As information security professionals, we conduct risk assessments for companies, projects, new businesses and start-ups, etc. To complete this task, we follow guidelines from trustworthy sources, not limited to online searches, consultancies and security standards. Risk assessment formats might be different from company to company, and the methodology is usually stated in a separate document where it could be customized to the company or the project. Let’s go over clear and practical approaches to working through some of the inevitable challenges that may arise in assessing risk.
A crucial document is the Risk Treatment Plan, which should contain the mitigation action for the identified risks. As a practice, most of us will have a new control in place or a current control can be updated to reduce the risk to an acceptable level. There are also situations where companies accept some risks even if the risk is not lowered to an acceptable level. This could be only for specific business reasons with appropriate approvals and workarounds to control the risk.
Let’s look into a normal scenario where mitigation actions are required. When we have a bunch of controls to put in place according to our risk treatment plan, it could be challenging in the real world. For example, the control may affect other departments where approval of different authorities is required, the application of control may cost a certain downtime or disrupt some services where application should be planned accordingly, or the control may incur a significant cost. There could be many more examples than the ones I have provided here, but looking into them, we understand that it’s unlikely to be able to handle these on an ad-hoc basis. The best approach is to handle each treatment plan (each control) per risk as a project. This does not mean that we need to get a project management specialist, but rather to follow the basic project management techniques. This will help us to track and implement controls in a structured manner, which also could be presented to management as a summary.
I prefer to explain this with an example – for instance, a risk treatment plan regarding the implementation of data classification controls within the company. How could we treat this requirement via a project management approach? Please note, the below approach is not strictly following the project management principles, but the key techniques are used, and customized, for our requirement.
First, it is required to identify the requirement clearly (the final outcome). For this instance, let’s say that company data needs to be classified and the data should be monitored and controlled according to the defined classification. Since this is a wide scope, we need to break it into phases and decide on milestones. Further, each phase should have multiple tasks to achieve the milestone.We call this a WBS (work breakdown structure). We got the main tasks and the sub-tasks defined along with an estimated time taken to complete each task. Also, if there is a cost and if there are dependencies involved for the task, they should be flagged as well.
|
Current Risk – High Potential Risk After Implementation – Low |
|||||
|
Task |
Duration |
Start Date |
End Date |
Cost |
Dependencies |
|
01 - Identify Company Data |
17 Days |
11-06-2020 |
01-07-2020 |
XX |
Task 2.4 |
|
1.1 - Identify HR Dept Data |
7 Days |
11-06-2020 |
22-06-2020 |
XX |
Task 2.4 |
|
1.2 - Identify Finance Dept Data |
10 Days |
18-06-2020 |
01-07-2020 |
N/A |
N/A |
|
02 - Classification approval on Identified Data |
|||||
*Note: these are examples, not actual tasks for the project.
It will look like the above table, and once this is entirely populated with proper data, you can calculate the effort (cost and time) required for the project. It is also important to know that the WBS is always updating and changing according to the latest update of the project. For example, if some tasks are not carried out on time, a rescheduling should take place, which should be reflected in the WBS.
However, in the initial stage, the potential tasks and estimated time and costs that are populated will provide a reasonable overview of the project, allowing management to make the needed decisions, such as approving the projected effort to mitigate the current risk.
Following this method, we will have a table for each mitigation control provided in the risk treatment plan. We can use these plans in many ways to benefit us. Reports/charts can be made with the overall effort for all control implementation with a time and cost projection, which could be a very useful tool for the management, so management can plan budgets and resources for the risk mitigation requirement.
Further, we could use a similar technique for any other information security-related project or initiation. I hope this helps you to carry out tasks, projects and goals within your departments with a more clear and practical approach, as well as minimize the cost and effort for external project management consultancy.