Security Risk Assessment
Averting or successfully responding to any type of security threat requires having the right business security measures in place. Determining and prioritizing those measures is the objective of a security risk assessment. The remainder of this article is intended to provide some helpful insights in that regard.
This article is not a tutorial on performing risk assessments or designing security programs. Its purpose is to identify and present references providing guidance in establishing a risk-based security program, and to provide an example of using business language for risk descriptions. Business language facilitates management’s understanding and helps collaboration with business unit managers around risk treatment planning and related security initiatives.
A risk-based security program directs spending and attention where it is needed most, resulting in stronger security. It aligns the people, process and technology of security with business priorities, according to the potential damage of various threat factors. In a risk-based program, security managers work with business managers to identify the biggest threats to business operations and to set priorities for security investments. A cost-benefit analysis is used to ensure that an appropriate security budget is established and spent wisely. A proven approach is outlined in the 22-page General Security Risk Assessment Guideline, available for download as shown in the “Security Program Guidelines” sidebar below.
The key elements of the risk assessment process presented in the ASIS General Security Risk Assessment Guideline are as follows:
• Understand your organization and identify the people and assets at risk.
• Specify loss risk events/vulnerabilities.
• Establish the probability of loss risk and frequency of events.
• Determine the impact of the events.
• Develop options to mitigate risks.
• Study the feasibility of implementation of options.
• Perform a cost-benefit analysis.
The guideline then calls for ongoing reassessment of risks.
ISO 27001-2005, a guideline standard for establishing an Information Security Management System, specifies additional steps:
• Select objectives and controls for the treatment of risks.
• Obtain management approval of the proposed residual risks (the risks remaining after the security controls are put into place).
• Obtain management authorization to implement and operate the proposed security management system.
• Prepare a summary of decisions concerning risk treatment: What is implemented now, why specific additional controls were selected for implementation, and why specific controls were excluded from consideration.
• Formulate a risk treatment plan.
• Implement the plan via the security management system.
• Review risks at planned intervals, and review changes to the organization, technology and business objectives and processes.
Both guidelines go well together, and the security management system approach outlined in ISO 27001-2005 can also be used for physical and corporate security.
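As an added example that is not part of this article or of either guideline, the Python risk register below walks the assessment steps listed above end to end: it scores each loss event by annualized loss expectancy (impact per occurrence times yearly frequency, a common quantitative convention assumed here rather than prescribed by the ASIS guideline), drops options rejected by the feasibility study, runs the cost-benefit comparison, and produces the treatment summary with residual risk that ISO 27001 asks management to approve. All assets, figures and control names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Option:               # mitigation option (step 5) with its feasibility verdict (step 6)
    name: str
    annual_cost: float      # yearly cost of running the control
    reduction: float        # fraction of the loss expectancy the control removes (0..1)
    feasible: bool = True

@dataclass
class LossEvent:            # one loss risk event against an asset (steps 1-4)
    asset: str
    event: str
    impact: float           # loss per occurrence (step 4)
    frequency: float        # expected occurrences per year (step 3)
    options: list = field(default_factory=list)
    def ale(self) -> float:
        return self.impact * self.frequency   # annualized loss expectancy

def cost_benefit(event: LossEvent) -> list:
    """Step 7: net yearly benefit of each feasible option; residual = loss left after it."""
    base = event.ale()
    return [{"control": o.name, "net_benefit": base * o.reduction - o.annual_cost,
             "residual": base * (1 - o.reduction)}
            for o in event.options if o.feasible]      # infeasible options drop out

def treatment_plan(events: list) -> list:
    """Highest-ALE events first; choose the best net-benefit option, or accept the risk
    (control None, residual = full ALE) when no feasible option pays for itself."""
    plan = []
    for ev in sorted(events, key=lambda e: e.ale(), reverse=True):
        best = max(cost_benefit(ev), key=lambda r: r["net_benefit"], default=None)
        if best is None or best["net_benefit"] <= 0:
            best = {"control": None, "net_benefit": 0.0, "residual": ev.ale()}
        plan.append({"asset": ev.asset, "event": ev.event, "ale": ev.ale(), **best})
    return plan

# Constructed sample register: illustrative figures, not from any real assessment.
REGISTER = [
    LossEvent("server room", "unauthorized entry and equipment theft", 80_000, 0.25, [
        Option("badge access control system", 6_000, 0.7),
        Option("24x7 guard post", 50_000, 0.9),
        Option("mantrap rebuild", 20_000, 0.95, feasible=False)]),
    LossEvent("warehouse stock", "employee theft", 2_000, 6, [
        Option("cycle-count inventory audits", 3_000, 0.5)]),
    LossEvent("field laptops", "loss in transit", 1_500, 2, [
        Option("encryption and tracking agents", 4_000, 0.8)]),
]

if __name__ == "__main__":
    for r in treatment_plan(REGISTER):
        print(r["asset"], "ALE", r["ale"], "->", r["control"] or "accept risk", "residual", r["residual"])
```

The output is the decision record the ISO steps call for: which control was selected and why (positive net benefit), which were excluded (infeasible or not paying for themselves), and the residual risk left for management to accept.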
From Start to Finish
“Risk Analysis and the Security Survey,” by James F. Broder, CPP, is the classic reference on performing a complete risk analysis, and has been recently updated and expanded for its third edition. The book’s chapters cover each step of performing a business security risk analysis, and provide example letters, proposals and reports plus guidance on the use of a security consultant. The book’s appendices contain additional valuable material including:
• Security Survey Work Sheets;
• Danger Signs of Fraud, Embezzlement and Employee Theft;
• Professional Practices for Business Continuity Planners;
• Sample Kidnapping and Ransom Contingency Plan;
• Communicating with the Media; and
• Security Systems Specifications.
This book is part of the required study material for the ASIS Certified Protection Professional (CPP) and Physical Security Professional (PSP) certifications.
Documenting Risk Treatment Plan Details
Guidance for documenting the details of a risk treatment plan can be found in the book “Physical Security for IT,” by Michael Erbschloe. Chapter 3 explains how to integrate the physical security plan for IT with other security plans, such as:
• Cyber security planning;
• Disaster recovery planning;
• Business continuity planning;
• Organization risk management and insurance planning; and
• Incident response team planning and development.
Such integration is an important but often overlooked element. For each of the plans listed above, Chapter 3 gives specific recommendations on how to map priorities between that plan and the physical security plan.