If yours is like most organizations, you have a policy or requirement of periodic (usually annual) risk assessment. Financial organizations and medical concerns, for example, fall under this requirement. Many organizations that have no regulatory requirement to perform a risk assessment perform one anyway as a matter of best practice. And since you are doing one anyway, you might as well get maximum use from it.
It is the season when many concerns are allocating resources for the coming year. The information security budget is usually limited, even if it is adequate to protect the system and the information it contains. It is therefore very important that information security dollars be allocated wisely, and to maximum effect. To make a wise decision, you need to have the best and most current information. The results of an enterprise-level risk assessment are an excellent source of such information.
When an enterprise-level risk assessment is performed, the assessors examine the organization’s security policies and practices across the board, including technical, operational and management security arrangements. Business processes, IT systems, communications systems, vendor relationships, business continuity arrangements, incident response programs and compliance requirements are all included in the examination.
For each business process, the assessors consider the threats and threat actors that could menace the process, the vulnerabilities in the system that those threat actors could exploit, and the likelihood that these vulnerabilities will actually be exploited. Combining these factors yields the level of risk to which the business process or system is exposed. Usually, this is expressed in terms of high, medium or low risk. When judging the likelihood that a threat vector will be exploited, the assessors consider the recent history of compromises at similar organizations, as well as threat actions that are currently emerging.
Examining the results of these studies gives management the information they need to ascertain the current risk both to individual business processes and to the system as a whole. Such a broad snapshot of security processes and risks gives those who consume it the gift of perspective, and prevents them from focusing too closely on any one current or planned control. Applying security controls in a holistic manner, ensuring that each one is applied properly so as to leverage and support the others, is the ultimate goal of an efficient and effective security program. Leveraging the hard-won information provided by a good enterprise-level risk assessment is a smart way to help achieve that goal.