:: Security Risk Assessment ::
The Benefits of: Security Risk Analysis
Cost Justification
Additional security almost always involves additional expense.
As this does not directly generate income, it should always
be justified in financial terms. The Risk Analysis process
should directly and automatically generate such justification
for security recommendations in business terms.
Productivity: Audit/Review Savings
A Risk Analysis programme should enhance the productivity
of the security or audit team. By creating a review structure,
formalising a review, pooling security knowledge in the system's
"knowledge base" and utilising "self-analysis"
features, much more productive use of time is possible. The
ability to 'build-in' expertise should also alleviate the
need for expensive external security consultants.
Breaking Barriers - Business Relationships
Security should be addressed at both business management and
IT staff. Business management are responsible for decisions
relating to the security risk/level that the enterprise is
willing to accept at a given time (which involves consideration
of potential business impact). IT management are responsible
for decisions relating to specific controls and application.
Risk Analysis should not only direct appropriate information
at each group, but play a major and pro-active role in enhancing
the understanding of the needs and role of the other. It should
bring the two groups closer together.
Risk Analysis should relate security directly to business
issues.
Self-Analysis
The Risk Assessment system should be simple enough to enable
its use without necessitating particular security knowledge,
or indeed, IT expertise. This approach enables security to
be driven into more areas and to become more devolved. It
enables security to become part of the enterprises culture,
allowing business unit management to take more of the responsibility
for ensuring an adequate and appropriate level of security.
Security Awareness
The widescale application of a risk assessment programme,
by actively involving a range of, and greater number of, staff,
will place security on the agenda for discussion and increase
security awareness within the enterprise.
Targeting Of Security
Security should be properly targeted, and directly related
to potential impacts, threats, and existing vulnerabilities.
Failure to achieve this could result in excessive or unnecessary
expenditure. Risk Analysis promotes far better targeting and
facilitates related decisions.
This not only applies to which areas of a particular system
resources should be directed to, but which business systems.
Through the application of Risk Analysis across multiple business
unit, it is possible to quickly establish the areas of greatest
risk to the enterprise as a whole.
'Baseline' Security and Policy
Many enterprises require adherence to certain 'baseline' standards.
This could be for a variety of reasons, such as legislation
(eg: Data Protection Act), enterprise policy, regulatory controls,
etc. The Risk Analysis methodology should support such requirements
and enable rapid identification of any failings.
Consistency
A major benefit of the application of Risk Analysis is that
it brings a consistent and objective approach to all security
reviews. This not only applies across different applications,
but different types of business system.
It should also embrace those systems not under the direct
control of IT management....paper based systems, PC Systems,
or systems utilising other office equipment.
Communication
By obtaining information from different parts of a business
unit, a Risk Assessment aids communication and facilitates
decision making.
There are also a number of other important, but less tangible,
benefits to be accrued via the application of Risk Analysis.
|
