Risk Assessments

The risk team's responsibilities are:

1. Gather and organize necessary data

2. Perform critical asset, threat, risk, and cost/benefit analyses

3. Formulate protection strategies

4. Report results

Gathering and organizing information might consist of documenting the results of e-mail and personal interviews where persons within the organization are interviewed, as well as collecting already existing documentation. This does not mean contacting employees in management positions only, it means talking to employees having operations knowledge. The most time-consuming interviewing method is the personal interview. There are circumstances that dictate a boardroom-to-boiler-room scale of questioning, which depends on the size and structure of the organization as well as the experience of the risk team. Personal interviews allow clarification and free exchange of ideas; however, if the team is faced with a large-scale organization, it is strongly suggested that you use a combination of sending questionnaires via e-mail first, then review them and conduct personal interviews of more-critical positions.

Respondents usually provide valuable information in the way of their opinions about critical assets and perceived threats. Take the necessary time to review each returned questionnaire. Frequently overlooked is the organization's internal documentation. If the organization has had a recent security audit or other type of operational assessment, ask to see the final report. A related and useful document is the organization's last audit report. Search for the organization's response to the audit. It will likely contain the findings of the audit and the corrective actions taken.

Ask for data flowcharts, organization charts , and lines of authority, human resource directories, equipment inventories, policy and procedure manuals, and software inventories. All these documents will help identify critical assets.

Performing a threat analysis is a multi- faceted task. The first step is the identification of critical assets required to continue profitable operations over a given period of time after the critical incident happens. Critical asset prioritization is an essential part of the threat analysis process. Threats must be considered, as they impact specific assets. Threats must be considered in light of their frequency and whether they will affect critical assets in part or as a whole.

Keep threat assessments within reason. It is unreasonable to consider the chance of hurricanes impacting the Rocky Mountains or snowfalls in Brazil. Frequently, risk assessments measure the impact of threats such as fires, floods, hackers, and viruses, and ignore the employee who is sending off- color jokes through the organization's network. The risk team must consider the probability of malicious or unethical employee behavior negatively affecting assets.

Likely the most-valuable source of employee behavior policy information may be found in the employees' handbook or the organization's Human Resources Department. If the business has weak or nonexistent employee behavior policies, this should be brought to the attention of the executive sponsor. Immediate action is required to address this matter.

Formulating protection strategies starts with evaluating asset safeguards already in place, the effectiveness and cost of those safeguards as they relate to protected assets, and future safeguard needs. An important idea supporting protection strategies uses the "what-if" idea. This process takes place in imaginary scenarios:

• What if an employee e-mailed an offensive joke from his workstation to other employees in the company?

• What if an intruder compromised a mental health patient's records?

• What if an employee steals the organization's trade secrets or intellectual property?

This method has the effect of adding safeguards to the protection strategy testing to determine the difference each safeguard makes in relation to its cost and effectiveness. A good question to be posed by the risk team: What is the level of fault tolerance in each of these "what-if" scenarios? In considering "what-if" scenarios, the risk analysis team must have a good knowledge of the business organization, its processes, and excellent communications skills. During the process of completing the project, if the team discovers it does not have sufficient knowledge of a subject, then the team must decide to augment their knowledge and seek outside resources.

Reporting results is the most important task performed by the team.