by Mark McCullough | Technical Consultant at Taos
Most organizations understand the value of a risk assessment. It can help define how you architect and operate all of your IT resources, and even how you define your business processes. Yet most organizations almost never update that assessment, nor do they use it effectively.
Risk assessment methodology is described in NIST SP 800-30r1. One of the most crucial points of that document is:
Yet management, security teams and business continuity teams all too often treat these documents as never-changing guidance. Organizations often perform annual penetration tests, but never ask themselves: are the flags given to the pen tester still appropriate? Is the scope definition still an accurate representation of where your most valuable assets are?
Even seemingly unrelated changes to your business can have a large impact on your risk of an incident. When you moved from that old building to the nice new one that is lined up with the local aircraft runway, did you take into account the danger of a small aircraft crashing into your building? The risk assessment needs to be updated regularly to ensure that you are governing the organization that is, not the organization that was.
But obsolete risk assessments aren’t the only issue to worry about. In order to properly update that risk assessment, you need to understand the methodology of the old one. Were the assumptions in the risk assessment clearly outlined? Was the approach chosen and model used for the previous assessment clearly defined? Without that information, your new risk assessment is just that, a new risk assessment, not an update, not something that can be compared to the last one in order to measure your effectiveness in meeting those risks.
Understanding where improvement has been made and where improvement failed to be made can be critical for helping management understand residual risk and the potential financial impact to the organization. The risk assessment should already incorporate a measure of how likely any given risk is, but that likelihood is tied to a specific time frame, such as the risk of that threat occurring in the next year. As vulnerabilities remain unmitigated, even an unlikely risk becomes expected. The chance of an earthquake in any given year may be low, but over many years, it must be anticipated.
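The compounding described above can be made concrete. The following is an added example, not code from the original post or from Taos; it assumes independent per-year likelihoods and uses a constructed 2% annual probability to show how an "unlikely" risk left unmitigated becomes an expected one over a multi-year horizon.

```python
# Added example (not from the original post): how a per-year likelihood
# compounds over a multi-year horizon when a risk stays unmitigated.
# Assumes each year's event is independent of the others.

def cumulative_likelihood(annual_probability: float, years: int) -> float:
    """Probability that an event with the given per-year likelihood
    occurs at least once within `years` years."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    if years < 0:
        raise ValueError("years must be non-negative")
    # P(at least once) = 1 - P(never in any of the years)
    return 1.0 - (1.0 - annual_probability) ** years


def years_until_likelihood(annual_probability: float, target: float) -> int:
    """Smallest whole number of years after which the cumulative
    likelihood reaches `target` (e.g. 0.5 for 'more likely than not')."""
    if not 0.0 < annual_probability <= 1.0:
        raise ValueError("annual_probability must be in (0, 1]")
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    years = 0
    while cumulative_likelihood(annual_probability, years) < target:
        years += 1
    return years


if __name__ == "__main__":
    # Constructed sample: an "unlikely" event rated at 2% per year.
    p = 0.02
    for horizon in (1, 5, 10, 25, 50):
        print(f"{horizon:3d} years: {cumulative_likelihood(p, horizon):.1%}")
    print("years until more likely than not:", years_until_likelihood(p, 0.5))
```

A risk rated at 2% per year is more likely than not to occur within 35 years; a risk register that carries only the per-year figure hides this, which is why the time frame behind each likelihood should be stated explicitly in the assessment and revisited when the assessment is updated.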
Change drives the modern technology-based organization. Your risk assessment has to be updated regularly, like every other tool you use.