With computers at the heart of business and government, information security risk affects us all. But without identifying and evaluating the threats that could impact your operation, how will you know where to deploy finite security resources? (See footnote 1) Next consider the inevitable tug-of-war between security and operations at a procedural level, and the fact that "total security" is unworkable. So, where to begin?

Essentially, any viable risk assessment will be unique to your own organisation. This demands a wide spectrum of input covering organisational, operational, personnel and legal aspects – not simply your network infrastructure.

Ask your departments to grade information assets by importance: include data, skills, services, processes, contracts, public relations and regulatory "musts" as well as your IT facilities. It might help to think "CIA": Confidentiality, Integrity and Availability. For each of your assets, consider how the loss or interruption of any of these would impact your business.

Any assessment should also look at weaknesses in your defences (not simply technology!) and the likelihood of the threat occurring. The next step will be to identify and prioritise controls (e.g. training, procedures, technology, physical/environmental, third-party etc.) aimed at reducing the risks. Finally, you should define acceptable levels of residual risk.
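The steps above (grade assets by the business impact of losing confidentiality, integrity or availability; estimate the likelihood of each threat given current weaknesses; prioritise controls; check residual risk against an agreed threshold) can be worked through as a small risk register. The following is an added example and is not code from the original article: the 1-to-5 scales, the risk = likelihood x impact formula, the greedy choice of controls by reduction of unacceptable risk per unit of cost, the acceptable-risk threshold of 6, and the assets, threats and controls are all constructed assumptions for illustration.

```python
"""Toy qualitative risk register (added example; the scoring scheme and the
sample data are constructed assumptions, not taken from the article)."""
from dataclasses import dataclass

# Assumption: the business accepts residual risk scores of 6 or less (scale 1..25).
ACCEPTABLE_RESIDUAL_RISK = 6


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str   # department that graded the asset
    c: int       # business impact if confidentiality is lost: 1 (negligible) .. 5 (severe)
    i: int       # ... if integrity is lost
    a: int       # ... if availability is lost


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str        # Asset.name
    affects: str      # which of C, I, A the threat harms, e.g. "CI"
    likelihood: int   # 1 (rare) .. 5 (almost certain), given today's weaknesses


@dataclass(frozen=True)
class Control:
    name: str
    kind: str                # training, procedure, technology, physical, third-party
    cost: int                # relative cost units
    mitigates: tuple         # names of the threats this control acts on
    likelihood_cut: int = 0  # points removed from likelihood
    impact_cut: int = 0      # points removed from impact


def impact(asset: Asset, threat: Threat) -> int:
    """Impact is the worst-affected CIA property of the asset."""
    rating = {"C": asset.c, "I": asset.i, "A": asset.a}
    return max(rating[p] for p in threat.affects)


def score(asset: Asset, threat: Threat, controls=()) -> int:
    """Risk = likelihood x impact after the selected controls, floored at 1 x 1."""
    lik, imp = threat.likelihood, impact(asset, threat)
    for ctl in controls:
        if threat.name in ctl.mitigates:
            lik -= ctl.likelihood_cut
            imp -= ctl.impact_cut
    return max(1, lik) * max(1, imp)


def register(assets, threats, controls=()) -> dict:
    """Risk register: threat name -> score, with the given controls in place."""
    by_name = {a.name: a for a in assets}
    return {t.name: score(by_name[t.asset], t, controls) for t in threats}


def excess(reg: dict, acceptable: int) -> int:
    """Total by which the register exceeds the acceptable level, summed over threats."""
    return sum(max(0, v - acceptable) for v in reg.values())


def plan_controls(assets, threats, candidates, acceptable=ACCEPTABLE_RESIDUAL_RISK):
    """Greedily pick the control with the best reduction of unacceptable risk per
    unit of cost, until every residual risk is acceptable or no candidate helps."""
    chosen, remaining = [], list(candidates)
    while remaining:
        current = register(assets, threats, chosen)
        if max(current.values()) <= acceptable:
            break
        best, best_value = None, 0.0
        for ctl in remaining:
            after = register(assets, threats, chosen + [ctl])
            value = (excess(current, acceptable) - excess(after, acceptable)) / ctl.cost
            if value > best_value:
                best, best_value = ctl, value
        if best is None:  # nothing left that lowers an unacceptable risk
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen, register(assets, threats, chosen)


# Constructed sample data for illustration only.
ASSETS = [
    Asset("customer database", "sales", c=5, i=4, a=3),
    Asset("order processing", "operations", c=2, i=4, a=5),
    Asset("supplier contract", "legal", c=3, i=5, a=2),
]
THREATS = [
    Threat("phishing steals staff credentials", "customer database", "C", likelihood=4),
    Threat("power failure in server room", "order processing", "A", likelihood=3),
    Threat("unapproved change to contract terms", "supplier contract", "I", likelihood=2),
]
CONTROLS = [
    Control("security awareness training", "training", 2,
            ("phishing steals staff credentials",), likelihood_cut=2),
    Control("multi-factor authentication", "technology", 4,
            ("phishing steals staff credentials",), likelihood_cut=3),
    Control("UPS and standby generator", "physical", 6,
            ("power failure in server room",), likelihood_cut=2),
    Control("change approval procedure", "procedure", 1,
            ("unapproved change to contract terms",), likelihood_cut=1),
    Control("cyber insurance", "third-party", 5,
            ("phishing steals staff credentials",), impact_cut=1),
]

if __name__ == "__main__":
    print("inherent risk:", register(ASSETS, THREATS))
    chosen, residual = plan_controls(ASSETS, THREATS, CONTROLS)
    print("controls in priority order:", [c.name for c in chosen])
    print("residual risk:", residual)
```

With the threshold at 6 the planner selects training, the change approval procedure, the generator and then multi-factor authentication, and never buys the insurance, because it lowers impact by too little for its cost. Raising the acceptable level to 10 stops after training and the generator: the residual-risk threshold is not a detail, it decides how much of the control budget is spent.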
Whether you engage a consultant, employ specialist software or opt for DIY, be sure to avoid a "one size fits all" approach. And of course, schedule regular reviews so that you are never facing today's risks with yesterday's risk assessment.
_________________________________________________________________________________
1. DTI (BERR) Information Security Breaches Survey 2006: approx. 40% of UK firms spend less than 1% of their IT budget on security. (p. 3, Executive Summary, http://www.berr.gov.uk/files/file28344.pdf)