After having conducted a security assessment of the organization it will then become necessary to take your security assessment data and conduct a risk assessment. In conducting a risk assessment you can begin to prioritize the activities that you want to implement first, second, and so on, as you build your security program. During the risk assessment, you will want to take what you learned from the organization's leaders and ensure your prioritization serves the organization's goals so that you effectively describe your assessment and plan in business terms. Ultimately, the introduction of an information security program is one of organizational change. You want to ensure that you are presenting the changes you wish to make in organizational terms versus IT terms. This will help you to win the approval of leadership, which will provide you with the needed authority and funding to make changes to the organization.
Managing an information security program is really about risk management. Ultimately, how an organization deals with specific vulnerabilities in its IT systems, business processes, and staff has to do with its ability to manage risk. Organizational leaders are going to want to understand how vulnerabilities found in the assessment are going to impact the organization's ability to conduct business or serve their customers. Leadership will also want to understand the likelihood of a risk occurring and what the potential impact could be if this occurred.
It is important to identify the possible business impact of the risk. Each business owner will have its own risk concerns, and each business risk will be tied to a business function/dollar amount. Recommendations for fixes, mitigations, and so on, should tie into the return on investment (ROI). For example:
- A HIPPA violation could cost an organization millions, however, a solution to the risk might only cost $38,000 annually, which will mitigate the risk and lower the overall risk posture.
- If you break that $38,000 down by the number of users who have access to the data, say 11,000, you come down to $3.45 per user for minimizing the risk posture. Your return on investment is easy to argue, and gain leadership support for.
Armed with this information, you can build out a plan that describes the specific IT implementations that need to be carried out in an organization based on the assessments that were previously conducted and the risk assessment that followed. The plan contains the priorities identified in the risk assessment process.
Based on the risk assessment, you will know the following:
- What the top risks are in the organization
- What the most valuable assets are for your organization
- What risks are most likely to occur
- What the impacts will be when a risk occurs
With this information, you have everything necessary to build a well-supported evidence-based plan to move your organization forward as it changes to implement modern information security practices.