SCA and Its Place in Risk Management

Risk management comes in many shapes, sizes, frameworks, and implementations. How often a risk management assessment is performed depends on the cost-benefit of performing the audit. Risk management is actually a simple idea with a complex methodology to achieve the goal: quantify the vulnerabilities to your business and document the action taken against each vulnerability. This is closely related to the idea of cost-benefit analysis, since not all vulnerabilities are equally likely to happen. Many tools and frameworks exist to assist with your risk management needs; some of the more popular ones are the NIST Risk Management Framework (RMF), HITRUST, and the Standardized Control Assessment (SCA). Each of these risk frameworks is a guide that assists upper management in deciding where to allocate resources, purchase additional insurance, or upgrade technology.

There are also two types of risk assessments:

Qualitative Risk Management

A qualitative risk assessment is one wherein each vulnerability is assigned a relative value, making the assessment SUBJECTIVE. Typically the values assigned are LOW, MEDIUM, HIGH, and CRITICAL, recorded in a risk registry based on several criteria including, but not limited to, the probability of occurrence, the vulnerability's impact, and the available mitigating solutions. This type of risk assessment does not rely on raw numerical data and is typically easier to perform, as relative values are assigned to the various vulnerabilities.

Quantitative Risk Management

A quantitative risk assessment is an OBJECTIVE and more in-depth risk assessment in which historical data and trends are analyzed, resulting in a numerical cost-benefit calculation. Risk management project managers may determine, via historical trends or current information, the relative cost of a vulnerability that may occur. Performing this type of analysis relies on certain key terms, explained below:

  • ALE: Annualized Loss Expectancy is the expected annual financial loss to an asset resulting from one specific threat (SLE × ARO).
  • SLE: Single Loss Expectancy is the expected financial loss from a single occurrence of a threat, calculated as the asset value (AV) multiplied by the exposure factor (EF). The SLE is coupled with the Annualized Rate of Occurrence (ARO) to produce the Annualized Loss Expectancy (ALE).
  • ARO: Annualized Rate of Occurrence is the estimated number of times per year that a threat to one single asset will occur.
  • EF: Exposure Factor is the probability that an event will occur and its likely magnitude, expressed as the percentage of asset loss caused by the identified threat.
  • VaR: Value at Risk is a statistic that quantifies the extent of possible financial losses within a firm, portfolio, or position over a specific time frame.
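As an added example (not part of the original article), the following Python script builds a small quantitative risk register from the terms above: it computes SLE = AV × EF and ALE = SLE × ARO for each asset/threat pair, ranks the register by ALE, maps each ALE onto the LOW/MEDIUM/HIGH/CRITICAL labels used in the qualitative assessment described earlier, and evaluates whether a proposed control pays for itself (ALE before, minus ALE after, minus the annual cost of the control). The assets, monetary values, rating thresholds, and the control itself are constructed assumptions for illustration only.

```python
"""Constructed example: a quantitative risk register using the SLE / ARO / ALE
terms, with a qualitative rating band and a control cost-benefit check.
All assets, values, thresholds and the control are hypothetical."""
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV: replacement value of the asset (currency units)
    exposure_factor: float  # EF: fraction of AV lost in one occurrence, 0.0..1.0
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return round(self.sle() * self.aro, 2)


# Assumed qualitative bands derived from ALE so the numeric result can be
# reported with the LOW/MEDIUM/HIGH/CRITICAL labels a qualitative register uses.
# Each tuple is (exclusive upper bound, label); anything above the last is CRITICAL.
RATING_BANDS = [(5_000, "LOW"), (25_000, "MEDIUM"), (75_000, "HIGH")]


def qualitative_rating(ale: float) -> str:
    for upper_bound, label in RATING_BANDS:
        if ale < upper_bound:
            return label
    return "CRITICAL"


def ranked_register(register: List[Risk]) -> List[Risk]:
    """Highest ALE first: the ordering management uses to decide where to spend."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def control_benefit(risk: Risk, residual_ef: float, residual_aro: float,
                    annual_control_cost: float) -> float:
    """Net annual benefit of a control = ALE before - ALE after - annual cost.
    Positive means the control pays for itself; negative means it does not."""
    residual = replace(risk, exposure_factor=residual_ef, aro=residual_aro)
    return round(risk.ale() - residual.ale() - annual_control_cost, 2)


# Constructed register: hypothetical assets and estimates, not real data.
REGISTER = [
    Risk("customer database", "ransomware",   500_000, 0.40, 0.50),
    Risk("public web server", "DDoS",         120_000, 0.25, 2.00),
    Risk("office laptops",    "laptop theft",  40_000, 0.10, 3.00),
    Risk("backup tapes",      "flood",         80_000, 1.00, 0.01),
]


def register_report(register: List[Risk]) -> List[str]:
    """One formatted line per risk, highest ALE first, with its qualitative label."""
    lines = []
    for r in ranked_register(register):
        lines.append(f"{r.asset:<18} {r.threat:<13} SLE={r.sle():>10,.2f} "
                     f"ALE={r.ale():>10,.2f} {qualitative_rating(r.ale())}")
    return lines


if __name__ == "__main__":
    print("\n".join(register_report(REGISTER)))
    # Hypothetical control for the top risk: offline backups plus endpoint
    # detection, assumed to cut EF to 10% and ARO to 0.25/year at 30,000/year.
    top = ranked_register(REGISTER)[0]
    print("net annual benefit of control:",
          control_benefit(top, residual_ef=0.10, residual_aro=0.25,
                          annual_control_cost=30_000))
```

Running the script ranks the ransomware scenario first (ALE 100,000, CRITICAL) and shows the assumed control yielding a net annual benefit of 57,500, which is the kind of number the cost-benefit comparison in the text is meant to produce; a negative result would argue for accepting or transferring the risk (for example through insurance) rather than funding the control.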

Shared Assessments Standardized Control Assessment

The Santa Fe Group Standardized Control Assessment is a risk management audit that can be used to plan, scope, and perform third-party risk assessments, verifying entities' congruence with the standard and highlighting areas of improvement for continued viability. The Standardized Control Assessment takes industry best practices and applies risk management techniques to suppliers, vendors, and third-party service providers in an attempt to mitigate any threats to continued business. There are currently 18 risk domains that can be scoped to an organization's individual needs, such as:

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Physical and Environmental Security
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Privacy
  • Threat Management
  • Server Security
  • Cloud Hosting Services

The SCA is a qualitative risk assessment in which the 18 risk domains are audited for policies, procedures, and processes to ensure that all areas are addressed and appropriate information security governance is achieved. The SCA provides insight into threats that may not have been identified previously, such as physical threats (energy/power requirements). The SCA covers major categories of risk that should be reviewed and agreed upon by management for continued operation.

Looking for a knowledgeable partner for your next audit?

MegaplanIT is an industry leader in risk management assessments designed to help your business achieve sustainable business processes and improve resiliency. We will always place your needs first by implementing industry best practices, delivering a custom assessment of the organization's largest risk areas, and helping you effectively remediate them. Our team's guidance, along with the SCA Report and tracking document deliverables, provides a standardized approach to collecting and reporting onsite assessment results. These assessments will assist your business in achieving sustainable business processes, making risk-based decisions, and improving cyber resiliency.

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
