What Is Risk Analysis
What is risk analysis?
The short answer is a risk analysis is an assessment of potential risks and vulnerabilities of protected or sensitive data, and at a minimum it should include a review of all applicable regulatory requirements for your organization. Part of the review includes documenting your organization’s status for regulatory requirements and internally identified vulnerabilities. Generally, one could argue a risk assessment is a straightforward endeavor.
In practice, I have seen emotions take over and undermine the larger picture, of which risk analysis is only a part. That’s why I have a long answer. As a precaution, I am not recommending that an organization ignore critical vulnerabilities, and no statements on this website should be taken as legal advice. With the formalities out of the way, generally your organization should not be worried about what the final report on a risk analysis says. You will find vulnerabilities, and new risks will arise. Some years your risk analysis will seem to take a step back.
DO NOT FIX what you find during the process of your risk analysis in an attempt to improve the overall outlook on your final reporting. Fix urgent concerns that need to be fixed, but include those items on the report, and add them to any remediation or risk management plan. If you’ve already fixed the problem, document that on the risk management plan.
My advice is geared towards two major groups: information technology staff and directors or officers. If you’re in either of these groups, you should want to know what gaps you have in your security. Good or bad, accuracy is important. Technicians, it looks good when you jump right into solving problems, which I applaud, but it looks better when you follow processes and maintain documentation and proper change management. For the C-level who might be reading this, you should also welcome bad reports, because you know your systems aren’t perfect, and a good report that hides vulnerabilities leaves no one accountable for them, so they may never get resolved.
Let me share my experience with risk assessments. I have had great assessments, even an assessment that met 100% of all required controls. However, for every identified risk or vulnerability, I documented the finding in a risk management plan, where it was assigned a responsible party and addressed. When organizations find new gaps, assigning responsibility and accountability for fixing problems offers consistency and gives key stakeholders an opportunity to prioritize the issues.
The worst thing that could happen is that your organization repeatedly documents a problem and never fixes it, so perhaps that should be the real concern. However, for organizations that take action on known issues, the next worst thing that could happen is not documenting the problem at all in an attempt to hide it, which then leads to a breach, which might lead to fines. As hard as it may be emotionally to include a serious gap on a risk analysis, do yourself a favor and document your findings truthfully and as they are, because it looks fantastic when you document progress on your remediation efforts.