Defining risk controls that actually work

Previously, we looked at practical ideas for conducting the complex information security risk assessments that all enterprises should regularly perform. The right methodology will guide identifying the threats and vulnerabilities to which an organization is subject. Once that is done, it’s time to reinforce the right controls to mitigate them.

While it may seem counter-intuitive, the most important first step is to evaluate your control environment independent of the risk assessment process itself. This can be challenging when your mind is set to assessing risk. But starting by instituting controls against a particular type of threat that may be pinpointed in the risk assessment, for instance ransomware, will produce an unwieldy volume of controls when factored against the multitude of risks that may be identified.

It’s better to separate these tasks and start from the perspective of maintaining a healthy baseline of controls to mitigate the risk of multiple threats. Once you have that, you can plug your control inventory into your risk assessment process. Do make sure you’ve already chosen your control framework to prevent reinventing the wheel and to optimize and reinforce the controls you need.

Peeling the layers

A layered approach to the design of each control will dissect existing controls and find the potential gaps in them. Let’s consider the key elements of a standard control:

Policy. Start with the most basic question—do you have a policy in place? Is your policy published and known to all employees and users? Is the policy reviewed periodically for changes and updates?

Procedure. Do you have a documented procedure to implement your policy? Is your procedure realistic and achievable? Is your procedure commensurate with the size and complexity of your organization?

People. The next step is to look at people controls. Who you have assigned as the owner of the control? Who is responsible for maintaining applicable technology? Does that person have a team that can keep up with this need? Do they have the capabilities to maintain the control? Can they help the broader organization understand the criticality of the control? Do they receive applicable training, and in turn train users? Do they enforce the policy and procedure, and periodically evaluate it to determine if adjustments are necessary?

Technology. Do you have a system you use to keep up with the requirements of the control? Have you automated processes as much as you feasibly can? Do you have monitoring and logging capabilities?

Validation. Once you have a control in place, do you have internal auditing procedures in place to verify it? Or do you have a compliance team to conduct direct reviews? Do you review your control periodically? It’s very important to conduct a periodic validation to ensure that the control is operating as originally designed.

Peeling back these five layers will tell you the health level of each control regarding its ability to mitigate risk.

In addition, the more complex and stringent the control, the more costly its level of effort. For example, examining user access control in the context of Sarbanes-Oxley (SOX) requirements will involve looking at system administrators and users who can modify the data. But when conducting a HIPAA risk assessment, the HIPAA security rule requires looking at every single user who has access, including those who can only read, but not modify, data.

A practical solution is to apply different levels of compliance to each control based on the requirement. So, as an example, a level 1 user access review control for Personally Identifiable Information would have less stringent requirements than a level 2, which could be related to SOX, or a level 3 related to Protected Health Information for HIPAA. Associating levels of compliance to each control would provide a more standardized view of the controls applied across the organization, and make sure that each is applied based on its objectives and scope.

Ready for risk assessment

Next it’s time to finalize the risk assessment process. The inherent challenge is always to fully determine how the nature of a control is connected to the greater risk assessment scope. To that end, an organization would need to examine each control in the context of applicable regulations in the scope of the assessment, to make sure it is meeting the minimum risk mitigation requirements.

In addition, while some companies may opt to perform assessments at some of the specific regulation level (e.g., SOX, GDPR, HIPAA and the like), more established organizations may pursue a top-level approach that encompasses all applicable regulations at a higher level, which may support the information security budgeting process and confirm it is properly allocated to the higher risk areas.

This is especially helpful for organizations that have segmented information security operations, such as geographically dispersed CISOs. Any deviations on infosec program execution could be identified throughout the risk assessment, providing a standardized risk view across all segments.

While some may look at risk assessments as a burden, don’t overlook their importance and value. Even though it might be a legal requirement, it’s also an opportunity to benefit your organization by improving processes while lowering risk.

Security groups can seize this opportunity, not as a way to assign blame or highlight anyone’s shortcomings, but to really examine how the assessment can help the organization improve. Doing so also creates an excellent opportunity to identify and request additional budget and resources if needed, or to confirm that resources are correctly aligned with tolerable risk profile. When executed in the right spirit, this exercise is a value-add for the organization, reducing your risk and improving your overall information security posture.

Don't miss