Does your company perform a risk assessment? If you said yes, what did you mean by “risk assessment”?

I ask because often when people say “risk assessment” they are thinking “gap analysis”. As an IT auditor sometimes our instinct is to select our favorite security framework (probably ISO 27001 or NIST 800-53) and begin identifying gaps in the control environment.

Even when we have “great” audit findings, often we don’t have the context to make meaningful recommendations in a business context. That’s because we need to re-think the definition of risk assessment. (For further reading, Norman Marks provides a great Internal Audit perspective and the Department of Health and Human Services discusses risk analysis in detail as related to HIPAA.)

When is the last time you suggested a $1,000,000 solution for a $100 problem? 

A better risk assessment process begins with context and starts several steps before the gap analysis begins. A well designed risk assessment should drive what level of control is appropriate based on quantified risk and the Company’s risk tolerance. This also gives auditors the tools to make better recommendations.

Here are three things you may want to consider as part of your risk assessment tool belt:

First, consider the context. Are there known external threats or internal vulnerabilities specific to your organization? Are there important corporate initiative that drive business success? Do these factors impact some systems or business units differently than others? How do these facts impact the Company’s risk tolerance and the level of controls required to reduce risk to an acceptable level?

Second, consider the business side of the equation (often called people, processes, and technology). Are there business functions that impact the Company’s ability to earn revenue or that drive profits? How are these business processes supported by technology? What is the appropriate level of control for these systems and processes? Which systems merit a more thorough assessment than others?

Third, inventory your digital assets. What are your “crown jewels” and where do they live (in which applications). For example, where does your Company store mission critical data, where is private employee and customer data? This information will help an assessor make a more accurate judgement when recommending the depth of controls necessary secure a system.

As IT auditors and risk management professionals we should re-think what we call a “risk assessment” and how appropriate consideration of risk will drive future audits and gap analysis.

If you want more information on risk management and risk assessment you may consider reading ISO 27005 or NIST 800-30.

For more information from the risk3sixty team on how to assess, quantify, and visualize IT related risk contact us.