Information security, and really security of any kind, always starts with a risk assessment. This may not be a formal process – you probably didn't bust out an excel spreadsheet prior to installing an alarm system at your house, but I'd be willing to bet that you've informally assessed the risk of someone robbing your home. If you're me, you decided the secondhand furniture you own didn't warrant paying an alarm fee every month. Someone living in a city with a high-rate who owns nice things, however, would assess the risk differently and probably come to a different conclusion. Assessing risk is an integral part of decision making. As an information security consultant, I see many banks who don't think of a risk assessment that way. They think of it as a chore that must be done annually so they won't get in trouble with an examiner – compliance for compliance sake. I'm on a mission to change that perception, so I wanted to highlight a few options or items you can add to your risk assessment to make it your own…to give it meaning and value for your bank.
Threat-Based vs Asset-Based Risk Assessments – One question I hear a lot is, "Which of these RAs is better?" My answer is: both! They're both valuable in different ways. A threat-based RA is going to list multiple threats to information security and include risk levels and other details for each threat. It can give you a big picture of where your institution stands on information security threats and how adequate your controls are. An asset RA will start with an information asset (any machine, cabinet, or person that holds information). Each threat to information, threat details, and risk levels would then be listed within the context of that one asset. It can give you a more detailed look at a smaller piece of your information security puzzle. I would say that most institutions can benefit from a hybrid approach to risk assessment. One big snapshot and more detailed RAs as needed.
Inherent vs Residual Risk – Most people are familiar with residual, or overall, risk ratings. It means you've thought about the likelihood that something bad could happen, the potential damage if it did happen, and all the controls you have in place to prevent it from happening or to at least make it less painful. With all this in mind, you arrive at an overall risk rating. Inherent risk is the initial risk – the risk you come to without thinking of your controls, when you're only considering the likelihood of this threat occurring and the damage it could cause if it did. An inherent risk rating is not a universal requirement for information security risk assessments, but some examiners have been known to "encourage" it. Looking at the difference between inherent and residual risk ratings can help from an auditing perspective. If you look at an asset that started out with a high inherent risk rating, and your controls brought it down to a low overall risk, then you really want to make sure those controls are working. Do you want to make sure all controls are working? Sure. But you're going to put more verification, oversight, and auditing in place on these controls than you would on a system that started out with a low inherent risk rating.
Risk Management Plan/Details – This is where I believe your risk assessment work provides value. It's sort of the conclusion to each risk rating. This is where you decide if your controls are sufficient. If the risk level is too high for you, you may want to add additional controls, research other options, or transfer some of your risk to an insurance company if applicable. You may want regular testing done to ensure your controls are working. You may want to document target dates for implementing something new in response to the overall risk level. This is your action item section.
I believe that understanding and utilizing these options can make your risk assessment a living document that helps your institution make informed decisions about controls and offerings.