Tag Archives: Reporting
Risk Registers
Something like this always appears on a Security Risk Register from the IT department:
“High Risk: The USB ports on the Servers are not locked down.”
And the security team in the IT Department sit and shake their heads and wonder why The Business doesn’t seem to understand how important IT security is. They’ve said it there: High Risk. Probably in an Excel Spreadsheet cell with a bright red background.
This isn’t a Risk to the Business. Something like “A journalist could obtain our list of sensitive clients, which would be extremely embarrassing and lead to loss of our client base and thus income” is a Business Risk. There is an understandable Threat (a journalist), a Target (the List of Sensitive Clients), an outcome of that threat succeeding which they can understand (loss of clients leading to a loss of business), and you can gauge how keen and capable that threat source is (can a journalist hack? Can they persuade someone to give them information? How interested are they likely to be?). That gives you a measure of how probable it is that the Risk will be realised and become an issue.
Now you have a realistic risk the Business can understand, and importantly might want to do something about. Then you can look at what you could do to Control that Risk. In this case, that could be such things as “Check employee backgrounds when we recruit them to jobs with access to the List of Sensitive Clients”, “Educate Users not to plug strange USB devices into computers”, maybe even: “Lock the USB ports”.
Then “the USB ports aren’t locked” becomes a Risk Control that is not currently effective, meaning that the Business Risk of “A journalist obtaining our Sensitive Client List” isn’t being controlled to the full expectation of the business. There are still other good controls, such as employees knowing not to plug stuff in, but there is a chink in the armour. Now you can tell a story that the business will understand, and they might well want to act on it. That one Control may actually be used to mitigate a whole range of Business Risks, in which case it not being effective would be a larger concern.
Of course, you could just fill the USB Ports with a two part epoxy…
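As an added illustration (my own sketch, not part of the original post), here is a small Python model of a risk register laid out the way the post recommends: each Business Risk names a threat, a target and an outcome, carries a likelihood and impact score, and lists the Controls meant to mitigate it. The register then works out which ineffective control is relied on by the most risks, which is the story to take to the business. The risks, controls and scores are constructed for the example; the scoring rule (each effective control reduces likelihood by one point) is an assumption, not a standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """Something we do to reduce a risk, and whether it currently works."""
    name: str
    effective: bool


@dataclass(frozen=True)
class BusinessRisk:
    """A risk phrased as the post suggests: threat, target, outcome."""
    threat: str
    target: str
    outcome: str
    likelihood: int        # 1 (remote) .. 5 (almost certain): how keen/capable the threat is
    impact: int            # 1 (trivial) .. 5 (severe): how bad the outcome is for the business
    control_names: tuple   # names of the Controls that mitigate this risk

    def describe(self) -> str:
        return f"{self.threat} could obtain {self.target}, leading to {self.outcome}"


def inherent_score(risk: BusinessRisk) -> int:
    """Risk before any controls are considered."""
    return risk.likelihood * risk.impact


def residual_score(risk: BusinessRisk, controls: dict) -> int:
    """Assumed rule: each *effective* control takes one point off likelihood (floor 1).
    A control that is not effective ('USB ports locked' when they aren't) counts for nothing."""
    effective = sum(1 for n in risk.control_names if controls[n].effective)
    return max(1, risk.likelihood - effective) * risk.impact


def control_gaps(risks: list, controls: dict) -> dict:
    """Map each ineffective control to the business risks that depend on it,
    most-depended-on first. One weak control covering several risks is the larger concern."""
    gaps = {}
    for risk in risks:
        for n in risk.control_names:
            if not controls[n].effective:
                gaps.setdefault(n, []).append(risk.describe())
    return dict(sorted(gaps.items(), key=lambda kv: -len(kv[1])))


def report(risks: list, controls: dict) -> list:
    """(description, inherent score, residual score) for every risk on the register."""
    return [(r.describe(), inherent_score(r), residual_score(r, controls)) for r in risks]


# Constructed sample register: illustrative names and scores, not from any real organisation.
CONTROLS = {c.name: c for c in [
    Control("Background checks for staff with client-list access", True),
    Control("Staff trained not to plug in unknown USB devices", True),
    Control("USB ports locked on servers", False),  # the IT register's 'High Risk' line
    Control("Leaver process revokes access on last day", True),
]}

RISKS = [
    BusinessRisk("A journalist", "our list of sensitive clients",
                 "embarrassment and loss of our client base", 4, 4,
                 ("Background checks for staff with client-list access",
                  "Staff trained not to plug in unknown USB devices",
                  "USB ports locked on servers")),
    BusinessRisk("A departing salesperson", "the customer database",
                 "a competitor poaching our accounts", 3, 5,
                 ("USB ports locked on servers",
                  "Leaver process revokes access on last day")),
]

if __name__ == "__main__":
    for desc, inherent, residual in report(RISKS, CONTROLS):
        print(f"{desc}\n  inherent={inherent} residual={residual}")
    for control, affected in control_gaps(RISKS, CONTROLS).items():
        print(f"Ineffective control '{control}' weakens {len(affected)} business risk(s):")
        for desc in affected:
            print(f"  - {desc}")
```

Running it shows the unlocked USB ports as one control underpinning two separate business risks, and flipping that control to effective drops both residual scores, which is the argument the business can actually weigh.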
