Answer yes if your organisation conducts regular (at least annual) security risk assessments against the whole IT estate and takes appropriate action. Following a risk assessment, identified risks should be tracked, with assigned owners and risk treatment plans.
What is it?
Information Security is in large part about risk management. Put simply, we improve security by reducing risks as far as we can within a given scope and level of resource.
The first step is assessing what risks your IT estate faces. Your organisation should therefore have a policy stating that risk assessments are to be performed as part of your risk management strategy. This policy should also define the scope of these assessments.
Why should I have it?
Only once the IT estate has been assessed for risks, those risks listed, and their severity and remediation cost estimated, can a thorough risk management strategy take effect.
Risk assessments are the foundation of risk management. They generate the list of risks that the Information Security function must address, within the limits of its remit and resources.
An organisation that does not perform risk assessments likely lacks the awareness of what risks it faces and is therefore highly unlikely to have an effective Information Security function to address those risks.
For a potential client, discovering that a prospective supplier on whom they would rely for essential business services (or would otherwise need to trust with sensitive information) does not perform IT risk assessments is likely to cause significant alarm. It is likely to make the proposition untenable because of the policy violations and business risks it would trigger on the client's side.
It also indicates a significant gap in governance that puts you, the potential supplier, at risk as well.
If the risk assessment process identifies significant changes to risk levels that will materially affect your customers or other stakeholders (e.g. the board, shareholders), it is important to communicate those changes quickly and transparently, and to work collaboratively on risk treatment plans.
Implement a risk management policy and process. The policy should dictate the frequency and scope of risk assessment activities, and should prescribe that your risk management process identifies risks - including which systems or data are at risk, from which threats, and because of which particular vulnerabilities - then evaluates those risks and leads to decisions on which controls or corrective measures should be put in place.
Record and track all of the above for accountability and auditability reasons, and review as necessary as part of ongoing risk management and continuous improvement efforts.
There are numerous consultancies or individual consultants that will be able to assist in crafting a policy and process that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.