Evaluating and tracking security risks and remediations
As COVID-19 restrictions are relaxed, organisations need to analyse the risks in the way individuals meet and work together. This usually involves some means of analysing potential risks and deciding how they will be dealt with. To the computer security professional the concept of risk, and how to minimise it, will be old news. These risks might arise from security issues or from failing to meet industry compliance guidelines.
Risk analysis is the process of investigating potential risk. The risk register is part of the wider risk analysis process and can be seen as a means of ensuring that the findings of the analysis are addressed and kept under control. The analysis process may be extensive and detailed, but the register allows its tasks to be broken down and tracked. The risk register is the tool used to monitor and control the risks that have been identified, and it gives named individuals authority over specific risks. It is essential that those so authorised have the knowledge, time and understanding to work on their particular tasks.
An on-line search will reveal a variety of risk register templates, either blank or with exemplar data. There is an advantage to starting from an existing register, as it gives some idea of how risks might be categorised. The pitfalls include carrying over exemplar text that does not fit the real system being investigated. There is also the problem of ‘known knowns’ and ‘unknown unknowns’. If a risk can be identified (known), attempts can be made to tackle it. If a risk is unknown, by definition it will not be on the risk register and cannot be addressed. The first stage of drawing up a risk register is therefore to identify possible risks; relying on an existing template should not be seen as satisfying risk identification. Each risk needs to be clearly defined, with a concrete cause and effect. If a risk is not well defined, clear steps cannot be taken to control it.
Risks need to be prioritised both in terms of their possible severity and the order in which they should be dealt with. Addressing the ‘low hanging fruit’ in the register will improve security with limited effort. On the other hand, some risks may require immediate attention regardless of the resources needed to address them.
Risks will not always need to be ‘solved’. In some cases the cost of mitigating a risk would exceed the possible financial loss from the risk itself. If it is not possible to overcome a risk, the decision to accept it should be made explicitly and noted on the risk register.
The risk register should specify the system to which it applies and the boundaries of the investigation. This helps eliminate entries the organisation cannot possibly control. Each identified risk will need to be categorised by severity, with measures recorded for how it will be alleviated or responded to and who is ultimately in charge of it.
Maintaining a risk register must not be seen as a ‘fire and forget’ process. The risk register is a living document that needs to be regularly updated. Even if there have been no changes in staff, systems or procedures, the entries need to be reviewed: a better means of accommodating a risk may be worked out, or new risks identified. If a risk has been overcome and no longer has a place on the register, it and the resources assigned to deal with it should be removed. Any changes need to be tracked and signed off, then passed on to those allocated to deal with the risks.
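The register described above, as an added Python sketch that is not part of the original article: each entry must carry a concrete cause and effect, an owner and a treatment; accepted risks stay on the register with their rationale; every change records who signed it off; the work order puts immediate risks first and then the cheapest fixes; and entries not reviewed within the review period are flagged. The 1 to 5 likelihood and impact scales, the immediate-action threshold of 20 and the 90-day review period are assumptions, not figures from the article.

```python
from dataclasses import dataclass, field
from datetime import date

IMMEDIATE = 20  # assumed threshold: likelihood x impact at or above this is tackled first

@dataclass
class Risk:
    ident: str
    cause: str            # concrete cause, e.g. "VPN appliance not patched"
    effect: str           # concrete effect, e.g. "remote access to internal network"
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    owner: str            # person given authority over this risk
    treatment: str        # how the risk will be alleviated or responded to
    effort: int = 3       # 1 (trivial) .. 5 (major project); orders the low-hanging fruit
    accepted: bool = False
    last_reviewed: date = field(default_factory=date.today)

    @property
    def score(self):
        return self.likelihood * self.impact

class RiskRegister:
    def __init__(self, system, review_days=90):
        self.system, self.review_days = system, review_days   # scope of the register
        self.risks = {}       # ident -> Risk
        self.changes = []     # (ident, change, signed off by): every change is tracked

    def add(self, risk, signed_off_by):
        # A risk without a concrete cause, effect, owner and treatment cannot be controlled
        for name in ("cause", "effect", "owner", "treatment"):
            if not getattr(risk, name).strip():
                raise ValueError(f"{risk.ident}: {name} must be defined")
        self.risks[risk.ident] = risk
        self.changes.append((risk.ident, "added", signed_off_by))

    def accept(self, ident, rationale, signed_off_by):
        self.risks[ident].accepted = True   # mitigation costs more than the loss: keep, but note it
        self.changes.append((ident, "accepted: " + rationale, signed_off_by))

    def work_order(self):
        # Immediate risks first by score, then the rest cheapest first, ties by score
        todo = [r for r in self.risks.values() if not r.accepted]
        key = lambda r: (r.score < IMMEDIATE, r.effort if r.score < IMMEDIATE else 0, -r.score)
        return [r.ident for r in sorted(todo, key=key)]

    def overdue_review(self, today):
        # Entries must be reviewed on schedule even when nothing has changed
        return [i for i, r in self.risks.items() if (today - r.last_reviewed).days > self.review_days]
```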