Risk Management: Risk management process: What risk assessment processes are used?
Options:Option 1: Do minimal due diligence only.
Option 2: Do probabilistic risk analysis or use covering approaches.
Option 3: Do lightweight initial and periodic reassessments.
Option 4: Do a protection posture assessment.
Option 5: Use expert facilitated analysis or an augmented protection posture assessment.
Option 6: Use scenario-based analysis.
Option 7: Use systems analysis.
Basis:Use a minimal due diligence approach: For the low risk end of the spectrum, where most day-to-day users tend to work, due diligence approaches and vulnerability testing are adequate to the risk assessment process. Diligence with respect to not becoming a hazard is required for any system, and vulnerability testing is a good way to get a handle on easily repaired problems. These are inexpensive and reasonable things to do in most cases. Common operating environments are often used to save on costs of operation and maintenance. At this end of the risk spectrum, it is easy to accept risks. As long as there isn't any really serious consequence associated with failures in these systems, they should be optimized for life cycle cost and business efficiency.
Use probabilistic risk assessment or covering approaches: As risks increase, more demands are made on systems to assure the utility of content. For medium risk situations, many things are different. Sound change control and accreditation processes are necessary, configurations should be closely managed, and infrastructure supporting the application should fall under closer scrutiny and management. Probabilistic risk analysis may be used for natural threats, and covering approaches for low threat, medium consequences is also reasonable.
Do lightweight initial and periodic reassessments: Lightweight initial and periodic assessments provide a way to achieve many of the objectives of a protection posture assessment at far lower initial cost. The notion is that, for situations that are likely to change rapidly over time, the cost and delay involved in more in-depth processes is not as good a tradeoff as a series of smaller and faster assessments. This is particularly useful in situations where a protection program is being started up or over the period of a major change. These assessments typically only deal with as-is and future state and don't include gap analysis or transition planning. They are normally done every 3-6 months for the duration of the major changes or until the start-up program becomes mature enough for a more thorough process. If an independent audit process is used to verify factual accuracy of assessments, low risk should reassess annually, and medium risk every 6-9 months.
Use protection posture assessments or expert facilitated analysis: Protection posture assessments and expert facilitated analysis are more suitable as the threats increase. While periodic oversight is acceptable at low threat levels, management must keep tighter reins and review at a higher rate for higher consequence systems or systems under more severe threats.
Use scenario-based analysis or systems analysis: When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary. When risks reach into the high end, systemic change management comes into play with system-wide testing associated with every significant change. Management rates increase until individual managers are in real-time control over the highest risk systems. Scenario-based analysis becomes increasingly important and, eventually at the highest risk levels, systems analysis becomes necessary.
Risk management is the core process underlying reasonable and prudent decisions about information protection. In order to make prudent decisions, a risk management process must be put in place. The question is, what process?