In this video, Kip Boyle discusses strategies to determine top risks. Learn how to generate ideas to manage an organization's top risks in an information security program.
- [Instructor] You know your top risks, so let's talk about how to manage them down to an acceptable level. Your main workflow consists of reviewing your top risks one at a time. You want to figure out the reason for the gap, which will then allow you to figure out how to close it. If you group controls for reporting purposes, then each gap will have multiple controls that you can examine to gain deeper insight. Here's an example based on an actual risk assessment we did using the NIST cybersecurity framework.
Of course, I've changed the name of the organization. You can see the top five risks as determined by gap size in the far right-hand column, but we can't manage risk yet because the numbers don't tell the whole story. You have to dig into each area separately to find out why there's a gap. Let's start with the number one risk, recovery improvements. This activity is defined as "recovery planning and processes are improved by incorporating lessons learned into future activities."
Looking a little deeper, we can see that there are two controls in this activity: RC.IM-1, recovery plans incorporate lessons learned, and RC.IM-2, recovery strategies are updated. Looking at the detailed scoring data, both of these controls scored low. IM-1 has an average score of one, and IM-2 has an average score of two. To learn why these controls scored so low, we did a few things.
First, we opened our minds to the different major areas where the problems and solutions could be found: people, process, technology, and management. Then we asked ourselves, what does the control look like when it's operating at the target score? In this case, we would expect to see that information security incident recovery times were getting shorter as people's performance improved based on repeated experiences, so we hypothesized that improvements were needed in the process and people areas.
Next, as part of the larger analysis effort, we reviewed our notes from our interviews with the experts, and then went back and talked briefly with them to get their ideas on what the problem might be and what we could do to improve the scores. Including experts in this part of the work will give you the perspective you need, and it will help later with getting buy-in from experts when you're proposing useful changes. Finally, we reflected on our own experiences working in information security recovery situations and then analyzed everything that we discovered.
We learned the company didn't conduct regular performance reviews, also called post-mortems, after major information security incidents. The experts agreed that requiring such a review would reduce the risk and begin to close the gap, so we needed to make an improvement in the management area as well, since we need a policy to make post-mortems and action items required after every major incident. It turned out that making these changes would also help close the gap with the second top risk, response improvements.
There are two controls in that activity: RS.IM-1, response plans incorporate lessons learned, and RS.IM-2, response strategies are updated. Both of these outcomes had an average score below a five, and if we adopted the same changes for recovery, then we believed we would get much closer to our target score. After reviewing all your top risks in this way, you will have a full list of specific suggestions for reducing those risks down to an acceptable level.
In future videos, we'll cover cost and benefit estimation and how to prepare proposals for management to review.
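The ranking step the instructor walks through (average each control's scores, roll them up per activity, sort activities by the size of the gap to the target, then drill into the weakest controls of the top risk) is shown below as an added example. It is not code from the course or from NIST; the rater scores are constructed so that RC.IM-1 averages one and RC.IM-2 averages two as in the video, and the target score of five, the 0 to 5 scale, and the extra activities used for contrast are all assumptions.

```python
"""Gap-based ranking of NIST CSF activities from per-control interview scores.

Added example, not course material. Assumptions:
  - each control is scored 0-5 by several interviewees; a control's score is the
    mean of its raters, and an activity's score is the mean of its controls
    (a constructed scoring scheme),
  - every activity has the same target score of 5 (the course never states its
    target),
  - control identifiers use the NIST CSF subcategory naming, e.g. "RC.IM-1".
The rater scores are constructed so the two activities discussed in the video
(recovery improvements, then response improvements) come out on top.
"""
from collections import defaultdict
from statistics import mean

TARGET_SCORE = 5.0  # assumption: same target for every activity

# Constructed interview scores: control_id -> one score per interviewee.
CONTROL_SCORES = {
    "RC.IM-1": [1, 1, 1],   # averages 1, as in the video
    "RC.IM-2": [2, 2, 2],   # averages 2, as in the video
    "RS.IM-1": [3, 4, 3],   # "below a five"
    "RS.IM-2": [4, 4, 3],   # "below a five"
    "PR.AC-1": [5, 4, 5],   # constructed contrast activities
    "PR.AC-2": [4, 5, 5],
    "DE.CM-1": [4, 4, 5],
}

# Human-readable activity names keyed by the prefix shared by their controls.
ACTIVITIES = {
    "RC.IM": "Recovery Improvements",
    "RS.IM": "Response Improvements",
    "PR.AC": "Identity Management and Access Control",
    "DE.CM": "Security Continuous Monitoring",
}


def activity_of(control_id):
    """'RC.IM-1' -> 'RC.IM' (the activity/category the control rolls up to)."""
    return control_id.rsplit("-", 1)[0]


def control_averages(scores):
    """Mean rater score per control."""
    return {cid: mean(vals) for cid, vals in scores.items()}


def activity_scores(control_avgs):
    """Roll control averages up to one score per activity."""
    grouped = defaultdict(list)
    for cid, avg in control_avgs.items():
        grouped[activity_of(cid)].append(avg)
    return {act: mean(vals) for act, vals in grouped.items()}


def rank_by_gap(act_scores, target=TARGET_SCORE, top_n=5):
    """Top risks as (activity prefix, activity name, gap), largest gap first."""
    gaps = [(act, ACTIVITIES.get(act, act), target - score)
            for act, score in act_scores.items()]
    gaps.sort(key=lambda row: row[2], reverse=True)
    return gaps[:top_n]


def weakest_controls(control_avgs, activity):
    """Controls inside one activity, lowest average first: the drill-down step."""
    rows = [(cid, avg) for cid, avg in control_avgs.items()
            if activity_of(cid) == activity]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    avgs = control_averages(CONTROL_SCORES)
    for act, name, gap in rank_by_gap(activity_scores(avgs)):
        print(f"{act:6} {name:40} gap {gap:.2f}")
    top = rank_by_gap(activity_scores(avgs), top_n=1)[0][0]
    print("drill-down for", top, weakest_controls(avgs, top))
```

The numbers alone only tell you where to look; the drill-down list is the starting point for the people/process/technology/management analysis described in the video, and the "why" still comes from the interview notes and the experts.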
- Goals and components of an information security program
- Measuring and managing information risks
- Reducing risks to an acceptable level
- Using a workflow to organize your work
- Communicating progress with executives and stakeholders
- Demonstrating compliance