Why are people INTIMIDATED by risk assessments? Is it because they seem overwhelming with their arrays of lists and categories? (At last count, I categorized over 1.572 million combinations of the 44 asset categories, 58 threat categories, 55 vulnerability categories, 7 loss categories and 160 control categories!)
Part of the trepidation of a manager tasked with a risk assessment seems to be that they are anxious about making key assumptions and assigning importance to different areas of the business or agency. Of course, part of this is political: the risk analyst has the power to build up the importance of one part of an organization and reduce the stature of another, or EVEN AFFECT THEIR BUDGETS!!
In practice, however, the exercise of doing a risk assessment affords a level of protection that is related to how many other people actually contribute to the risk assessment results. Using the compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager and distributes it throughout the organization, where it belongs.
Besides, how can one person know enough to do the entire risk assessment by themselves? They would have to be everywhere at once (in the morning, late at night, on the weekends) and also be able to channel the work of everyone from the newest tech support person to the director of the data center. The inclusion of a variety of individuals adds weight and power to the risk assessment.
While the analysts may be accountable for the report of potential risk, the responsibility for any action that needs to be taken sits at the C level, or with the Board. In fact, the FFIEC IT Handbook spells it out: "The Board is responsible for holding senior management accountable." Often we have found that the actual President of a bank or credit union doesn't always KNOW that he is going to be held responsible; this information is down another level in the organization.
The analyst should not be afraid of making assumptions in the risk assessment; auditors make assumptions all the time. One could say that the world runs on assumptions. So making an assumption about how long it would take to replace the personnel or web applications of a specific part of the organization is not too difficult. Always remember that each component of the risk assessment can be vetted beforehand with the relevant management, so that senior management does take the responsibility for validating the choices the analyst makes.
Personally, I advocate getting management to sign off, in writing, on the assumptions they accept in the course of completing the risk assessment, and of course on the final reports. There's nothing like a signature on a piece of paper to foster a climate of accountability.
Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software. Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop. In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler. Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications. Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.