Prerequisite: Experience in Risk Management Process
1. Identification and Analysis
>establish the context
*understand the business and its processes
From that, we can tell which information would be useful to competitors, and how, if they got hold of it
>establish the security goals or success criteria (depending on each company)
*what the critical aspects of the business are
Companies working in different fields have different critical information, so they require different approaches to protecting their information assets
*to what extent they need to be protected
>identify possible threats
*what can happen that causes information to leak
*what-if questions
*brainstorming and so on
>determine the causes
*what leads to the threat
*is there only one reason or a combination of many things
>analyse the threats:
*based on the causes, establish the relationship between the threats and the current context, i.e. how it is linked to the customers, outside competitors and other entities in the current context
*specify the likelihood of the threats. How likely is each threat to materialize, and how frequently can it happen?
*determine the possible impacts according to 1) time, political and financial cost 2) CIA: confidentiality, integrity and availability
*determine how the possible impact changes over certain durations such as 1 hour, 1 day or 1 week
*determine the triggers for the threats.
What are the events or actions that can start off the threats?
>prioritize the threats
Which one is most likely to happen? Which one is less likely to happen but has a severe impact on the business?
>write up user stories that record the courses of action performed by users.
It is a good idea to write down the possible steps that can happen, as this eases discussions among people and gives a good starting point for estimating the impacts
>write up a document for tracking and to assist others in understanding what has been done
2. Control/Reducing the impact
>understand users’ capability
Different users have different levels of capability, so we can’t expect too much from them.
>determine appropriate controls
*Depending on the level of users’ understanding and capability, we have to choose appropriate controls.
*Balance the costs of the controls against the impacts of the threats. If the controls cost no less than the threats they address, we have to think about whether we should go for them or not.
*Take the complexity of the controls into consideration, because if their complexity exceeds the capability of users then users might try to work around the controls.
>if the cost of the controls is not worth it considering the impacts, we might put the corresponding threats in a queue, and we have to set appropriate indicators and contingency plans for them. If events occur that could push the impacts far beyond the indicators, we have to take action.
>keep all the protection in a consistent and appropriate manner. Don’t mess about with a lot of different controls, which can lead to confusion
>collaborate with users and help them understand
Organize training classes for users to educate them, make them understand the importance of the security in place, and show them how to operate it
*Who is responsible for tracking the threats
*How often to carry out the tracking process
*How to collect the information
*Who needs to be reported to
For example, 2 people have to reassess the threats once a month. After that, they need to write up a report and give it to the CEO for review.
>determine the warning level, or when immediate action is required
*Different threats have different levels and types of impact, so it’s better to set an indicator for each threat. When a threat goes over its threshold, we have to take action immediately.
*It’s not appropriate to set the level of impacts, for example, from 1 to 5, and then say that when the level is higher than 3 we have to take action. The reason is that different threats have different types of impact and we cannot always treat them identically.
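As an added illustration of the points above (not part of the original notes), the following Python sketch keeps a small threat register in which each threat carries its own CIA impact per duration (1 hour, 1 day, 1 week) and its own action threshold, rather than one global impact cut-off. All threat names, scores and thresholds are constructed sample values, not from any real assessment.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    name: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact_by_duration: dict             # duration label -> {"C": n, "I": n, "A": n}
    threshold: int                       # per-threat action threshold on the risk score
    triggers: list = field(default_factory=list)  # events that can start the threat off

def impact(threat: Threat, duration: str) -> int:
    """Worst-case impact across the CIA dimensions for the given duration."""
    return max(threat.impact_by_duration[duration].values())

def risk_score(threat: Threat, duration: str) -> int:
    """Likelihood x impact, recomputed for each duration the impact is tracked over."""
    return threat.likelihood * impact(threat, duration)

def needs_action(threat: Threat, duration: str) -> bool:
    """Compare against the threat's own threshold, not a register-wide cut-off."""
    return risk_score(threat, duration) >= threat.threshold

def prioritize(threats: list, duration: str) -> list:
    """Highest risk score first, for the chosen duration."""
    return sorted(threats, key=lambda t: risk_score(t, duration), reverse=True)

# Constructed sample register (illustrative values only).
REGISTER = [
    Threat("customer list copied by departing staff", likelihood=3,
           impact_by_duration={"1h": {"C": 4, "I": 1, "A": 1},
                               "1d": {"C": 4, "I": 1, "A": 1},
                               "1w": {"C": 5, "I": 1, "A": 1}},
           threshold=12, triggers=["resignation notice", "bulk CRM export"]),
    Threat("order system outage", likelihood=4,
           impact_by_duration={"1h": {"C": 1, "I": 1, "A": 2},
                               "1d": {"C": 1, "I": 2, "A": 4},
                               "1w": {"C": 1, "I": 3, "A": 5}},
           threshold=15, triggers=["datacentre power loss", "database host compromise"]),
]

def review(threats: list, duration: str) -> list:
    """Rows of (name, score, needs_action) in priority order, for the monthly report."""
    return [(t.name, risk_score(t, duration), needs_action(t, duration))
            for t in prioritize(threats, duration)]

if __name__ == "__main__":
    for duration in ("1h", "1d", "1w"):
        print(duration, review(REGISTER, duration))
```

Note that the outage scores 8 at one hour (below its threshold of 15) but 16 after a day, while the data-leak threat is already actionable at one hour; a single global cut-off would have treated both the same.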
4. Report, review and improvement
>continual review and improvement
>determine the format for the reports
It’s better to have reports written in different ways, because different people, such as managers and the CTO, will have different views.
>involve appropriate people in the review process
>recheck the level of impacts for the threats
>check for new threats
*check the business processes to see whether there are any changes that can lead to new threats