Information Security Risk Policies
January 24, 2020 by Loren Lachapelle
Once you’ve chosen a format and have started planning your Information Security Policy (ISP) documents, you must understand and document risk – a factor that will influence how you make decisions within the organization and develop your policy to its fullest potential.
What is risk?
Risk is the potential of an undesirable or unfavorable outcome resulting from a given action, activity, and/or inaction. The motivation for “taking a risk” is a favorable outcome. “Managing risk” implies that other actions are being taken to either avoid the risk, mitigate the impact of the undesirable or unfavorable outcome, or enhance the likelihood of a positive outcome.
Inherently, risk is neither good nor bad. All human activity carries some risk, although the amount varies greatly. Risk-taking can be beneficial and is often necessary for advancement, for example, taking risks as an entrepreneur. Risk-taking can, however, be detrimental when ill-considered or motivated by ideology, dysfunction, greed, or revenge. The key is to balance risk against reward by making informed decisions and then managing the risk in line with organizational objectives. The process of managing risk requires organizations to assign risk-management responsibilities, establish the organizational risk appetite and tolerance, adopt a standard methodology for assessing risk, respond to risk levels, and monitor risk on an ongoing basis.
When you sit down and start writing, it’s good to know the difference between risk appetite and risk tolerance and to decide on your organization’s thresholds. Risk appetite is broadly defined as the amount of risk an entity is willing to accept in pursuit of its mission. Risk tolerance is how much of the undesirable outcome the risk-taker is willing to accept in exchange for the potential benefit, and it is specific to the target being evaluated.
Information Security Risk Assessment Policy
After you understand and have agreed upon the organization’s risk appetite and tolerance, you should conduct an internal risk assessment that includes:
- Identifying inherent risk (the risk before any controls are considered) based on relevant threats, threat sources, and related activities
- Determining the impact if the threat source were successful
- Calculating the likelihood of occurrence, taking into consideration the control environment, in order to determine residual risk (the risk that remains after existing controls are applied)
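To make the three steps concrete, here is an added illustration, not code from the book excerpt: a small qualitative risk-scoring pass over a constructed risk register. It scores inherent risk from threat likelihood and impact, discounts likelihood by the effectiveness of the existing controls to get residual risk, rates both, and then records who may accept the residual risk under the kind of response policy discussed later in this article (low risks by the business process owner, elevated and severe risks by executive management, with the board informed of accepted severe risk). The three-point scales, the rating bands, the register entries and the control-effectiveness values are all assumptions chosen for the example.

```python
"""Added example: inherent vs. residual risk scoring over a constructed register.

The scales, rating bands and register entries are assumptions for illustration,
not values taken from Security Program and Policies.
"""
from dataclasses import dataclass

# Assumed 3-point qualitative scales for likelihood and impact.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    name: str
    threat_source: str
    likelihood: str               # chance the threat source succeeds with no controls in place
    impact: str                   # consequence to the organization if it does
    control_effectiveness: float  # 0.0 = no effective controls ... 1.0 = fully effective (assumed scale)


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the assumed scales gives a 1..9 score."""
    return LEVELS[likelihood] * LEVELS[impact]


def rate(value: float) -> str:
    """Map a numeric score to the rating words used by the response policy (assumed bands)."""
    if value >= 6:
        return "severe"
    if value >= 3:
        return "elevated"
    return "low"


def inherent_risk(risk: Risk) -> int:
    """Step 1: risk before the control environment is considered."""
    return score(risk.likelihood, risk.impact)


def residual_risk(risk: Risk) -> float:
    """Step 3: controls are assumed to lower likelihood, not impact; the score is
    reduced in proportion to how effective the existing controls are."""
    reduced_likelihood = LEVELS[risk.likelihood] * (1.0 - risk.control_effectiveness)
    return round(reduced_likelihood * LEVELS[risk.impact], 2)


def acceptance_authority(rating: str) -> tuple[str, bool]:
    """Who may accept a residual risk at this rating, and whether the board must be told."""
    if rating == "low":
        return "business process owner", False
    if rating == "elevated":
        return "executive management", False
    return "executive management", True   # severe: accepted by executives, board informed


def assess(register: list[Risk]) -> list[dict]:
    """Run the assessment over every register entry and return one record per risk."""
    results = []
    for risk in register:
        inherent = inherent_risk(risk)
        residual = residual_risk(risk)
        residual_rating = rate(residual)
        accepted_by, inform_board = acceptance_authority(residual_rating)
        results.append({
            "name": risk.name,
            "threat_source": risk.threat_source,
            "inherent": inherent,
            "inherent_rating": rate(inherent),
            "residual": residual,
            "residual_rating": residual_rating,
            "accepted_by": accepted_by,
            "inform_board": inform_board,
        })
    return results


# Constructed sample register (not real data).
REGISTER = [
    Risk("Unpatched internet-facing web server", "external attacker", "high", "high", 0.5),
    Risk("Lost laptop holding customer records", "theft or loss", "moderate", "high", 0.9),
    Risk("Shared office printer outage", "hardware failure", "low", "low", 0.0),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['name']}: inherent {row['inherent']} ({row['inherent_rating']}), "
              f"residual {row['residual']} ({row['residual_rating']}), "
              f"accept by {row['accepted_by']}, inform board: {row['inform_board']}")
```

Two things worth noticing in the output: the web server stays above "low" even after a half-effective control, so it cannot be accepted by the process owner alone, while the laptop risk drops from severe to low because full-disk encryption (the assumed control) addresses almost the whole likelihood of disclosure. Reviewing which entries change rating between inherent and residual is exactly what tells you whether the control environment is doing its job.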
An Information Security Risk Assessment Policy document should be the outcome of the initial risk assessment exercise and exists to assign responsibility and set parameters for conducting future information security risk assessments. The policy statement should include the following elements:
- The company must adopt an information security risk assessment methodology to ensure consistent, repeatable, and comparable results.
- Information security risk assessments must have a clearly defined and limited scope. Assessments with a broad scope become difficult and unwieldy in both their execution and documentation of the results.
- The Chief Information Security Officer (CISO), or equivalent in your organization, is charged with developing an information security risk assessment schedule based on the information system’s criticality and information classification level.
- In addition to scheduled assessments, information security risk assessments must be conducted prior to the implementation of any significant change in technology, process, or third-party agreement.
- The CISO and the business process owner are jointly required to respond to risk assessment results and develop risk reduction strategies and recommendations.
- Risk assessment results and recommendations must be presented to executive management.
Information Security Risk Response Policy
After you’ve done a risk assessment and written a standard policy for employees to follow, you should start working on an Information Security Risk Response Policy to help you continuously manage risk by accepting or mitigating it as it arises.
One component of risk management is acceptance, which indicates that the organization is willing to accept the level of risk associated with a given activity or process. Generally, this means that the outcome of the risk assessment is within tolerance.
The other part of risk management is risk mitigation – the process of reducing, sharing, transferring, or avoiding risk. Risk reduction is accomplished by implementing one or more offensive or defensive controls in order to lower the residual risk. Risk transfer and risk sharing are undertaken when organizations desire and have the means to shift risk liability and responsibility to other organizations.
Transferring risk is often accomplished by purchasing cyber liability insurance, while sharing risk shifts only a portion of the risk responsibility to another organization. Note that insurance shifts the financial loss, not the organization’s accountability for the outcome. On the other hand, an organization may want to avoid the risk completely by taking specific actions to eliminate or significantly modify the process or activities that are the basis for the risk.
Because there are so many options when it comes to managing risk, your organization should have an Information Security Risk Response Policy to refer to, which will help define information security risk response requirements and authority. Rules of thumb for successful policy statements include:
- The initial results of all risk assessments are provided to executive management and the business process owner within seven days of completion.
- Low risks can be accepted by business process owners.
- Elevated risks and severe risks (or comparable ratings) must be responded to within 30 days. Response is the joint responsibility of the business process owner and the CISO. Risk response recommendations can include acceptance, risk mitigation, risk transfer, risk avoidance, or a combination thereof. Recommendations must be documented and include an applicable level of detail.
- Severe and elevated risks can be accepted by executive management.
- The Board of Directors must be informed of accepted severe risk. At their discretion, they can choose to overrule acceptance.
Understanding, assessing, and managing the risk that your organization faces daily – along with related information policy – are the basis of a successful information security program. Get started on your risk policies today!
Note: This article is an excerpt from Security Program and Policies: Principles and Practices (2nd Edition) by Sari Greene, founder of Sage Data Security, now part of Tyler Technologies, Inc. as Tyler Cybersecurity.