By: Brandon Polk, Director of Compliance Services
Contextual Security Solutions | March 19, 2018 @ 9:52
A required component of all well-known, industry-acceptable compliance frameworks is an annual risk assessment. The Oxford English Dictionary currently defines a “risk assessment” as, “a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking”. Seems easy enough, right? It is… if you follow the “systematic process” part of the definition. Unfortunately, this is also where we often see organizations utilize a lot of resources with no benefit or value to the business.
Regardless of the process or methodology, the “evaluating the potential risks” portion should in some way assess the people, processes, technologies involved, any mitigating factors, and impacts to the organization. Of these elements, the impact is typically the most difficult to assess. Unless you run a one-man shop, this stage almost always requires involvement from multiple entities within the organization. A lot of risk assessments originate within the information technology (IT) department; however, IT is just one function of the overall business… and a risk assessment is about evaluating business processes, not IT’s.
So what are the risks to your business? Can you classify business impacts into high, medium, and low categories? How are you assessing impact? If you aren’t considering your company’s solvency when assessing impact, how much value are you really getting out of your risk assessment? And what about the process? If you search Amazon or Google, you’ll likely find countless authors and consultancies that all have different ways of conducting risk assessments. How do you choose?
At Contextual Security, we utilize different risk assessment methodologies depending on the size and complexity of the client, their compliance requirements, and their maturity. In all cases, we only use industry standard methodologies. We often have clients who have completed a risk assessment before, yet have no idea how to interpret the results and may not be capable of reassessing in a systematic manner: a proprietary process was used, and there is no documentation of how the results were derived or how they can be reproduced. Once again, you’ve utilized a lot of resources but got no value out of your risk assessment.
If you’re looking for risk assessment services, our recommendation is to select a vendor that doesn’t just give you a deliverable to check a box. Make sure you get value out of your risk assessment. Make sure your risk assessment evaluates true impacts to the business, not just IT. Most importantly, make sure you know what you’re getting, how to interpret the results, and how to repeat the process, especially when personnel change.