The maturity level of the enterprise should dictate the approach to risk aggregation control.
|Maturity level||Risk aggregation control approach|
|None or Initial||Do ad-hoc risk aggregation and interdependency mitigation when people or events bring it to the fore.|
|Repeatable||Analyze aggregated and interdependency risk for systems that have obvious business criticality.|
|Defined||Do a periodic risk aggregation and interdependency analysis and mitigate problems on a scheduled basis.|
|Managed or Optimizing||Fully integrate risk aggregation and interdependency into operations and change management practices.|
Enterprises of all sizes have historically done this, but risk aggregation is a serious problem and the root cause of many large losses and some business collapses. For an organization that is large and complex, this is simply too dangerous and represents a lack of diligence. Systematic approaches are called for when risks are nontrivial.
Analyze aggregated and interdependency risk for systems that have obvious business criticality.
This begs the question of what is obvious and to whom. A good quote comes from Virgil Gligor who, when discussing a computer security-related issue said:
Things in information protection are complex and only become obvious once you have studied then for a long time. An alternative is to get more systematic and use checklists or similar tools that cover the issues.
Do a periodic risk aggregation and interdependency analysis and mitigate problems on a scheduled basis.
Any enterprise that is large enough to warrant redundancy and in which a systematic change control process is not in place will fall into this category. If a strong and systematic change control process is used, then it will also include this coverage. Periodic review is appropriate through the audit process, but unnecessary from a security execution perspective because it is already covered in real-time by the change management process.
Fully integrate risk aggregation and interdependency into operations and change management practices.
This approach is preferred for medium and high risk environments that should be under strong change controls and thus should deal with risk aggregation issues effectively as part of their normal protection processes.
Risk aggregation and interdependency defenses are really the reason that redundancy is used, but some issues, like backups and multiple data centers are more obvious than other risk aggregation issues like localization and employee dependencies. A full scale risk aggregation analysis is reasonable and prudent for medium sized businesses and mandatory for large enterprises and public companies.
Risk aggregation should generally consider all of the interdependencies of business utility. This includes but is not limited to; people, programs, data, libraries, files, input and output, operating systems, configurations, domain name services, identity management services, back end processing and storage, protocols, platforms, networks, wires, routing, access, power, cooling, heating, air, communications, government, environment, supplies, safety, health, and facilities. Each of these aggregate risks due to multiple uses and all of those uses have to be summed in order to understand the risks associated with integrity, availability, confidentiality, use control, and accountability and the lack thereof that may result from any identifiable failure modes.