Don’t risk repetition
By Tim McCreight
As an organization matures its risk management program, opportunities arise to identify controls that satisfy a number of similarly themed risks.
The benefit of searching through a library of risk assessments becomes immediately evident when you review not only the risks, but also the recommendations and remediation plans.
Security professionals are like other busy personnel — we complete our assignments, fight the (many) organizational fires that occur on a daily basis, and assess our progress against milestones and budget requirements. Not everyone has the capacity to go through a paper or online system to identify risks from previous assessments and review the plans that were put in place to remediate those risks.
Finding time to do this activity can save you countless hours of reworking solutions, and lifts your risk maturity to new levels. What may appear to be an onerous trudge through past assignments can offer new opportunities to reuse solutions for similar circumstances.
In a few of my past lives, I found some quiet time during the holiday season to review a number of risk assessments that were conducted during the year. I really wanted to ensure my team had completed the risk assessment process and that we’d documented our work activities appropriately. What I experienced instead was an epiphany of sorts — we had provided an eerily similar type of recommendation for over a half dozen risk reports. The assessments were diverse, ranging from a standard review of a commercial off-the-shelf (COTS) software package to a significant upgrade to an older, legacy system. The same risk theme, or concept, kept coming up from each assessment. And a similar recommendation was presented for each report. The recommendations, although accurate, were repetitious and could have been managed as one general risk remediation program.
Had I simply taken the time at the end of each assessment and thoroughly reviewed the risks and recommendations against similar assessments, I would have documented a clear pattern of remediation. Instead of starting a half dozen small projects to reduce risk, I could have created one larger initiative that would deal with these assessments, and potentially more in the future.
The lesson I learned is to never let your risk assessments end with the report to the client. Before you finish the report, create an internal process that brings the key risks and recommendations from the assignment back into the security group for another perspective. If you’ve read my articles in the past, you can use your risk register as a great starting point for this activity. If your risk assessment highlighted a similar risk you already documented in your risk register, check the remediation plan and the recommended activities to determine if they can also reduce your risk.
If the recommendations aren’t an exact match, that’s fine. Since I started conducting this internal review a number of years ago, I have been able to identify higher-level activities that resolve a number of physical and logical risks that I wouldn’t have seen in the past. One great example involved launching an education and awareness campaign that focused not only on information security principles, but on privacy and physical security concepts as well. Developing one training platform addressed three specific training risks, and even saved development funds. The online course and supporting materials were developed once, with input from all three teams.
Don’t wait till your next holiday break to do this — try it once a quarter!
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com).