IT Risk Assessments – What, Where, When, Why, How, & Who
The ability to conduct a meaningful and useful Information Technology (IT) risk assessment is a key part of any organization’s strategy to identify, manage and mitigate risks associated with information assets. A risk assessment is the process in which assets, threats, vulnerabilities and controls are identified, categorized and analyzed to determine the risks facing an organization. There’s no “one-size-fits-all” risk assessment methodology for IT risk assessments. However, there are some fundamental characteristics of risk assessments that can be established.
The first question is: Where should we apply our efforts in assessing our IT risks? Determining the scope and objective of an IT risk assessment is the initial step, but risks should not be identified in a vacuum. By applying the concepts identified in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, risks should be examined in relation to an organization’s objectives. Defining the scope or boundaries of an IT risk assessment is vital to ensure the results support the objectives, while also being cost-effective. For example, if the objective of the risk assessment is to assess risks associated with electronic protected health information (ePHI), the scope of systems, assets and processes examined would have to include all of those that store, transmit or modify ePHI.
Risk management is an ongoing process of which risk assessments are an integral part. A risk assessment is the logical starting point for any larger risk management, audit or compliance activities associated with your information assets. Risk assessments are not a one-time, check-the-box activity: the results of any risk assessment will need to be integrated into the organization’s ongoing risk management processes. The IT risk assessment should be conducted, or at least periodically reassessed, whenever there have been significant changes in assets, threats, vulnerabilities, controls and external environmental factors such as laws and regulations.
There are at least two very compelling reasons why you should conduct periodic IT risk assessments. First, there are legal and regulatory standards your organization may be operating under that either explicitly or implicitly require an IT risk assessment. These can include regulations, standards and guidelines developed to support the Health Insurance Portability and Accountability Act (HIPAA), the Centers for Medicare and Medicaid Services’ Meaningful Use program and the Gramm-Leach-Bliley Act. Second, the results of a well-designed IT risk assessment will provide your organization with direction for other governance, risk and compliance activities, such as internal audit plans, information security goals, budgeting decisions and analysis of new business opportunities.
The particulars of different risk assessment methodologies can vary, and there are many well-accepted methods. For example, the National Institute of Standards and Technology (NIST) Special Publication 800-30 provides one such methodology. While there are many IT risk assessment methodologies, here are some commonly accepted steps you should include:
- Identify the scope, objectives and critical assets to be assessed
- Identify threats
- Identify vulnerabilities
- Identify controls and countermeasures
- Determine likelihood of risk events
- Determine impact/magnitude of risk events
- Determine risk rating or ranking
- Recommend mitigation and control efforts
- Document and monitor risks
After identifying your assets, threats, vulnerabilities and controls, the typical risk assessment process requires the analysis of the risks in terms of likelihood, magnitude and residual risks. Risk analysis methods can be summarized into one of three general categories:
- Qualitative (magnitude and likelihood are described in detail)
- Semi-quantitative (rating scales are used to normalize magnitude and likelihood and results are mapped to a risk matrix)
- Quantitative (actual numeric values are applied to asset values, magnitude and likelihood)
The level of sophistication and analytical methods used to determine likelihood, magnitude and residual risks depends on the objectives of the risk assessment, the resources available, access to relevant data and time constraints.
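As an added illustration of the “determine risk rating or ranking” step and of the semi-quantitative and quantitative categories above (example code written for this page, not part of the original article), the following ranks a few constructed ePHI-related risks both ways. The 1–5 rating scales, the risk-matrix bands and the annualized-loss formula (asset value × fraction lost per event × events per year) are assumed conventions, and the dollar figures are illustrative.

```python
# Added example: semi-quantitative (risk matrix) and quantitative (annualized loss)
# ranking of constructed ePHI risks. Scales, bands and formula are assumed conventions.
from typing import NamedTuple

# Semi-quantitative: ordinal 1..5 scales normalize likelihood and magnitude.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
MAGNITUDE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

def matrix_rating(likelihood: str, magnitude: str) -> tuple[int, str]:
    """Place a likelihood/magnitude pair on a 5x5 risk matrix (score = row x column)."""
    score = LIKELIHOOD[likelihood] * MAGNITUDE[magnitude]
    band = "High" if score >= 15 else "Medium" if score >= 8 else "Low"
    return score, band

def annualized_loss(asset_value: float, exposure_factor: float, annual_rate: float) -> float:
    """Quantitative: asset value x fraction lost per event (magnitude)
    x expected events per year (likelihood); the usual SLE x ARO form."""
    return asset_value * exposure_factor * annual_rate

class Risk(NamedTuple):
    name: str
    likelihood: str         # semi-quantitative rating
    magnitude: str          # semi-quantitative rating
    asset_value: float      # quantitative inputs, in dollars
    exposure_factor: float  # fraction of asset value lost per event
    annual_rate: float      # expected events per year

# Constructed sample risks for an ePHI-scoped assessment (illustrative values only).
SAMPLE_RISKS = [
    Risk("Ransomware on EHR database server", "possible", "severe", 2_000_000, 0.40, 0.2),
    Risk("Lost unencrypted laptop holding ePHI", "likely", "major", 500_000, 0.50, 1.0),
    Risk("Backup tape misfiled on site", "unlikely", "minor", 50_000, 0.10, 0.5),
]

def rank_risks(risks: list[Risk]) -> list[tuple[str, int, str, float]]:
    """Rank by annualized loss, carrying the matrix score and band alongside
    so the semi-quantitative and quantitative views can be compared."""
    rows = []
    for r in risks:
        score, band = matrix_rating(r.likelihood, r.magnitude)
        ale = annualized_loss(r.asset_value, r.exposure_factor, r.annual_rate)
        rows.append((r.name, score, band, ale))
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    for name, score, band, ale in rank_risks(SAMPLE_RISKS):
        print(f"{name:38s} matrix={score:2d} ({band}) annualized loss=${ale:,.0f}")
```

Note how the matrix rates both the ransomware and the laptop scenarios “High”, while the quantitative estimate separates them; that difference is why the choice of method should follow the assessment’s objectives and available data.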
While many organizations can and do conduct their risk assessments internally, there are benefits to exploring external resources to assist with your risk assessment activities. These benefits can include independence, specialized skills, industry and professional knowledge, and IT resources that many organizations consider invaluable.