Please share your comments; critics make life meaningful!

Thursday, September 9, 2010

New Perspectives on Asset Based Risk Assessment

An asset based risk analysis approach does not in any way negate the specific risk assessment methodology that an organisation chooses for itself. While the list of assets may run into millions of rows, they can mostly be grouped into asset types for the purpose of risk assessment, and a comprehensive risk for each asset type can be identified as per a risk assessment methodology that is specific to the organisation.


Enterprises have often adopted different groupings of assets; the ones that I have seen working in practice are service based and business process based. Basically, one documents the services offered by the organisation (typically where the organisation sells goods or services to other organisations or businesses) or the business processes running in the organisation (mostly where the organisation sells products or services to end customers). Then, per service or business process, identify the asset groups used and the risks to them from a customised T-V list (a repository of threats and vulnerabilities specific to the concerned sector and the individual organisation); with a bit of quantitative or qualitative scoring (as appropriate), work out the risk grade (High/Medium/Low) and you have your risk list, which can be converted to a risk map for the relevant target audience.


Risk based selection of controls similarly does not preclude common sense, best practices, incident learnings, client specifications etc. The customised T-V list above should capture all these elements and more. When a risk assessment exercise is done, it is not merely how confidentiality, integrity and availability (CIA) are impacted for an asset directly, but how that asset is used in a service or process, and how extensive, unique and customised the T-V list is, that brings out the risks to the specific business entity.
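The procedure in the two paragraphs above (document the business processes, map each to the asset groups it uses, match those groups against a customised T-V repository, score, grade and roll up into a risk map) can be written down as a small register-building routine. The following Python is an added illustration and not code from the original post; the 1 to 5 likelihood and impact scales, the likelihood × impact scoring, the High/Medium/Low thresholds (15 and 8), and every process, asset group and T-V entry in it are constructed sample values, chosen only to make the mechanics visible. The `source` field on each T-V row is there to show how incident learnings, client specifications and sector best practice all land in the same repository rather than bypassing the risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatVuln:
    """One row of the customised T-V repository (constructed example rows below)."""
    threat: str
    vulnerability: str
    source: str            # where the row came from: sector baseline, incident learning, client spec...
    likelihood: int        # assumed 1 (rare) .. 5 (almost certain)
    asset_types: frozenset # asset types this threat/vulnerability pair applies to


@dataclass(frozen=True)
class AssetGroup:
    """Assets rolled up to one row; impact is assumed 1 (negligible) .. 5 (severe)."""
    name: str
    asset_type: str
    impact: int


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    asset_groups: tuple    # names of the asset groups this process depends on


# Constructed sample data; an organisation would replace all of this with its own.
TV_REPO = (
    ThreatVuln("Ransomware", "Unpatched file servers", "incident learning", 4, frozenset({"server"})),
    ThreatVuln("Credential theft", "Shared admin accounts", "sector baseline", 3, frozenset({"server", "workstation"})),
    ThreatVuln("Data leakage", "Unencrypted laptops", "client specification", 3, frozenset({"workstation"})),
    ThreatVuln("Power outage", "Single power feed", "best practice", 2, frozenset({"facility"})),
)
ASSET_GROUPS = (
    AssetGroup("Order DB servers", "server", 5),
    AssetGroup("Sales laptops", "workstation", 3),
    AssetGroup("Data centre", "facility", 4),
)
PROCESSES = (
    BusinessProcess("Order fulfilment", ("Order DB servers", "Data centre")),
    BusinessProcess("Field sales", ("Sales laptops",)),
)


def grade(score: int) -> str:
    """Assumed grading thresholds on a 1..25 likelihood x impact score."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def assess(processes, asset_groups, tv_repo):
    """Build the risk list: per process, per asset group, every applicable T-V row scored."""
    groups = {g.name: g for g in asset_groups}
    risks = []
    for proc in processes:
        for gname in proc.asset_groups:
            g = groups[gname]
            for tv in tv_repo:
                if g.asset_type not in tv.asset_types:
                    continue  # this T-V pair does not apply to this kind of asset
                score = tv.likelihood * g.impact
                risks.append({
                    "process": proc.name, "asset_group": g.name,
                    "threat": tv.threat, "vulnerability": tv.vulnerability, "source": tv.source,
                    "likelihood": tv.likelihood, "impact": g.impact,
                    "score": score, "grade": grade(score),
                })
    return risks


def risk_map(risks):
    """Heat-map cells for a management audience: count of risks per (likelihood, impact)."""
    cells = defaultdict(int)
    for r in risks:
        cells[(r["likelihood"], r["impact"])] += 1
    return dict(cells)


def grade_summary(risks):
    """Per-process count of High/Medium/Low risks, the view a process owner usually wants."""
    counts = defaultdict(lambda: {"High": 0, "Medium": 0, "Low": 0})
    for r in risks:
        counts[r["process"]][r["grade"]] += 1
    return dict(counts)


def run_example():
    risks = assess(PROCESSES, ASSET_GROUPS, TV_REPO)
    for r in risks:
        print(f'{r["process"]:16} {r["asset_group"]:16} {r["threat"]:17} '
              f'L{r["likelihood"]} x I{r["impact"]} = {r["score"]:2}  {r["grade"]}')
    return risks


if __name__ == "__main__":
    run_example()
```

Note that the same T-V row ("Credential theft") produces a High risk on the order database servers and only a Medium risk on the sales laptops: the score comes from where the asset sits in a process, which is the point the post makes about asset use rather than the asset in isolation.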


It is for the enterprise risk manager to come up with this methodology, and for all risk relevant functions (information security, physical security, OH&S etc.) to conduct their risk assessments adhering to this laid down methodology.
So the asset base should be taken as a base only, with a layer of organisation specific criteria above it to add that special customisation for a specific organisation. Thus, even within the same industry, two organisations can have very different risk assessment methodologies with such an approach.