What’s the Difference Between a Formal and Informal Risk Assessment?
Risk assessments are a way of reviewing your assets, the threats to those assets, any vulnerabilities or conditions that leave them open to those threats, and what you are doing to mitigate the risk to those assets. What ultimately comes out of that analysis is an understanding of your residual risk: how likely it is that your assets will be harmed, and what the impact of that harm would be. When we’re discussing risk assessments, though, it’s helpful to add some context and de-mystify some of the terms that get thrown around. Today, we’ll tackle the difference between a formal and an informal risk assessment.
The Difference in Formal vs. Informal Risk Assessments
The difference between these two “types” of risk assessment is really pretty straightforward. We all make small, informal risk assessments every day of our lives. This is the time we take to consider a situation before taking an action. For example, if you’re considering diving into a pool on vacation, maybe you’re making a risk assessment of the likelihood you get injured and the impact of that injury, before actually jumping in. You aren’t writing down the depth of the pool or the cost of the hospital bills if you break your neck, you’re just thinking that risk is pretty high so you’re not going to do it.
On the flip side, when you conduct a formal risk assessment, you document everything that goes into forming an opinion about risk. A formal risk assessment is more likely to be conducted by an organization than a vacationing swimmer, but the output is still the same: an analysis of the risk of a situation that can be used to make decisions. When you formalize a risk assessment, you write down and document the entire process and the results. NIST has a published standard for risk assessments that, while long, does a great job of templating the assessment process and providing a starting point for things you should be considering.
The Key Pieces of a Risk Assessment
Overall, any risk assessment should contain the following standard sections, each customized to fit your organization and the situation or environment you are trying to assess:
- Assets – This should describe what you are trying to protect or what holds value in the assessed environment/situation. If you are evaluating your whole organization’s risk from an information security perspective, this might include things like the data you must protect (e.g. intellectual property, patient data, credit card data) and/or your physical assets (e.g. servers, workstations, network devices).
- Threats – This section will include all the potential threats you face, including threat actors, environmental threats, etc. NIST SP 800-30, the standard mentioned above, contains some great examples of threats in an appendix.
- Vulnerabilities or Pre-Disposed Conditions – When documenting everything that goes into a risk assessment, you’ve got to consider the known security vulnerabilities associated with your organizational assets. These should be discovered through your vulnerability management/scanning process, penetration testing results, etc. But the known vulnerabilities should also be combined with pre-disposed conditions that contribute to risk, such as a system that is exposed to the Internet or a system using legacy software.
- Mitigating Controls – The current security controls you have implemented, ranging from technical to administrative, play a part in your residual risk and should be considered as part of the process. Sure, maybe you have an administrative login exposed to the Internet, but if you’ve already got multi-factor authentication enabled for all accounts that changes your risk profile.
- Risk – Taking all of the above areas, you can now start to derive a likelihood and an impact of a threat being realized. This should help your organization make decisions on where additional security controls are needed, where to direct security-related personnel/resources, etc.
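The value of a formal assessment comes from writing each of these sections down in a form that can be compared, prioritized and revisited. As an added illustration that is not part of the original article, here is a small Python risk register with one record type per section above, and an `assess` function that derives likelihood, impact and a score both before and after mitigating controls are applied. The five-level scale, the +1/-2 adjustments, the score bands and the two sample scenarios are constructed for this example; they are not the scoring method that NIST SP 800-30 prescribes.

```python
"""Minimal risk register in the shape the article describes:
assets, threats, vulnerabilities/predisposing conditions and
mitigating controls, combined into likelihood x impact.

The five-point qualitative scale, the +/- adjustments and the score
bands are a constructed illustration, not a NIST SP 800-30 method."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    VERY_LOW = 1
    LOW = 2
    MODERATE = 3
    HIGH = 4
    VERY_HIGH = 5


def _clamp(value: int) -> Level:
    """Keep an adjusted likelihood/impact inside the 1..5 scale."""
    return Level(max(Level.VERY_LOW, min(Level.VERY_HIGH, value)))


@dataclass(frozen=True)
class Asset:
    name: str
    impact_if_harmed: Level   # what losing this asset would cost the organization


@dataclass(frozen=True)
class Threat:
    name: str
    source: str               # threat actor, environmental, etc.
    base_likelihood: Level    # likelihood with no conditions or controls considered


@dataclass(frozen=True)
class Condition:
    """A known vulnerability or predisposing condition that raises likelihood."""
    name: str
    likelihood_increase: int = 1


@dataclass(frozen=True)
class Control:
    """An implemented control; may lower likelihood, impact, or both."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Scenario:
    asset: Asset
    threat: Threat
    conditions: list[Condition] = field(default_factory=list)
    controls: list[Control] = field(default_factory=list)


def rating(score: int) -> str:
    """Constructed banding of the 1..25 score into a decision-friendly label."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def assess(scenario: Scenario, apply_controls: bool = True) -> dict:
    """Derive likelihood, impact and a 1..25 score for one scenario.

    apply_controls=False gives the inherent risk; True gives residual risk."""
    likelihood = int(scenario.threat.base_likelihood)
    likelihood += sum(c.likelihood_increase for c in scenario.conditions)
    impact = int(scenario.asset.impact_if_harmed)
    if apply_controls:
        likelihood -= sum(c.likelihood_reduction for c in scenario.controls)
        impact -= sum(c.impact_reduction for c in scenario.controls)
    lvl, imp = _clamp(likelihood), _clamp(impact)
    score = int(lvl) * int(imp)
    return {"likelihood": lvl, "impact": imp, "score": score, "rating": rating(score)}


def prioritise(register: list[Scenario]) -> list[tuple[str, str, int, str]]:
    """Residual risk for every scenario, highest score first."""
    rows = []
    for s in register:
        r = assess(s)
        rows.append((s.asset.name, s.threat.name, r["score"], r["rating"]))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; the first mirrors the article's exposed-admin-login case.
ADMIN_PORTAL = Scenario(
    asset=Asset("Admin portal (patient data)", Level.HIGH),
    threat=Threat("Credential stuffing", "external attacker", Level.MODERATE),
    conditions=[Condition("Admin login exposed to the Internet")],
    controls=[Control("MFA on all accounts", likelihood_reduction=2)],
)
FILE_SERVER = Scenario(
    asset=Asset("File server", Level.VERY_HIGH),
    threat=Threat("Ransomware", "criminal group", Level.MODERATE),
    conditions=[Condition("Legacy, unpatched OS")],
    controls=[Control("Offline backups", impact_reduction=2)],
)
REGISTER = [ADMIN_PORTAL, FILE_SERVER]

if __name__ == "__main__":
    print("inherent:", assess(ADMIN_PORTAL, apply_controls=False))
    print("residual:", assess(ADMIN_PORTAL))
    for row in prioritise(REGISTER):
        print(row)
```

Running it shows the point made under Mitigating Controls: the exposed admin login starts at an inherent score of 16 (High), and enabling MFA leaves a residual score of 8 (Moderate) without changing the asset's impact at all. The `prioritise` output is the kind of ranked list a formal assessment hands to the people deciding where the next control or the next hire goes.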
The Advantages of Performing a Risk Assessment
What does all this do for you? Why would you perform a formal risk assessment for your organization? For many organizations, the unfortunate answer is that they are doing it because they have to for compliance purposes, due to things like PCI DSS or HIPAA. But risk assessments can be extremely valuable to conduct and maintain as you manage organizational risk and mature your security program. Beyond simple compliance, a risk assessment can help identify under-funded or insecure areas of your security program, help highlight risks to obtain organizational buy-in and budget, or ensure that you stay ahead of the ever-changing threat landscape as new things arise (e.g. SUNBURST).
A formal risk assessment can be performed internally or by a third-party, so contact us if you need help completing this process or just want to better understand the approach. Many times, an impartial third-party can help you better assess your risk and avoid common blind-spots or misconceptions.