Develop and Conduct Threat and Risk Assessments
If you don’t assess risk, you’re accepting it.
Onsite Workshop
Lack of risk assessments or informal risk processes can result in:
- Unintentional risk acceptance.
- Poor strategic planning of mitigating controls.
- Confusion about how one project’s risk relates to another.
A formal, standardized risk assessment process leads to:
- A defensible and repeatable risk assessment model.
- Security controls designed to prevent risk associated with a particular project.
- Informed risk decisions, rather than reliance on hunches.
Module 1: Establish the Risk Environment
The Purpose
- Build the foundation needed for a security risk management program.
- Define roles and responsibilities of the risk executive.
- Define an information security risk tolerance level.
Key Benefits Achieved
- Clearly defined roles and responsibilities.
- Defined risk tolerance level.
| Activities | Outputs |
|---|---|
| 1.1 Define the security executive function RACI chart. | |
| 1.2 Assess your organizational risk culture. | |
| 1.3 Perform a cursory assessment of management risk culture. | |
| 1.4 Standardize impact terminology. | |
| 1.5 Define frequency or impact thresholds outside of individual risk tolerance level. | |
| 1.6 Evaluate risk scenarios to determine risk tolerance level. | |
| 1.7 Optimize the sensitivity of your screening test. | |
| 1.8 Decide on a custom weighting. | |
| 1.9 Finalize the risk tolerance level. | |
Module 2: Conduct Threat and Risk Assessments
The Purpose
- Determine when and how to conduct threat and risk assessments (TRAs).
- Complete one or two TRAs, as time permits during the workshop.
Key Benefits Achieved
- Developed process for how to conduct threat and risk assessments.
- Deep risk analysis for one or two IT projects/initiatives, as time permits.
| Activities | Outputs |
|---|---|
| 2.1 Determine when to initiate a risk assessment and which project/initiative will be assessed. | |
| 2.2 Review appropriate data classification scheme. | |
| 2.3 Identify system elements and perform data discovery. | |
| 2.4 Map data types to the elements. | |
| 2.5 Identify STRIDE threats and assign rankings. | |
| 2.6 Determine risk actions taking place and assign countermeasures. | |
| 2.7 Calculate mitigated risk severity based on actions. | |
| 2.8 Review results and form risk-based decisions. | |
Module 3: Build a Security Risk Register
The Purpose
- Collect, analyze, and aggregate all individual risks into the security risk register.
- Plan for the future of risk management.
Key Benefits Achieved
- Established risk register to provide overview of the organizational aggregate risk profile.
- Ability to communicate risk to other stakeholders as needed.
| Activities | Outputs |
|---|---|
| 3.1 Begin building a risk register. | |
| 3.2 Identify risks and threats that exist in the organization. | |
| 3.3 Identify which stakeholders sign off on each risk. | |
| 3.4 Review the aggregate risk level of the entire organization. | |
| 3.5 Act upon risk results, depending on the aggregate level as it relates to the risk tolerance. | |
| 3.6 If necessary, revisit risk tolerance. | |
| 3.7 Plan for the future of risk management. | |