
What Does a Risk Assessment Do For Your Organization?

August 13, 2014

The purpose of a risk assessment is two-fold: to identify the threats that an organization faces and to help determine how best to prioritize resources to address those threats and protect its assets.

When it comes to information assets, three things are critical:
• The confidentiality of the information
• The integrity of the information
• The availability of the information

Each organization has different levels of tolerance to disruption to each of the three elements. For example, military agencies generally prioritize confidentiality and integrity over availability; they would rather have information become unavailable than run the risk of compromising confidentiality or integrity. For a publicly traded corporation, integrity and availability of Form 10-K is more important than the confidentiality, as investments are made based in part on this document.

Performing a successful risk assessment means classifying and assigning value to information assets, and determining the likelihood that they will be impacted by a vulnerability. By classifying and putting a value on each information asset, the chief information officer (CIO) and chief information security officer (CISO) can demonstrate why the asset is critical to the business, and perhaps more importantly, in what way it is critical to the business. For some assets, uninterrupted availability is critical, while keeping them confidential is not required. Assigning and addressing risk depends on understanding the value of the asset and prioritizing confidentiality, integrity and availability.

Once data has been valued, classified and risk has been assigned, the organization can begin to manage the risk. This is not a one-time activity; rather, it should be a continuous process as risk (or business focus) may change on a daily basis. Good examples of this are ever-changing regulations, either from self-regulating organizations like PCI (payment card industry), or government regulation like HIPAA (Health Insurance Portability and Accountability Act).

What happens when your organization acquires or merges with an organization in a different political, economic or physical environment? If your organization has never had offices in Florida, it is not likely that you are prepared for hurricanes and tropical storms to the extent that is required there. Similarly, there may be requirements from state or local government that you will now have to meet.

There are four general ways to address risk associated with the business: eliminate, mitigate, transfer or accept the risk. Eliminating the risk could include destroying or selling the asset if it is cost-prohibitive to protect properly. Mitigating risk involves applying compensating controls to address the risk; for example, applying IPS signatures to block exposure to a new vulnerability. Insurance policies, business continuity and disaster recovery planning are all ways of transferring risk. The last one, accepting the risk, is perhaps the most direct approach: the organization simply accepts the risk and does not attempt to address it.
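The following is an added worked example, not code from the original post or Optiv's own methodology. It puts the two preceding ideas together: an asset's value is expressed as how much the organization weights confidentiality, integrity and availability, each threat carries a likelihood and a per-property impact, and risk is ranked as likelihood times the weighted impact (that scoring model, and the 1..5 scales, are an assumption for illustration rather than any particular standard). The two profiles and two threats are constructed to mirror the military-agency and Form 10-K cases above, and the register only accepts the four treatments the text lists.

```python
"""Constructed risk-register example: two threats scored under two
organizational profiles, showing that the priority order depends on how the
organization values confidentiality, integrity and availability.
The scoring model (likelihood x CIA-weighted impact, 1..5 scales) is an
assumption for illustration, not a standard or the original author's method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Weight the organization places on each property of an asset, 0.0..1.0."""
    name: str
    confidentiality: float
    integrity: float
    availability: float


@dataclass(frozen=True)
class Threat:
    """A threat to an asset: likelihood and loss severity per property, each 1..5."""
    description: str
    likelihood: int
    impact_c: int
    impact_i: int
    impact_a: int


# The four treatment options named in the text.
TREATMENTS = ("eliminate", "mitigate", "transfer", "accept")


def risk_score(profile: Profile, threat: Threat) -> float:
    """Likelihood x weighted impact. Out-of-range inputs raise so a typo in the
    register (a 0 or a 10) cannot silently distort the ranking."""
    for value in (threat.likelihood, threat.impact_c, threat.impact_i, threat.impact_a):
        if not 1 <= value <= 5:
            raise ValueError(f"{threat.description}: scale values must be 1..5, got {value}")
    weighted_impact = (profile.confidentiality * threat.impact_c
                       + profile.integrity * threat.impact_i
                       + profile.availability * threat.impact_a)
    return round(threat.likelihood * weighted_impact, 2)


def rank(profile: Profile, threats: list[Threat]) -> list[tuple[str, float]]:
    """Highest-scoring threat first: the prioritization the assessment produces."""
    scored = [(t.description, risk_score(profile, t)) for t in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def record_treatment(register: list[dict], profile: Profile, threat: Threat,
                     treatment: str, note: str) -> dict:
    """Append a treatment decision to the register, allowing only the four options."""
    if treatment not in TREATMENTS:
        raise ValueError(f"treatment must be one of {TREATMENTS}, got {treatment!r}")
    entry = {"profile": profile.name, "threat": threat.description,
             "score": risk_score(profile, threat), "treatment": treatment, "note": note}
    register.append(entry)
    return entry


# Constructed profiles and threats (hypothetical, not real organizations or findings).
MILITARY = Profile("military agency", confidentiality=1.0, integrity=1.0, availability=0.4)
CORPORATE = Profile("public company (Form 10-K)", confidentiality=0.3, integrity=1.0, availability=1.0)

THREATS = [
    Threat("data leak of the document", likelihood=2, impact_c=5, impact_i=1, impact_a=1),
    Threat("outage of the document store", likelihood=3, impact_c=1, impact_i=1, impact_a=5),
]

if __name__ == "__main__":
    # Same threats, different ordering: the leak tops the military list,
    # the outage tops the public company's.
    for profile in (MILITARY, CORPORATE):
        print(profile.name, rank(profile, THREATS))
    register: list[dict] = []
    record_treatment(register, CORPORATE, THREATS[1], "transfer",
                     "covered by disaster recovery planning and insurance")
    print(register)
```

Because the ranking is recomputed from the profile and the threat list, re-running it after a regulatory change, an acquisition in a new region, or a newly disclosed vulnerability is how the "continuous process" the text calls for looks in practice: edit the weights or add a threat and the priorities follow.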

As information professionals, it’s our job to know what “information” in our titles means to our organizations, regardless of whether we are the CIO, CISO, or the IT analyst. We need to know our role in protecting the information and what that information is worth to the business.
