Risk Management Primer
Written by Ali Murtaza

Introduction

Our economy, society and individual lives have been transformed by digital technologies. They have enabled improvements in science, logistics, finance, communications, and a whole range of other essential activities. As a result, we have come to depend on digital technologies, and this leads to very high expectations of how reliable these technologies will be.

Every organization has to make difficult decisions about how much time and money to spend protecting its technology and services; one of the main goals of risk management is to inform and improve these decisions. People have had to deal with dangers throughout history, but it is only relatively recently that they have been able to do so in a way that systematically anticipates and aspires to control risk.

Security risk analysis is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

Establishing a risk landscape allows an organization to identify its strengths and its opportunities to improve. It helps start risk tolerance discussions across the company and strengthens the ability to set security priorities, develop budgets and deploy security solutions. With it you can define your risk tolerance baselines and identify areas of overinvestment and underinvestment.

Information Security Risk Management

Information security risk management, or ISRM, is the process of managing risks associated with the use of information technology. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets. The end goal of this process is to treat risks in accordance with an organization’s overall risk tolerance.

Organizations should not expect to eliminate all risks; rather, they should seek to identify and achieve an acceptable level of risk for their organization.

ISRM Phases

Identification

Identify assets: What data, systems, or other assets would be considered your organization’s “crown jewels”? For example, which assets would have the most significant impact on your organization if their confidentiality, integrity, or availability were compromised?

Identify vulnerabilities: What system-level, network-level or software vulnerabilities are putting the confidentiality, integrity, and availability of the assets at risk? What weaknesses or deficiencies in organizational processes could result in information being compromised?

Identify threats: What are some of the potential causes of assets or information becoming compromised? For example, is your organization’s data center located in a region where environmental threats, like tornadoes and floods, are more prevalent? Are industry peers being actively targeted and hacked by a known crime syndicate, hacktivist group, or government-sponsored entity?

Identify controls: What do you already have in place to protect identified assets? A control directly addresses an identified vulnerability or threat by either completely fixing it (remediation) or lessening the likelihood and/or impact of a risk being realized (mitigation). For example, if you have identified a risk of terminated users continuing to have access to a specific application, then a control could be a process that automatically removes users from that application upon their termination.
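The leaver control described above, as an added example that is not SIRP code: an HR leaver list is reconciled against an application's active accounts, and any account whose owner left more than a grace period ago, or that has no HR record at all, is flagged for removal. The record layouts, the grace period and the sample data are constructed for this example.

```python
"""Leaver reconciliation check (added example, not SIRP code).

Compares an HR feed of termination dates against an application's list of
enabled accounts and reports access that should already have been revoked.
Field layouts and sample data are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed HR feed: user id -> termination date (None = still employed).
HR_STATUS: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": date(2024, 3, 28),
}

# Constructed export of the application's currently enabled accounts.
APP_ACTIVE_ACCOUNTS: List[str] = ["alice", "bob", "carol", "svc-backup"]

# Date the reconciliation is run (fixed so the example is reproducible).
TODAY = date(2024, 3, 29)


def find_orphaned_access(hr_status: Dict[str, Optional[date]],
                         app_accounts: List[str],
                         today: date,
                         grace_days: int = 1) -> List[dict]:
    """Return accounts that should not still be active.

    Two conditions are flagged: the owner's termination date is more than
    grace_days in the past (the deprovisioning process did not run), or the
    account has no HR record at all (an identity nobody is accountable for).
    """
    findings = []
    for account in app_accounts:
        if account not in hr_status:
            findings.append({"account": account, "reason": "no HR record"})
            continue
        left = hr_status[account]
        if left is not None and today - left > timedelta(days=grace_days):
            findings.append({"account": account,
                             "reason": f"terminated {left.isoformat()}"})
    return findings


if __name__ == "__main__":
    for finding in find_orphaned_access(HR_STATUS, APP_ACTIVE_ACCOUNTS, TODAY):
        print(f"{finding['account']}: {finding['reason']}")
```

Run against a real directory export, the output is the list of accounts the automated removal process missed, which is the evidence you need to judge whether the control is still working rather than merely documented.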

Analyze

In this phase the information gathered about the assets, vulnerabilities, threats and controls is assessed to determine the level of each risk. There are many frameworks and approaches for this, but most organizations use some variation of this equation:

Risk = (Threat x Vulnerability x Asset value) - Security controls

Here Threat x Vulnerability expresses the likelihood (or probability) of the risk being realized, Asset value expresses the impact, and the controls already in place reduce the resulting score.

Action

Once risks have been assessed and analyzed, the next step is to select treatment options:

Remediation: Implementing a control that fully or nearly fully fixes the underlying risk.

Mitigation: Lessening the likelihood and/or impact of the risk, but not fixing it entirely.

Transference: Transferring the risk to another entity (for example, through cyber insurance) so that your organization can recover the costs incurred if the risk is realized.


Risk acceptance: Not fixing the risk. This is appropriate in cases where the risk is clearly low and the time and effort it takes to fix the risk costs more than the costs that would be incurred if the risk were to be realized.

Risk avoidance: Removing all exposure to an identified risk.

Monitor

Regardless of how a risk is treated, the decision needs to be communicated within the organization. Stakeholders need to understand the costs of treating or not treating a risk and the rationale behind that decision. Responsibility and accountability need to be clearly defined and associated with individuals and teams in the organization to ensure the right people are engaged at the right times in the process.

Control

This is an ongoing process. If you chose a treatment plan that requires implementing a control, that control needs to be continuously monitored. You are likely inserting this control into a system that is changing over time. Ports being opened, code being changed, and any number of other factors could cause your control to break down in the months or years following its initial implementation.

Current Challenges

Spreadsheets and Word Documents

Spreadsheets and word processing software applications were perfect solutions for people who had to work with financial data and contracts. Risk managers used these solutions to improve the way they can store risk data and analyze it for meaningful insights but there have always been efficiency-related issues. Since these solutions were not designed for risk management, risk managers had to create their own workarounds and do a lot of manual labor to manage risks through these solutions. This meant manually gathering data from multiple sources and standardizing it, manually creating spreadsheets, and entering formulas for analysis, and manually creating risk reports.

Basically, before a risk manager can manage and mitigate risks, they must fashion an ad-hoc solution out of software applications designed for other purposes. They must create spreadsheets that can serve as risk registers and databases and create templates for reports. Each organization may have its own ad-hoc solution so when a risk manager joins a new organization, they have to learn a whole new way of managing risks.

All these inefficiencies quickly add up and result in risk management being a major cost center for businesses. Organizations commit a significant number of employees to manage risks but get suboptimal results.


The 'tick-box' Risk Management

Carrying out cyber risk management solely for 'compliance' purposes can lead to risk being managed in a 'tick-box' fashion, with unintended negative consequences. It can stop organizations from questioning whether they have ticked the right boxes, leading to overconfidence in how well risks have been managed.

Conducting the tick-box risk management for the sake of complying with a certain standard can be worse than no risk management at all.

Reactive Processes

Risk management cannot be just a reactive process (discovering excessive risk after it has been created). Digital risk and trust are fluid, not binary and fixed, and need to be discovered and continuously assessed rather than assessed only on an as-needed basis.

Digital business risks can be discovered, anticipated, predicted and assessed, with risk-prioritized pre-emptive actions taken to change the organization's security and risk posture. Continuous risk monitoring can alert security and business leaders to areas of unexpected or excessive risk.

Disconnect between GRC and SOC

Risk is always present. It is the lack of visibility into risk, and the failure to manage it intelligently, that can be catastrophic. A disciplined and structured approach to the proactive and reactive discovery, assessment and response to digital business risk is imperative.

In digital business, the detection of risk in how sensitive data is being used might be as important as that of a denial of service attack on a server. Both incidents represent risk and must be prioritized so that our limited SOC resources can focus their efforts. In many cases, these risks are intertwined (the malicious actor infiltrates the organization and then tries to steal sensitive data), so we must stop treating these as separate problems.

Traditional security operations center (SOC) monitoring and response has focused on the rapid detection and response to attacks. However, access-related risks, such as theft of sensitive data, insider threats, and account takeover by attackers, must also be detected and responded to. Security operations must extend to include identity/entity-related, data- related and process-related risk assessment and monitoring.

Risk Management with SIRP

SIRP provides a single-window solution for GRC teams and SOC teams to work on one platform and bridge the gap between their findings and results. SIRP ties organizational risks to incidents, vulnerabilities, and threat intelligence data to generate a threat score called the SIRP Security Score (S3).

SIRP Security Score (S3) quantifies your organization’s “Threat Exposure”. It is based on SIRP’s Predictive Scoring System – SPSS. This score tells you how exposed your organization is to external and internal attacks. SPSS uses more than 25 unique factors in a model to predict the likelihood of a successful attack or a possible breach within your organization. The scoring system also pinpoints the areas in your security operations which should be given the highest remediation priority. You can manage your entire risk management program with SIRP from initiating risk assessments to managing risk treatment plans.

SIRP provides a customizable risk management approach that helps you map risks to assets and prioritize them across the organization for treatment. Being able to incorporate any risk framework helps organizations improve business productivity by analyzing the impact of potential risks and mitigation actions as part of forecasts and long-term planning. SIRP can help you reduce the risk of threats, poor or misaligned practices, and operations failures.

Gain clear visibility into IT risks and streamline the risk assessment process, accelerate the treatment of risks and establish comprehensive reporting. The link between risks and internal controls eases correlation to keep up with changing requirements within the business and focus resources on the most impactful IT risks. The ability to track and classify all risks to the business-critical information and assets in one place ensures an auditable and accurate record.

Key Features and Benefits

  • Create a repeatable process for information risk identification

  • Automate mitigation reminders to your business

  • Eliminate your reliance on spreadsheets and emails

  • Collaborate on a central source of truth

  • Modify your process with ease as your program evolves

  • Analyze and remediate risks with intelligent reporting

  • Hold people accountable with automated follow-ups

  • Customize SIRP to your methodology or use our proven process template

  • Create relationships between systems, data, risks, business units, controls, and mitigations to gain a complete view of your organization’s risk profile


Rapidly Identify Information Assets

Use SIRP to drive workflow that identifies and captures information assets and their linkage to business processes across the enterprise or quickly import technology assets and classify their underlying data by risk level.

Build Complex Relationships & Risk Scoring

SIRP enables you to create the complex hierarchy of relationships that drive information risk across your business, linking together processes, risks, assets, and controls. Gain insight into how a change in one area of your business will impact your risk profile.

Mitigate, Remediate, or Accept Risks

Use visual workflows to assign activities to business owners and ensure you have proper coverage for all your key risks. Automation rules send reminder emails and ensure that the appropriate escalations occur.

Risk Matrix

Organizations can create their own risk matrix to enhance their visibility by giving different names to different risk score ranges and assigning each range a color. The result is an easy-to-understand heat map that clearly shows your tolerance levels at different risk scores.

Risk Meta

Every organization conducts information security risk assessment based on its own risk assessment policy or methodology. As a result, one organization could be using one set of fields to define its risks (e.g. Risk, Risk cause, and Business impact) whereas another could be using a completely different set (e.g. Threat, Vulnerability, and Asset value).

Considering this, SIRP allows you to use only those fields that are important to you. You can customize the risk’s meta data to keep the fields you will be using in your risk assessment and disable the remaining fields.

The Strategic Way to Manage Risk across the Enterprise

An Integrated View of Risk Management

Effective risk management ties together all key business functions to help the risk team protect the organization, but if a business has multiple business owners across various locations, collecting and analyzing that data can be overwhelming. SIRP's Risk Management module enables risk managers to view all their risks on a single platform.

Provide data-driven recommendations that can impact the bottom line.

Focus resources on the risks and controls that make the biggest impact on the organization.

Risk Register

A risk register serves as a central monitoring hub for operational risks, recording information such as probability, impact, and mitigating actions for each risk.

Dashboards

SIRP provides you with a dedicated risks dashboard supported by a number of widgets.

Define your own Risk Assessment Formula

SIRP allows you to choose from several risk formulas, depending on your organizational risk management procedure:

Risk = Business impact * Probability/Likelihood

Risk = Asset value * Probability

Probability can be defined in two ways:

  • Auto calculation – assign High, Medium and Low probability levels manually, each mapped to a score.

  • Custom calculation – derive the probability level from a formula: Probability = Vulnerability value x Threat value
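The scoring described on this page, worked through end to end as an added example (this is illustrative code, not SIRP's implementation): probability is taken either from a manually assigned level or from Vulnerability x Threat, risk is computed with either the Business impact or the Asset value formula, controls already in place are subtracted as in the Analyze-phase equation, and the score is rated against a named, colored risk matrix as in the Risk Matrix section. The numeric scales, the level-to-score mapping, the matrix bands and the sample register are all assumptions made for this example.

```python
"""Configurable risk scoring with a risk matrix (added example, not SIRP code).

Scales, weights, matrix bands and the sample register are constructed for
illustration; a real deployment would take them from the risk policy.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# "Auto calculation": manually assigned probability levels mapped to scores.
LEVEL_SCORE = {"Low": 1, "Medium": 2, "High": 3}
LEVEL_ORDER = ["Low", "Medium", "High"]


@dataclass
class Risk:
    name: str
    asset_value: int             # 1..5, how critical the asset is
    business_impact: int         # 1..5, impact if the risk is realized
    threat: int                  # 1..3, capability and intent of the threat source
    vulnerability: int           # 1..3, how exposed the asset is
    control_strength: int = 0    # points subtracted for controls already in place
    probability_level: str = ""  # used only by the manual probability option


def probability_custom(r: Risk) -> int:
    """Custom calculation: Probability = Vulnerability value x Threat value."""
    return r.vulnerability * r.threat


def probability_manual(r: Risk) -> int:
    """Auto calculation: probability comes from a manually assigned level."""
    return LEVEL_SCORE[r.probability_level]


def risk_by_impact(r: Risk, prob: Callable[[Risk], int]) -> int:
    """Risk = Business impact * Probability, reduced by existing controls."""
    return max(0, r.business_impact * prob(r) - r.control_strength)


def risk_by_asset_value(r: Risk, prob: Callable[[Risk], int]) -> int:
    """Risk = Asset value * Probability, reduced by existing controls."""
    return max(0, r.asset_value * prob(r) - r.control_strength)


# Risk matrix: (low, high, name, color) bands covering the full score range
# of the scales above (maximum score is 5 * 9 = 45). Band edges are assumptions.
RISK_MATRIX: List[Tuple[int, int, str, str]] = [
    (0, 9, "Low", "green"),
    (10, 19, "Medium", "amber"),
    (20, 45, "High", "red"),
]


def rate(score: int) -> Tuple[str, str]:
    """Map a numeric score to its matrix band name and color."""
    for lo, hi, label, color in RISK_MATRIX:
        if lo <= score <= hi:
            return label, color
    raise ValueError(f"score {score} is outside the risk matrix")


def build_register(risks: List[Risk],
                   formula: Callable[[Risk, Callable[[Risk], int]], int],
                   prob: Callable[[Risk], int],
                   tolerance: str) -> List[dict]:
    """Score each risk, rate it, and mark those above the tolerance level.

    Returned rows are ordered highest score first so that the top of the
    register is the treatment priority list.
    """
    rows = []
    for r in risks:
        score = formula(r, prob)
        label, color = rate(score)
        rows.append({
            "risk": r.name,
            "score": score,
            "rating": label,
            "color": color,
            "needs_treatment": LEVEL_ORDER.index(label) > LEVEL_ORDER.index(tolerance),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Leavers retain application access", asset_value=4, business_impact=4,
         threat=3, vulnerability=3),
    Risk("Unpatched internet-facing web server", asset_value=5, business_impact=5,
         threat=3, vulnerability=2, control_strength=10),
    Risk("Data centre flood", asset_value=5, business_impact=3,
         threat=1, vulnerability=1),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, risk_by_impact, probability_custom, "Medium"):
        print(row)
```

Switching `formula` or `prob` is how the two formulas and two probability options on this page are selected; the same register, matrix and tolerance logic applies regardless of which pair is chosen, which is what lets the heat map and the treatment priorities stay comparable across assessments.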

Improved Processes

SIRP’s intuitive interface makes it simple for users to interact with the system to provide superior quality information on a timely basis.

Share risk and control data across the enterprise and between departments and teams. Automate workflows to notify risk owners when an evaluation is due or pending. Disseminate best practices and improve internal process.

Real-Time Visibility

Real-time visibility of risk levels is impossible when risk assessments are handled manually. Automating the process gives the executive team a live view of the results of risk assessments across the organization. This data is also rolled up into executive dashboards that present the information in the form of intuitive graphs and charts. The end result of automation is that it is easier for business units to assess risks, easier for risk managers to collate information and create reports, and easier for executives to accurately gauge enterprise risk levels.

Configuring risk dashboards, reports and more to deep-dive on specific risks is easy in SIRP.

Insight and Analytics

Risk Committee and Board Reports need to be meaningful, current, accurate and aggregated across business units based on a consistent and standardized taxonomy.

Link strategic risk to today's operations and save weeks of report preparation. Provide executives and the board with their own views for direct access to risk data in the system.
