Cyber Security Risk Management Services
Worldwide-Privacy information security consultants work with businesses to develop a risk management strategy and an effective IT risk management program. One of the first and key steps to any information security management system and program is to assess, categorize, rate and catalog risks and use the findings from the assessment to drive information security projects and budgets.
Worldwide-Privacy offers the following Risk Management Services:
- Risk Assessment
- Risk Treatment
- Risk Program Management
Risk Assessment
Service Definition: The overall process of risk identification, analysis, evaluation and rating.
Goal: Identification of information security risks to ensure that they are mitigated, transferred, accepted or avoided.
Deliverable: A formal report containing an explanation of the process, findings gathered, recommendations for risk mitigation projects and a risk register containing all identified risks rated according to your business size, model and risk appetite.
Assessing risk begins with understanding your business. What is the business model? Retail? Manufacturing? Software as a service (SaaS)? There are several key questions that must be answered before beginning the risk assessment because as risks are uncovered they must be rated (often in terms of high, medium and low), and understanding the “risk appetite” or “risk tolerance” of your business is a key determinant in the rating of each risk. Not every risk uncovered will be rated the same across every business model. Asking the right questions, listening, gathering information and documenting are critical success factors, and Worldwide-Privacy’s experienced consultants work to understand your business – first.
While we suggest that a risk assessment be done for all of IT, assessments can be targeted at specific departments, systems or specific system components. For example, a risk assessment may be targeted at technology infrastructure including on-prem and cloud servers and other components. It is important to eventually broaden the scope of the IT risk assessment to include infrastructure, operations / DevOps, application development, vendor and third-party management, quality assurance, internal IT (PCs, WiFi, internal networks, IAM, etc.) and all other aspects of IT.
Risk Treatment
Service Definition: The process of selecting and implementing measures to “treat” or address risk. Risk treatment measures include:
- Risk acceptance – knowingly accepting risks, providing they clearly satisfy the organization’s policy and criteria for risk acceptance and risk appetite;
- Risk mitigation – Implementing controls or other measures to reduce the risks to an acceptable level;
- Risk avoidance – Ceasing the activity (e.g. business process) causing the risk;
- Risk transference – Moving risks to other parties. One example is to obtain insurance to transfer monetary loss away from the company.
A risk can also be exploited to the benefit of the company, and this type of treatment typically comes from taking on risk as a strategic decision.
Goal: A defined set of actions or projects covering the risks an organization must address within a short to medium time period.
Deliverable: A report containing the risks identified for treatment and action or project description and timeline for each risk identified for treatment. Along with the report your information security and IT staff gain deep knowledge of the prioritized risks, the treatment plan and how to evaluate risks for treatment options, led by our cyber-security risk experts.
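The rating and treatment steps described above, as an added illustration that is not Worldwide-Privacy’s own method or tooling: a small risk register that scores each identified risk by likelihood and impact, rates it against a business-specific risk appetite, and proposes one of the four treatment options (accept, mitigate, avoid, transfer). The two appetite profiles, the score thresholds, the treatment rules and the sample risks are all constructed for this example; a real engagement would calibrate them to the business model, size and regulatory context.

```python
# Added example, not Worldwide-Privacy's method: a minimal risk register
# with appetite-driven rating and treatment selection. All thresholds,
# rules and sample risks are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    can_cease_activity: bool = False  # the activity causing the risk can simply be stopped
    insurable: bool = False           # monetary loss could be transferred via insurance


@dataclass(frozen=True)
class RiskAppetite:
    """Hypothetical appetite profile: score thresholds from which a risk is rated medium/high."""
    business_model: str
    medium_from: int
    high_from: int


def score(risk: Risk) -> int:
    """Likelihood x impact on a 1..25 scale; rejects values outside the 1..5 scales."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def rate(risk: Risk, appetite: RiskAppetite) -> str:
    """Rate the same score as high, medium or low depending on the business's appetite."""
    s = score(risk)
    if s >= appetite.high_from:
        return "high"
    if s >= appetite.medium_from:
        return "medium"
    return "low"


def recommend_treatment(risk: Risk, appetite: RiskAppetite) -> str:
    """Map a rated risk to one of the four treatment options (constructed rules)."""
    rating = rate(risk, appetite)
    if rating == "low":
        return "accept"      # within appetite: record in the register and review periodically
    if risk.can_cease_activity:
        return "avoid"       # cheaper to stop the activity than to control it
    if rating == "medium" and risk.insurable and risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"    # rare but costly: insurance-style transfer of monetary loss
    return "mitigate"        # implement controls to bring the risk within appetite


def build_register(risks, appetite: RiskAppetite):
    """Return the risk register as rows sorted with the highest score first."""
    rows = []
    for r in sorted(risks, key=score, reverse=True):
        rows.append({
            "risk": r.name,
            "score": score(r),
            "rating": rate(r, appetite),
            "treatment": recommend_treatment(r, appetite),
        })
    return rows


# Constructed sample findings from a hypothetical assessment.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", likelihood=4, impact=5),
    Risk("Ransomware via phishing", likelihood=2, impact=5, insurable=True),
    Risk("Laptop theft with unencrypted disk", likelihood=3, impact=3),
    Risk("Legacy FTP service kept for one customer", likelihood=3, impact=2, can_cease_activity=True),
    Risk("Shared staging credentials", likelihood=2, impact=2),
]

# Constructed appetite profiles: the SaaS provider tolerates less than the retailer.
RETAIL = RiskAppetite("retail", medium_from=6, high_from=12)
SAAS = RiskAppetite("saas", medium_from=4, high_from=9)

if __name__ == "__main__":
    for appetite in (RETAIL, SAAS):
        print(f"--- risk register: {appetite.business_model} ---")
        for row in build_register(SAMPLE_RISKS, appetite):
            print(f"{row['rating']:<6} {row['score']:>2}  {row['treatment']:<9} {row['risk']}")
```

Running the block prints one register per appetite profile; the same “Shared staging credentials” finding is accepted under the retail profile but rated medium and marked for mitigation under the SaaS profile, which is the point the assessment section makes about risk appetite driving the rating.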
Risk Program Management
Service Definition: Worldwide-Privacy will work with your team to develop an effective risk management program, which is an important part of building an information security program.
Goal: The creation and implementation of an overall IT risk management program.
Deliverable: The risk program management service contains both the risk assessment and risk treatment services and their respective deliverables, plus the overall program charter and the operational run books or standard operating procedures needed for ongoing risk management operations.
There are several risk management frameworks that will be considered once an initial business evaluation has been completed. Worldwide-Privacy takes the important step of understanding your business as a driver toward selection of the framework to be used to manage information security risk. Not all frameworks are appropriate for all business sizes and models.
Listed below are some of the known risk management and risk assessment methods:
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
- Factor Analysis of Information Risk (FAIR)
- National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)
- Threat Agent Risk Assessment (TARA)
- NIST Cybersecurity Framework resources for small and medium businesses: https://www.nist.gov/cyberframework/small-and-medium-business-resources
After selecting a framework, controls should be selected based on several key factors learned during the initial business analysis. Not all controls are necessary or appropriate for every business size and model, and it is important to focus on the controls that will find and reduce risks to an acceptable level. Some of the factors taken into consideration are:
- Business model and size
- Federal, state, and local statutes and other regulations (e.g. GDPR)
- Company goals and objectives
- Company operational requirements and constraints