Assessing risk is all about extrapolating meaning from potential. In other words, look at what could happen and consider how those things would affect you. The process can be as complicated or as simple as you choose to make it. At the end of the day, risk assessments are a way to become aware of potential issues and of controls to alleviate those dangers. You do not have to think of every potential scenario. In fact, considering what is common covers the majority of threats.
With regard to risk management, there is a balance between a thorough program and a sufficient program. Mountains of data and calculations are useless if they do not convey a message that improves your risk posture. Remember, the risk assessment is merely a means to the goal, which is ultimately understanding and improvement.
What about vendor risk assessments?
How do inherent and residual risk work when considering vendors who provide their own controls? I will not be so bold as to say that inherent and residual risk do not apply when assessing vendors. I will say the perspective is quite different. For vendors, there is inherent risk that comes with particular services. Is that something you need to assess and document?
Let me describe to you something I like to call "Translated Risk." Translated risk is the risk you take on when you receive service from a vendor. Of course, you could apply controls, such as reasonable user requirements, to reduce certain kinds of risk. However, in most cases, you cannot reduce a vendor's risk. You simply manage existing risk, or in other words, perform vendor risk management. You monitor the vendor's control reporting to ensure you are aware of any substantial changes. Every time you receive a new due diligence document, review it and compare it with the previous version. Have things improved or worsened? Did the vendor have good marks or bad? These reviews will help you decide whether you should reevaluate the translated risk you previously determined.
Why do I need this information?
You need this information so you are aware of the risks you face. If there is a lot of risk, that is okay; you may have a high risk tolerance. What is not okay is taking on unknown risk. When you know about your vendors' risk and control management, you are more capable of determining whether the vendor is the right fit for you, and whether you should continue the relationship or end it. This is your vendor risk management.
How thorough should I be to achieve accuracy?
At the end of the day, all ratings are subjective. Yes, even after several advanced calculations and reviews. If you like your vendor, you are more likely to say the risk is low instead of medium, and you will be able to come up with plenty of reasons to justify the rating. If you dislike a vendor, you are more likely to say the risk is medium instead of low, even for the exact same vendor, and you could still come up with reasons to justify your position. Questions and review categories will not eliminate this. All questions and categories have been created by humans, and all humans are biased, be that you or someone else. With this in mind, you need to find a balance between rating based on gut feelings, which are often quite accurate, and rating based on predetermined calculation systems.
How do I find this "balance"?
Finding balance has a lot to do with your personal learning style. I have a habit of saying, "They see the world differently," to explain why people manage information in different ways. Some of us are narrative-oriented, whereas others are task-oriented. There is no single right way; you just have to find your way. So, focus on the goal. Be aware of what risk applies to you. If you can do this with some simple risk categories and ratings, great. If you need a list of specific questions to help guide you, that's great too. Keep in mind that tools like questions and categories are simply a means to an end. Ratings are not risk assessments. You must continually work towards understanding and improvement. Your resulting risk management program, and your Board of Directors, will thank you for it.
Leticia Saiid is a Security+ certified Tandem Software Support specialist for CoNetrix. CoNetrix offers a variety of security and technology services, including computer network design, penetration testing, and the Tandem Information Security software suite. Visit our website at www.CoNetrix.com or email info@CoNetrix.com to learn more about our Vendor Management products and services.