If you’ve ever undertaken a security risk assessment (SRA) yourself, you may have wondered whether it was as comprehensive as it could have been, and if could it withstand serious scrutiny. The real acid test, as some practitioners will attest to, is whether it could stand up to serious legal scrutiny, and whether assertions are based on a well-argued basis, or whether they’re simply the opinion of the assessor.

Part of the notion of completing a defensible assessment is to first understand where the rest of the industry is at, so that a measure of the relative credibility of a proposed approach can be obtained. Good practitioners will do this and use the information to regularly improve their approaches to, and quality of their deliverables.

The challenges

One of the key challenges in knowing how a SRA compares is to be aware of where better practices can be found, and to find the time to review them regularly. There are many industry organisations dedicated to security matters, and risk assessment/management practices lie at the heart of many of them. Across the traditional security and cyber-spectrum, some that are widely recognised include:

  • Institute for Strategic Risk Management (ISRM).
  • Security Executive Council (SEC).
  • Information Systems Audit and Control Association (ISACA).
  • Security Analysis and Risk Management Association (SARMA)
  • ASIS International (ASIS).

Like any trade, a detailed understanding of its body of knowledge affords the highest likelihood of a genuinely professional outcome. In this regard there are numerous other entities, including standards bodies themselves, and abundant white papers and reputable blogs where better practices and good advice can often be found.

Further, and while there are some staple and straightforward components of SRAs, a significant degree of expertise really is usually required to put them together in a logical and meaningful fashion. Indeed, the absence of methodological rigour is a frequent casualty.

Whether it be cyber or protective security focused, a good SRA will be one that:

  • Articulates which methodology is being applied, how it works and why it is credible in the context of the assessment.
  • Tells a logical ‘story’ by providing background and sufficient context to the process being undertaken, and the drivers for it.
  • Articulates the compelling reasons as to why change is needed (much like a business case).
  • Clearly defines the assets (physical, personnel, information etc.) that require protection, and highlights the relative importance of those assets (i.e. through a criticality analysis).
  • Provides sufficient background to the various threat actors and acts that may impact those assets by way of a threat assessment.
  • Identifies the risk controls that are used to protect against those threats, and how effective each of them is at doing so (i.e. a Risk Control Effectiveness assessment).
  • Describes areas of vulnerability and risk within the organisation, consistent with the scope of the assessment.
  • Clearly articulates current risks and assigns them ratings consistent with organisational risk criteria (i.e. not criteria supplied by a third party, unless the organisation prefers an independent approach).
  • Evaluates current risk ratings to identify which exceed tolerable thresholds.
  • Identifies pragmatic and cost-beneficial risk controls that reduce the likelihood of a threat act being successful (resulting in associated risks being realised), and/or the consequence of an incident (through effective preventative, response and recovery controls).
  • Supports its recommendations through defining the benefits to the organisation, in support of its strategic and operational objectives.
  • Considers the SRA process a critically discrete and keystone element of developing a security/risk treatment plan.
  • Is monitored, reviewed and evolved/improved over time (rather than recreated periodically).

ISO 31000 and security risk methodology alignment

Condensed SRM ProcessCondensed Security Risk (Assessment and) Management Process

The diagram above shows a slightly modified version of what, at the time of writing, the Australian Government requires its Agencies and Departments to implement when conducting a SRA.

The key requirements of this methodology, and by extension a good assessment, is effectively canvassing the sub-assessment stages on the left had side, while simultaneously adhering to ISO 31000 – Risk management on the right. This approach contains elements that are incorporated within most globally accepted security risk methodologies.

The Takeouts

The production and distribution of underwhelming assessments does the organisations affected, and indeed the industry, a disservice, as stakeholders deal with periodically unsubstantiated findings and recommendations.

Every SRA represents a challenge for the assessor, and the scope and context of most requires nuance and expertise in the security risk ‘trade’ to deliver good product.

It is imperative, therefore, that those who wish for continuing credibility growth in the sector, and indeed stakeholders themselves, become more discerning in selecting suppliers, and active in demanding high standards.

All assessments should demonstrate logically arranged arguments canvassing the elements listed within this article. If not, stakeholders should feel comfortable asking why not.

Yours in security,

Konrad Buczynski
Principal, SECTARA

 

About SECTARA

SECTARA is a premier security risk assessment and management platform, ideal for both consultants and corporate security managers. There are several methods to get started:

As a valued subscriber, you will be comprehensively supported via our Ticketing System and Knowledge Base.

We look forward to seeing you on SECTARA!