs (for example, the penalty described in the contract, service downtime, man-hours, etc.). It works when the threats being worked through and the risks associated with them are actually compared against final quantitative values. It is worth noting that quantitative analysis 'eats' a lot of resources, since every detail has to be taken into account. Qualitative analysis focuses on descriptive characteristics (e.g., Extreme, High, Medium, Low), is suitable for situations where uncertainty is significant and quantitative analysis is not applicable. It is less resource-intensive, but its error is also higher, since it includes a significant share of subjectivity. But the world is not black and white, so there are hybrids of the quantitative and qualitative approaches, which, in turn, can show the greatest effectiveness for a particular organization," says Anton Mertsalov, Head of the Information Security Operational Control Group at ICL Services.
Distribute Roles
Best-practice solutions may not suit a particular company, and processes may require adaptation. However, among all the varieties of RASCI matrices (responsibility assignment matrices), several of the most useful roles can be distinguished:
• IS risk owner. Candidates for this role are determined on the basis of ownership of the assets (processes, services, information or systems) exposed to the IS risk. In other words, it is the decision maker who is most interested in the risk not materializing;
• IS risk manager. This is the engine, the catalyst for working with every single risk. In many companies, this person does all the "dirty" work in the process, leaving the owner only to approve a decision;
• Initiator of IS risk identification. This is any employee who discovered and reported the risk. The company must have a well-developed risk culture so that employees "flag" such things to the IS service;
• Process manager. This person monitors the efficiency of the process, which involves a huge amount of work, especially during the pilot phase of the process;
• Expert. Usually this is a representative of a specific department of the company who can assess the impact of the risk in the impact category of their profile as reflected in the risk matrix, or critically evaluate the results of the risk manager's analysis and find its weak points.
"From communication with people responsible for working with risks in companies, it becomes clear that the opinion of experts is often disregarded, or rather sometimes it is not even requested, and therefore no comprehensive risk analysis is carried out. Especially when the company uses boxed solutions to assess IS risks," says Anton Mertsalov.
Risk Processing Stage
At this stage, it is important to:
Create a Risk Plan
Based on the results of the risk assessment (if necessary, with the help of experts), the owner decides on the choice of a risk management strategy:
• Reduce the IS risk to an acceptable value by introducing new or changing existing protective measures;
• Accept the IS risk without introducing any additional protective measures;
• Avoid the IS risk by abandoning the business activity or conditions that give rise to it, if the IS risk is too high or the cost of reducing it exceeds the benefits of this business activity or conditions;
• Share the IS risk with an external party that is able to manage it most effectively.
"Quite often, the decision is made on the basis of preliminarily formed ideas or even high-level assumptions about economic feasibility. But the best option is a full-fledged economic justification for the chosen strategy: it identifies the resources needed to implement and operate the measures aimed at achieving the chosen strategy," notes Anton Mertsalov.
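The evaluation criteria, risk levels and acceptance criteria described in the preparatory phase, and the choice between reduce, accept, avoid and share described above, can be captured in a small risk register. The following is an added example, not code from the article or from ICL Services; the 4x4 likelihood/impact scale, the level thresholds, the sample risks and the "cost of the measure versus the loss it removes" rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Qualitative scale from the article, ordered from least to most severe.
LEVELS = ["Low", "Medium", "High", "Extreme"]


@dataclass
class Risk:
    rid: str
    owner: str                 # IS risk owner (decision maker for the asset)
    likelihood: int            # 1..4, assumed qualitative scale
    impact: dict               # criterion -> 1..4: financial, compliance, operations, image
    annual_loss: float         # quantitative estimate: contract penalty, downtime, man-hours
    control_cost: float = 0.0  # yearly cost of the proposed protective measure (assumed)
    residual_loss: float = 0.0 # expected annual loss remaining after the measure (assumed)


def qualitative_level(risk: Risk) -> str:
    """Level is driven by the worst impact criterion times likelihood (assumed thresholds)."""
    score = risk.likelihood * max(risk.impact.values())
    if score >= 12:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def choose_strategy(risk: Risk, acceptable: str = "Medium") -> str:
    """Apply the acceptance criterion first, then compare the measure's cost with its benefit."""
    if LEVELS.index(qualitative_level(risk)) <= LEVELS.index(acceptable):
        return "accept"
    benefit = risk.annual_loss - risk.residual_loss   # loss the measure is expected to remove
    if risk.control_cost <= benefit:
        return "reduce"
    return "avoid or share"   # measure costs more than it saves: escalate to owner


def build_register(risks: list, acceptable: str = "Medium") -> list:
    return [{"id": r.rid, "owner": r.owner, "level": qualitative_level(r),
             "strategy": choose_strategy(r, acceptable)} for r in risks]


def reactive_budget(risks: list, acceptable: str = "Medium") -> float:
    """Accepted risks can still materialize: reserve their expected loss as a reactive budget."""
    return sum(r.annual_loss for r in risks if choose_strategy(r, acceptable) == "accept")


# Constructed sample risks (not from the article).
SAMPLE = [
    Risk("R1", "CIO", 3, {"financial": 4, "compliance": 2}, 200000, 30000, 20000),
    Risk("R2", "HR", 2, {"operations": 2, "image": 1}, 5000),
    Risk("R3", "CFO", 4, {"compliance": 3}, 50000, 80000, 5000),
]
```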
Build a Threat Model
Any company can build its own threat model, tailored to the specifics of its business. Threat sources are often taken from typical lists. In Russia, the division of threat sources into natural (fire, epidemic, etc.), anthropogenic (threats from internal employees or external people, including intruders) and technogenic is quite widespread.
To build an IS threat model, you need to:
• Identify the threat sources that apply to your company;
• Identify critical assets;
• Define a list of threats for each asset;
• Identify how the threats can be realized;
• Identify the consequences of possible threats.
To make the task easier, you can take advantage of best practices (the German BSI IT-Grundschutz, for example), and be sure to take into account that threat models are compiled on the basis of constantly changing data and therefore should be regularly revised and updated.
Monitoring phase
Here you need to:
Regularly monitor the relevance of the risk management context and the risks themselves, including those accepted.
"Often in companies, accepted risks fall out of monitoring. They are remembered, unfortunately, only as part of incidents," says Anton Mertsalov. "If the reduction plan has been worked out and the risk is accepted, most often the probability of this risk materializing still remains above zero, and therefore a budget for its materialization is required. The lack of a budget for reactive actions is a frequent business error."
Document all actions
It is important to record all information received and all decisions made in the relevant document: a risk register or a risk passport. This makes it possible to notice flaws and inconsistencies and, therefore, to avoid late identification of risks, loss of reputation and money, and violations of legislation or contractual obligations.