Earlier this year after a session I gave at a conference, an attendee who was new to information security, and had just been assigned this responsibility at a mid-sized organization in the healthcare industry, asked if he could visit with me for a while about risk management. Well, of course! During the course of our conversation I learned that he had gotten some very bad advice about risk management in general, and risk assessments in particular. I know from reading various comments throughout the social media discussion sites that bad advice is becoming far too common, with many vendors touting in their marketing materials that their risk assessment methodology is the only acceptable, or “the only bona fide” way that it can be done, or that risk management is synonymous with risk assessment. Wrong and wrong!
“Risk management is the same as risk assessment”
Wrong! I’ve heard this statement many times over the years from business leaders with no information security background, but with resource approval powers. I’ve also heard it from IT folks new to information security responsibilities. It is important to understand that a risk assessment is an important and valuable tool that is part of the full risk management process, but it is far from being the only tool. There are other important and necessary actions that should be part of a risk management program. Generally, a risk management program should include:
- Context establishment: You must determine the organization’s business, the value of information to the business, and the contexts within which the business operates to effectively identify and then successfully manage information risks.
- Risk assessment: At a high level, this is a structured and repeatable process for identifying (through quantitative and/or qualitative measures) risks to information assets within the context of an established scope of inspection for business practices.
- Risk treatment: This is determining, using the prioritization of risks from the risk assessment, the most appropriate controls within the context of the applicable scope of business to reduce, retain, avoid, or transfer the identified risks.
- Risk acceptance: When identified risks have been mitigated through the risk treatments, the appropriate business leaders must determine whether the level of remaining risk is acceptable, and the appropriate responsible individual/team should then formally document this decision.
- Risk communication: The risk information identified throughout all the other risk management steps should be appropriately communicated from the decision maker(s) to the key stakeholders.
- Risk monitoring and review: This is so critical, and so often not done! As changes are made within the business environment, existing risk levels will change and new risks will be created. Activities, beyond the formal risk assessment, should occur on an ongoing basis to identify the changes within the context of the organization as early as possible.
This list of program elements demonstrates that while risk assessment is an important part of the overall risk management process, there are many other activities necessary as well. By the way, each of these risk management topics is more fully defined within ISO/IEC 27005.
“Risk management is an IT-only activity”
Wrong! A holistic risk management process integrates risk management throughout all business processes, at every point where information is collected, accessed, stored, and shared, and until it is destroyed or otherwise completely removed from the business when it is no longer needed. You must consider not only the technology aspects, but also all the applicable physical risks and administrative risks. This requires key stakeholders from all areas within the organization to be involved.
“Organizations must eliminate 100% of information security and privacy risks or face fines and other penalties”
Wrong! Risk can never be completely eliminated. However, organizations must mitigate risks to acceptable levels, and manage that risk on an ongoing basis. The appropriate business leaders (which are typically not those who are actually responsible for risk management) must determine the levels of risk that are acceptable, as well as the most appropriate methods (e.g., reduce, retain, avoid, or transfer) to mitigate the risk. Managing risk doesn’t mean completely fixing everything, nor does it mean not fixing anything.
“There is only one acceptable way to do a risk assessment”
Wrong! Regulatory oversight agencies generally do not prescribe a single way to perform a risk assessment; there is no such thing as one solitary acceptable method. In fact, as just one example, the Department of Health and Human Services often makes a point of stating that it does not require one specific method for risk assessments. For example, it has advised: “There are numerous methods of performing risk analysis and there is no single method or “best practice” that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30.”
Also consider that the authoritative definition of risk assessment provided by NIST SP800-53 Rev 4 lists three different categories within which risk assessments fall:
- Quantitative Assessments
- Qualitative Assessments
- Semi-Quantitative Assessments
Each organization needs to determine the best risk assessment methodologies to use based upon its business, the scope of each risk assessment, and the context within which the associated information is processed. Some appropriate risk assessments may be high level, such as the free one I created to help covered entities and business associates identify their HIPAA compliance risks, and others may be very detailed and take a large amount of resources and time to accomplish, such as those performed to achieve ISMS certification.
Bottom line for organizations of all sizes…
Every business, no matter how small, needs to have a risk management process in place to be able to effectively mitigate information security risks. There are many different ways to manage risks; the best methods for each organization need to be determined based upon the organization’s services and the context within which information is collected, processed, stored, shared, and disposed of.
Would you like to have a good reference document for comprehensive risk management? Here are a couple of widely-accepted and often used authoritative documents:
- NIST Special Publication 800-39 Managing Information Security Risk
- ISO/IEC 27005 Information Security Risk Management
Tags: compliance, compliance documentation, documentation, HIPAA, Information Security, information security risks, infosec, midmarket, policies, privacy, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risk assessment, risk management, risks, SIMBUS, training