Steve Lane, PC PAL franchisee for Leicester South and Market Harborough, writes:
In part one of this blog we looked at a simple method of identifying the information assets most critical to your organisation and the impact of having them made unavailable or corrupted. Having identified the most critical assets in your organisation, how do you determine the risks they are exposed to?
Firstly, let's look at exactly what risk is. In this method a risk is made up of four parts: a threat, a threat agent, a vulnerability and a likelihood of occurrence.
To give an analogy, what is the risk of your house being burgled? The threat agent is the entity that carries out the threat; in this case it is the burglar. Without a threat agent the threat cannot exist. So the burglar is the threat agent, the threat is burglary and the assets at risk are your nice flat screen TV and the laptop.

What about vulnerabilities? You probably have some security controls in place to reduce them, such as locks on windows and doors. Inevitably those controls have weaknesses of their own, such as a weak lock on the front door. An assessment of the vulnerability is then made, objectively where you have evidence and subjectively where you do not, and it must consider all of the vulnerabilities as a whole rather than the weakest lock in isolation.

Likelihood of a burglary taking place would take into account any statistics about crime in the area and any other information available. All you are looking to do in this simplified risk assessment method is give a rating of HIGH, MEDIUM or LOW for vulnerability and for likelihood. Using those two ratings it is possible to get a view of risk:
                |            LIKELIHOOD
VULNERABILITY   | HIGH     | MEDIUM   | LOW
----------------+----------+----------+----------
HIGH            | HIGH     | HIGH     | MEDIUM
MEDIUM          | HIGH     | MEDIUM   | LOW
LOW             | MEDIUM   | LOW      | LOW
In other words, a likelihood of HIGH but a vulnerability of LOW would lead you to conclude that the risk was MEDIUM (read across the VULNERABILITY row to the LIKELIHOOD column). This would then get laid out in a table:
Threat   | Threat Agent | Vulnerability (HIGH / MEDIUM / LOW) | Likelihood (HIGH / MEDIUM / LOW) | Risk Level (HIGH / MEDIUM / LOW)
---------+--------------+-------------------------------------+----------------------------------+---------------------------------
Burglary | Burglar      | LOW                                 | HIGH                             | MEDIUM
If you apply this method to the most critical and valuable assets in your company, let's say for example your customer database, you may end up with a table that looks like the following. The Criticality / Impact and Availability columns carry over the assessment you made in part one; each threat to the asset gets its own row so that the risk level and the controls can be judged separately:
Asset             | Owner          | Criticality / Impact | Availability | Threat agent | Threat               | Risk Level (HIGH / MEDIUM / LOW) | Controls
------------------+----------------+----------------------+--------------+--------------+----------------------+----------------------------------+-------------------------
Customer Database | Sales Director | B                    | 1 Hour       | Fire         | Loss of availability | LOW                              | Fire suppression systems
Customer Database | Sales Director | B                    | 1 Hour       | Flood        | Loss of availability | LOW                              | Server on top floor
If you take the time to do this to your most valuable assets, you gain a better understanding of the risks that your business is exposed to and the impact of those risks.
The next step is to ensure that, for each risk, you consider whether the existing controls are adequate. Risks can be mitigated, transferred (insurance is one form of transfer), avoided or, where the remaining risk is small enough, consciously accepted. Where controls are inadequate, a programme of revising those controls should be implemented unless the risk can be transferred or avoided (e.g. supplier risk by using multiple suppliers).
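As an added worked example (not code from the original post), the following Python encodes the HIGH / MEDIUM / LOW matrix above and applies it to a small register laid out in the same columns as the tables in this post, then sorts the register by risk and flags the rows that the "are the controls adequate?" step should look at first. The function and class names are my own. The vulnerability and likelihood ratings behind the two customer-database rows are assumptions (the post gives only the resulting risk level), and the third row reuses the post's burglary ratings with no control recorded so that the review step has something to flag.

```python
"""Risk matrix and risk register helper.

Added example, not code from the original post. It encodes the post's
HIGH / MEDIUM / LOW matrix and applies it to a small constructed register.
"""
from dataclasses import dataclass, field

# Ordered so that the index doubles as a numeric rank (LOW=0 ... HIGH=2).
LEVELS = ("LOW", "MEDIUM", "HIGH")

# Transcribed from the post's matrix: outer key = vulnerability rating,
# inner key = likelihood rating, value = resulting risk level.
RISK_MATRIX = {
    "HIGH":   {"HIGH": "HIGH",   "MEDIUM": "HIGH",   "LOW": "MEDIUM"},
    "MEDIUM": {"HIGH": "HIGH",   "MEDIUM": "MEDIUM", "LOW": "LOW"},
    "LOW":    {"HIGH": "MEDIUM", "MEDIUM": "LOW",    "LOW": "LOW"},
}


def risk_level(vulnerability: str, likelihood: str) -> str:
    """Map a (vulnerability, likelihood) pair to a risk level.

    Input is normalised to upper case; anything other than HIGH, MEDIUM
    or LOW is rejected so a typo in a spreadsheet cannot silently become
    a missing row.
    """
    vu = vulnerability.strip().upper()
    lk = likelihood.strip().upper()
    if vu not in LEVELS or lk not in LEVELS:
        raise ValueError(
            f"ratings must be one of {LEVELS}, got {vulnerability!r} / {likelihood!r}"
        )
    return RISK_MATRIX[vu][lk]


@dataclass
class RiskEntry:
    """One row of the register, in the column order used by the post."""
    asset: str
    owner: str
    criticality: str       # Criticality / Impact rating from part one, e.g. "B"
    availability: str      # Availability figure from part one, e.g. "1 Hour"
    threat_agent: str
    threat: str
    vulnerability: str     # HIGH / MEDIUM / LOW
    likelihood: str        # HIGH / MEDIUM / LOW
    controls: list = field(default_factory=list)

    @property
    def risk(self) -> str:
        return risk_level(self.vulnerability, self.likelihood)


def sort_by_risk(entries):
    """Highest risk first; rows of equal risk keep their original order."""
    return sorted(entries, key=lambda e: LEVELS.index(e.risk), reverse=True)


def needing_review(entries, threshold="MEDIUM"):
    """Rows at or above `threshold` with no control recorded at all.

    This is the cheapest version of the "are the controls adequate?" check:
    a MEDIUM or HIGH risk with an empty Controls column is never adequate.
    """
    floor = LEVELS.index(threshold.strip().upper())
    return [e for e in entries if LEVELS.index(e.risk) >= floor and not e.controls]


# Constructed register. The first two rows are the customer-database rows
# from the post; their LOW / LOW ratings are an assumption (the post gives
# only the LOW risk level). The third row reuses the post's burglary
# ratings (vulnerability LOW, likelihood HIGH) and deliberately has no
# control recorded so that needing_review() has something to flag.
REGISTER = [
    RiskEntry("Customer Database", "Sales Director", "B", "1 Hour",
              "Fire", "Loss of availability", "LOW", "LOW",
              ["Fire suppression systems"]),
    RiskEntry("Customer Database", "Sales Director", "B", "1 Hour",
              "Flood", "Loss of availability", "LOW", "LOW",
              ["Server on top floor"]),
    RiskEntry("Customer Database", "Sales Director", "B", "1 Hour",
              "Burglar", "Theft of the server (loss of availability)",
              "LOW", "HIGH"),
]


def register_table(entries) -> str:
    """Render entries as pipe-separated rows with the post's column headings."""
    header = ("Asset", "Owner", "Criticality / Impact", "Availability",
              "Threat agent", "Threat", "Risk Level", "Controls")
    rows = [header] + [
        (e.asset, e.owner, e.criticality, e.availability, e.threat_agent,
         e.threat, e.risk, "; ".join(e.controls) or "(none recorded)")
        for e in entries
    ]
    widths = [max(len(r[i]) for r in rows) for i in range(len(header))]
    return "\n".join(" | ".join(c.ljust(w) for c, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(register_table(sort_by_risk(REGISTER)))
    for e in needing_review(REGISTER):
        print(f"REVIEW: {e.asset} / {e.threat} is {e.risk} with no control recorded")
```

Keeping the matrix in one place and deriving the Risk Level column from the two ratings, rather than typing it in by hand, means a changed rating cannot leave a stale risk level behind, and the empty-controls check is the first thing to run before debating whether the controls that do exist are adequate.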
The final output of this exercise is a business continuity and disaster recovery plan that takes into account all of the risks and all of the controls, documents the assets and ensures that, should the worst happen, there is a plan. For example, if your office were to burn down taking your accounts system with it, where would you move to? How would you recover your accounts system, and how would you ensure that your staff could continue your operation?
So now we have an imperfect but better-than-nothing plan. You should have a better understanding of your business and the assets at risk. However, it does not stop there. Firstly, a plan should always be tested; secondly, this is a continuous process that requires iteration. Risks change (think 9/11) and your critical assets will change. Good luck!
Steve Lane (PC PAL, South Leicester & Market Harborough)