Learn how to make a risk assessment framework for your business.

By: George Mateaki, Security Analyst (CISSP, QSA), SecurityMetrics
How much do you know about conducting a risk assessment? If your answer is, “not a lot,” you’re not alone.

Risk management for businesses can take on many forms. Depending on the size and complexity of an organization, risk management will receive varying levels of resources, and in most cases, play a critical role. From a business perspective, risk management requires serious consideration from both a compliance and a due diligence perspective.

Many businesses have difficulty making and implementing formal risk assessments. Here are a few basic questions your business may have.


Why do a risk assessment?

The PCI DSS requires you to perform a formal risk assessment at least annually. This formal risk assessment should have a well-documented report that ranks risks and tracks remediation items.
If you aren’t performing and documenting a formal risk assessment, you’re not PCI compliant.
Risk management frameworks also give you a methodical approach to documenting and addressing the most important risks that face your organization. Once these are identified, they’re then ranked and appropriate resources allocated to mitigate those risks.

Remember, don’t do the process just to meet a PCI DSS requirement; perform this task as if your business depends on it, because that’s the type of attention it requires. What would put you out of business? What would cause the most damage to your business’s reputation? These are the questions you need to ask and address.

This is definitely not an exercise in Googling, grabbing a sample from the Internet, modifying it to look legitimate, and calling the PCI DSS item completed.


How is risk defined?

Risk is defined and quantified using the formula impact multiplied by probability. Take the example of a fire destroying your warehouse: the probability is estimated from the number of warehouses destroyed by fire in your particular industry over a given period (e.g. ten years). That probability is multiplied by the impact, which is the value you would lose if your warehouse were destroyed by fire. The impact is determined by what insurance would not cover plus the cost of getting things back to normal. Attaching a monetary value to each risk, weighted by its probability, gives you a common scale for ranking the various risks.

Put simply, risks are whatever can harm the business, financially and security-wise. You’ll need to prioritize and address the risks that would cause the most damage to your business.
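The impact × probability ranking described above, applied to a small constructed risk register. This is an added example and is not code from the original post; the register entries, counts and dollar figures are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a risk register, scored as impact * probability."""
    name: str
    incidents_in_period: int  # e.g. warehouses destroyed by fire in the industry
    population: int           # e.g. number of warehouses in the industry
    period_years: int         # length of the observation window
    uncovered_loss: float     # loss that insurance would not cover
    recovery_cost: float      # cost of getting things back to normal

    def annual_probability(self) -> float:
        # Incidents per asset per year, derived from industry figures.
        if self.population <= 0 or self.period_years <= 0:
            raise ValueError("population and period_years must be positive")
        return self.incidents_in_period / (self.population * self.period_years)

    def impact(self) -> float:
        # Monetary value of the loss, per the post's definition.
        return self.uncovered_loss + self.recovery_cost

    def score(self) -> float:
        # Expected annual loss: the ranking metric.
        return self.impact() * self.annual_probability()


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Return the register sorted so the costliest expected loss comes first."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed register (hypothetical figures, not industry data).
REGISTER = [
    Risk("Warehouse fire", 20, 4000, 10, 1_500_000, 600_000),
    Risk("Cardholder data breach", 40, 1000, 10, 300_000, 100_000),
    Risk("Ransomware on POS network", 50, 1000, 10, 50_000, 150_000),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.name:28s} p={r.annual_probability():.4f}/yr "
              f"impact=${r.impact():,.0f} expected=${r.score():,.0f}/yr")
```

Note that the cheapest single incident (the POS ransomware case) is not the lowest-ranked risk by default; its frequency is what moves it up or down the list.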


What types of risk management standards should I use?

The risk management standard you use will depend on your business’s unique environment.

The PCI Security Standards Council (2012) provides a good starting point in terms of typical industry-accepted risk management frameworks. Its guidance lists ISO 27005 (ISO is not an acronym; it comes from the Greek isos, meaning equal), NIST (National Institute of Standards and Technology) 800-30, and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation).

ISO 27005 (ISO, n.d.) is part of the ISO 27K series and directly supports the ISO 27001 information security standard. Most CISSPs (Certified Information Systems Security Professionals), who affectionately refer to it as the “crispy” certificate (what you feel like after the exam), should be able to tell you that the 27001 information security standard requires data classification. This is a big part of quantifying what you have and determining its value as part of the risk ranking process. You need to understand what you have before you can determine risk based on probability and impact.

NIST 800-30 (NIST, 2012) is another industry standard, based on federal requirements. NIST (2012) describes risk management as a way for organizations to “identify, estimate, and prioritize risk” in support of their mission or business.

OCTAVE, a product of the Software Engineering Institute at CMU (Carnegie Mellon University), also provides a highly regarded approach to risk management. OCTAVE methods are self-described as “self-directed, flexible, and evolved,” and use cross-organizational teams (drawn from the various business units) that work together with IT to address information security risks.

The formal risk assessment brings value in getting the big picture in terms of the business and what resource allocation should occur based on the risk ranking. Viewing the formal annual risk assessment requirement as a checklist item is a bad approach to information security.

Remember, you can’t protect your business from risks you aren’t aware of.


George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
