Risk Assessment

IT Products Security Evaluation

When we buy a home, or look for a rented apartment, we give our specifications to the real estate manager or house broker, or we look carefully at the apartment specifications in the advertisement. Our specifications would certainly include physical security and the availability of water and power. Sometimes we may also inquire about negative events affecting the place and their impact, such as floods or proneness to earthquakes. In the same way, when we procure Information Technology products such as software, operating systems, databases and network devices, we need to perform an assessment to validate their ability to meet our security requirements. We do not need to perform that assessment on our own; instead, the Common Criteria for Information Technology Security Evaluation Certificate Authorizing Members and third-party certification assurance agencies across the globe provide these details to IT product consumers.

Performing risk assessment in a nutshell

IT enterprise security risk assessments are performed to let organizations assess, identify and adjust their overall security posture, and to enable security, operations, organizational management and other staff to collaborate and see the whole organization from an attacker's point of view. This process is required to obtain organizational management's commitment to allocate resources and implement the appropriate security solutions. Here are a few reasons why you need a Risk Assessment:

BCP – Dust it off!!! It’s high time to revamp, rediscover and reconstruct it!!

As we all know, a Business Continuity Plan is unique to an organization. We might have an organization-level or a project-level business continuity plan. How many of us really read the business continuity plan of our project/organization, rather than keeping it as an artifact for audits?

Third party vendor risk assessment – An ISO 27001 perspective and challenges during assessment

Vendor risk assessment is gaining significant importance in today’s cyber security world. Vendor Risk Management (VRM) is the process by which an organization ensures that its vendors do not cause any loss to the business in any form (financial loss, reputation loss, data loss, etc.). This article describes the challenges faced during the vendor risk assessment life cycle, specific to vendors, with references based on the ISO 27001 standard.

Why implement vendor risk assessment?

One of the major problem areas of enterprise risk management is the risk associated with vendors. Managing a huge number of vendors and other third-party relationships is difficult for any organization.

Accommodating Challenges into Risk Assessment Process

As Confucius said, “To know that we know what we know, and that we do not know what we do not know, that is true knowledge,” and this is the primary objective of undertaking a realistic risk assessment rather than an uncertain one. Both risk and risk assessment are affected by uncertainty. The intent is to assess a realistic ‘risk’ and reduce the ‘uncertainties’. Ill-informed inputs, or a lack of clarity as to how to identify, analyze or evaluate risks, could potentially lead to a disastrous outcome or to uncertainty about meeting objectives. Frameworks such as OCTAVE-Allegro, FAIR, ISO 31000 and ISO 27005 can be used to establish accurate impacts and probabilities, or to strengthen the risk assessment. One starting point for evaluation is to decide whether the assessment approach for dynamic systems should be quantitative or qualitative. Making decisions without all the information necessary for a quantitative risk assessment may only increase the uncertainty of the resulting risk values.

Tackling the Challenges of Managing Third Party Risk Assessments

Performing information security risk assessments for third parties has become a recognized part of the annual compliance and risk management plan in many companies, particularly in highly regulated industries. While conducting risk assessments is a day-to-day activity, there are several problem areas that can limit effectiveness and prevent overall program targets from being met.

What are some of the challenges companies face in developing or managing a third party risk management program?

1. We have thousands of third parties in our company. How do we prioritize vendor risk assessments to address the highest risks first?

Third Party Tiering Since One Size Does Not Fit All

Managing third party risk is a critical challenge facing Information Security leaders today. High-profile data breaches are reported regularly in the media. Regulators are increasing the focus on requirements for identifying and managing risk for third parties, particularly for financial services and retail corporations. In line with added scrutiny on cybersecurity and data breach practices, boards of directors are more frequently raising questions about the state of controls for critical third parties.

Establishing a third party risk management program means tackling several problems, such as the sheer number of third parties to assess. Using a disciplined approach and best practices such as third party tiering can help to reduce the problem to a more manageable size.

What is third party tiering?

Risk Assessment: How do I start?

Cyber Security

We are not discussing here why we need risk assessment (RA); at times, though, security personnel wonder how to start with it. Instead of treating RA as an input criterion for implementing mitigation controls, we need to understand the objective behind this exercise.
The output of an RA and the subsequent treatment plan is definitely a set of action items to reduce the likelihood of risks, but how do we ensure we do it the right way? Are we measuring risk impact purely on the judgement of the assessor, or do we have a basis for it? If such a basis is available, is it aligned to project/business goals?
Now let us think in reverse: are our project/business goals defined? If yes, have we considered them in our RA strategy?
We need to define clear business goals, and also define parameters against each goal, which will help us to assess the impact on the business in case a risk materializes. This can only be done with input from top management.