Over the last couple of weeks, we've been talking in this space about the seven steps to building a risk management framework for information. The first step is identifying the information that needs to be protected. The second is determining where that information exists inside your organization and its extended ecosystem, and how much of it there is. Once you know those two things, you can move on to step three, which we'll discuss in this post. In this step, you assess the inherent risk associated with the information you've identified, so that you have a meaningful measure of information risk around which to build your framework for risk management.
It's important to understand that any information you categorize as "important information" carries with it some inherent level of business risk. However, the degree of risk will vary depending on the nature of the information, especially how much damage the business would suffer if the information were lost, stolen, altered or made inaccessible. Here's one example of a simple formula you can apply to calculate the inherent risk associated with a business process, IT asset, or a third party handling or storing information that needs to be protected:
Inherent Risk = (Criticality of Information x Number of Records) x Impact per Record Associated with Each Type of Threat
To determine the impact per record, you can look to public sources such as survey results that posit a cost per record associated with a breach of various record types. For some types of records, such as intellectual property, there won't be public information. Then you have to come up with the value on your own. What would the damage be to your organization if its "secret sauce" was lost, stolen, altered, destroyed, or made inaccessible? Determining that value is a good place to engage senior management and your organization's board; they'll begin to understand your technical problem in terms they worry about every day. When assessing risk, it's fine to use qualitative measures of value, as long as everyone agrees on them. For example, if your organization has zero tolerance for ending up on the front page of the Wall Street Journal or the local newspaper, that is a critical level of risk regardless of the monetary cost associated with it.
In the end, you'll have developed a rating scale that the whole organization can use—the business, technology and information security, and internal audit. This way, when anyone raises an issue, you depict it on a scale and prioritize it the same way in terms everyone understands. Here are a few examples of types of information that can influence information criticality:
- Employee information
- Regulated and contractually protected customer information
- Intellectual property and trade secrets
- Market strategies, merger and acquisition information, new product information
- Industrial control systems
In calculating inherent risk, it's important to take into account the larger picture of inherent risk of the processes, third parties and IT infrastructure that are related to important information. It's also important to be able to:
- Incorporate monetary values into the formula for calculating inherent risk (if they are available, and if they are applicable to the type of information)
- Balance monetary and qualitative considerations in your assessment of inherent risk
- Create a scale that ranks risk from low to critical based on the potential for financial loss and agreed-upon qualitative measures
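The formula and the low-to-critical scale described above, applied to a small inventory, as an added example that is not part of the original post or of RSA's methodology. The criticality weights, rating thresholds, qualitative_floor field, asset names and per-record figures are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed scales: the post leaves weights and thresholds to each organization.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ORDER = ["low", "medium", "high", "critical"]
THRESHOLDS = [0, 100_000, 1_000_000, 10_000_000]  # lower bound of each rating

@dataclass
class Asset:
    name: str
    criticality: str                # key into CRITICALITY
    records: int
    impact_per_record: dict         # threat type -> monetary impact per record
    qualitative_floor: str = "low"  # minimum rating agreed with management

def inherent_risk(asset):
    """(criticality x number of records) x impact per record, per threat type."""
    exposure = CRITICALITY[asset.criticality] * asset.records
    return {threat: exposure * cost for threat, cost in asset.impact_per_record.items()}

def monetary_rating(score):
    return ORDER[max(i for i, low in enumerate(THRESHOLDS) if score >= low)]

def rate(asset):
    """Return (rating, worst threat, worst score); the floor can only raise the rating."""
    scores = inherent_risk(asset)
    worst_threat = max(scores, key=scores.get) if scores else None
    worst = scores.get(worst_threat, 0)
    level = max(monetary_rating(worst), asset.qualitative_floor, key=ORDER.index)
    return level, worst_threat, worst

def prioritize(assets):
    """Highest rating first; ties broken by worst-case monetary score."""
    def key(a):
        level, _, worst = rate(a)
        return (ORDER.index(level), worst)
    return sorted(assets, key=key, reverse=True)

# Constructed sample inventory; per-record figures are illustrative, not survey data.
ASSETS = [
    Asset("Marketing file share", "low", 2_000, {"stolen": 5}),
    Asset("HR database", "medium", 5_000, {"stolen": 150, "inaccessible": 20}),
    Asset("Trade-secret repository", "critical", 1, {}, qualitative_floor="critical"),
    Asset("Third-party CRM", "high", 200_000, {"stolen": 200, "altered": 50}),
]

if __name__ == "__main__":
    for a in prioritize(ASSETS):
        level, threat, worst = rate(a)
        print(f"{level:9} {a.name:25} worst case: {threat or 'qualitative'} {worst:,}")
```

The trade-secret repository has no per-record monetary figure, so its rating comes entirely from the agreed qualitative floor, which is how the example balances monetary and qualitative measures on one scale.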
Successfully calculating inherent risk enables you to understand where the greatest information risk is located within your organization and your extended ecosystem, where it makes the most sense to invest human and capital resources to address information risk, where technical and organizational risk treatments need to be applied on a prioritized basis, and what the worst-case impact to the organization would be in the event of lost, stolen, altered, or inaccessible information. You can also get an understanding of whether non-public business information is more important than customer information or intellectual property, and where your greatest inherent exposure resides. All of this detail is useful in planning for and responding to information security incidents. If an incident occurs, you can quickly see the connection points within your infrastructure, which lets you make quicker and better-informed response decisions.
To put this discussion of inherent risk in broader context, download Build a GRC Framework for Business Risk Management. This summary of RSA's seven-step methodology for creating a risk management framework for information provides an overview of the steps in the framework, from identifying and locating important information all the way through documenting controls and reporting on risk.