Is Your Information Security Risk Assessment Worth Reading?
Bankers have a long tradition of performing risk assessments in certain areas. Some are rooted in pure business logic, some are purely bureaucratic in nature, and most have roots that cross these boundaries. In some areas, the performance of documented risk assessments is an infant child of the 21st century. Information security risk assessments are one of these new children, and they are not at all like many of the traditional risk assessments. The Gramm-Leach-Bliley Act (GLBA) codified requirements triggering regulatory mandates that include very specific requirements regarding the assessment of risk for information security. Oddly, this author sees great value in the GLBA assessment methodology requirements for all technology-related security matters, not just those that relate directly to consumer non-public personal information.
The information security risk assessment is perhaps not unique, but it is certainly in the minority of the types of assessment that bankers must perform. What makes it different is that traditional summarized results have absolutely no value whatsoever. The GLBA regulatory requirement calls for assessment of risk for all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information, or customer information systems. We take special note of two points in that verbiage: first and most important is the word "threats", second is the word "customer". Our thoughts on those, in reverse order, are:
Customer: The regulation applies to consumer customer information and information systems. The process requirements conveniently define a solid methodology for all bank information, and the security controls for all such information are inherently interdependent. Therefore, an assessment methodology that attempts to segregate consumer customer information and systems from all other bank and customer information and systems is doomed to failure and flawed results.
Threats: Threat is the single most important word in this article and in the information security risk assessment process. A proper assessment will identify at a minimum several hundred threats, and for moderately complex community banks, numbers in the low thousands are typical. Voluminous detail is conducive to failed thinking in results reporting. The natural tendency to boil down the results into summary statements is proper, as Directors on the Board must quickly and efficiently absorb the knowledge gained from the process. However, the most frequent failure is to average risk ratings rather than to quantify them, rendering the summary results meaningless.
The entire point of assessing information security risk is to identify specific threats whose risk exceeds the acceptable level of risk to the institution, because a single threat, once exploited, may enable a devastating breach of security. Averaging a high-risk threat with a low-risk threat falsely implies that the overall risk is average, moderate, or otherwise somewhere between the high and the low. Information security is analogous to a container meant to hold a liquid. Any hole in the container should be perceived as a means by which all contents of the container may escape (or through which all contents may be tainted).
Properly boiled-down results of an information security risk assessment must at the very least identify ALL specific threats whose individual assessed mitigated risk exceeds the institution's tolerance for acceptable risk. In addition, the summary report should contain management recommendations to the Board on how to address each such threat and further mitigate its risk to an acceptable level (or eliminate it).
Additional information summarizing the number of threats assessed can be informative and useful; for example, a report identifying 25 problematic threats may seem very negative, but if 2500 threats were assessed, the true nature of the overall status is made clearer (it does not, however, lower the seriousness of the 25 threats). Averaged risk numbers, by contrast, do not achieve the purpose of the assessment and always falsely lower the representation of the actual security threats that need to be addressed.
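To make the averaging failure concrete, here is an added worked example (mine, not from the article): a small constructed threat register scored as likelihood × impact × (1 − control effectiveness), an assumed 1-to-25 scale and an assumed Board tolerance of 6.0, summarized both ways. The averaged summary reports the register as within tolerance while the threshold summary names the two threats that are not.

```python
from statistics import mean

# Constructed sample register: (threat, likelihood 1-5, impact 1-5,
# effectiveness of existing controls 0.0-1.0). Values are illustrative only.
THREATS = [
    ("Phishing against teller workstations", 5, 4, 0.6),
    ("Unpatched core banking server", 3, 5, 0.2),
    ("Lost encrypted laptop", 2, 3, 0.9),
    ("Misdirected customer statement", 2, 2, 0.5),
    ("Cleaning crew access to paper records", 1, 2, 0.5),
    ("Vendor default password on ATM", 2, 4, 0.8),
    ("Tailgating into a branch back office", 2, 2, 0.6),
    ("Backup tape lost in transit", 1, 4, 0.7),
]

# Board-set ceiling on mitigated risk (assumed value on the same 1-25 scale).
RISK_TOLERANCE = 6.0


def mitigated_risk(likelihood, impact, control_effectiveness):
    """Assumed scoring: inherent risk (likelihood x impact) reduced by controls."""
    return likelihood * impact * (1 - control_effectiveness)


def averaged_summary(threats, tolerance):
    """The flawed summary: one averaged number for the whole register."""
    avg = mean(mitigated_risk(l, i, c) for _, l, i, c in threats)
    return {"average_risk": round(avg, 2), "exceeds_tolerance": avg > tolerance}


def threshold_summary(threats, tolerance):
    """The summary the article calls for: every threat above tolerance, by name."""
    scored = [(name, round(mitigated_risk(l, i, c), 2)) for name, l, i, c in threats]
    exceeding = sorted((t for t in scored if t[1] > tolerance),
                       key=lambda t: t[1], reverse=True)
    return {"assessed": len(threats), "exceeding": exceeding}


if __name__ == "__main__":
    # Average of 3.5 reads as "moderate, within tolerance" and hides both holes.
    print(averaged_summary(THREATS, RISK_TOLERANCE))
    report = threshold_summary(THREATS, RISK_TOLERANCE)
    print(f"{len(report['exceeding'])} of {report['assessed']} threats exceed tolerance:")
    for name, risk in report["exceeding"]:
        print(f"  {risk:5.1f}  {name}")
```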
The exact details of your methodology for assessing each threat can vary widely, and they can be made more detailed and more accurate than the minimum requirements of the regulatory guidance, but the guidance standards are a reasonable starting point and they must be met. Establishing a solid methodology requires a great deal of time and effort, and this investment is significant for all institutions.
BUT: If your information security risk assessment summary report to the Board contains averaged risk results, it should be changed, because the report inaccurately reports risk, and the error is in an unsafe direction. If the report does not identify all specific threats exceeding the acceptable risk level (which the Board should establish), all the money and time invested in the process has been wasted.