Why One Risk Assessment Isn’t Enough

by Chelsey Donohoe, M.A., Operations Specialist

Note: This post was originally a talk presented at the Texas Cyber Summit 2019 as “The Risk Management Hydra and why you need multiple assessments.”

Risk management is like a many-headed beast: one company’s risk management framework could include competitive, strategic, and operational risks; reputational, legal, and regulatory risks; cyber risks; and more! Just in the “cyber risk” arena, companies should consider factors such as privacy risks, internal threats, risks associated with data/media handling and disposal practices, supply chain cyber risks associated with third parties’ practices, software vulnerabilities, malware, hardware vulnerabilities, data center security, and physical and environmental security risks. In other words: what are the various factors that can compromise the confidentiality of our data and systems (making sure access is limited to only those who are supposed to have access), the integrity of our data and systems (making sure no one is tampering with assets), and the availability of our data and systems (making sure the data and systems are available for you to access when you need them)? These risks are managed by a combination of security controls, privacy controls, and contingency planning, including incident response planning.

Companies may choose to develop an internal risk assessment framework (or select an assessment from an external source, such as directly from a regulatory agency’s toolkit) and mistakenly believe that this sufficiently covers all aspects of cyber risk. However, this is unlikely to be the case; while there may be some overlap in the materials collected and the types of questions asked, each type of assessment will have a different defined scope, aim/purpose, and tailored set of audit protocols and outcomes to evaluate.

For example, business continuity/disaster recovery planning initiatives will typically include a Business Impact Analysis (BIA). The purpose of a BIA is to gather the information a company will need to take steps to prevent business disruptions, minimize the impact on operations should a disruption occur, and ensure the appropriate plans are in place to restore operations as efficiently as possible following a disruption. This means that the assessor will focus on questions like:

  • Which data and systems are absolutely “mission critical”? Which functions are most necessary to sustain operations and associated security controls?
  • How badly would it affect our operations, finances, and/or reputation if this asset… wasn’t available? was leaked? was tampered with or otherwise compromised?
  • What interdependencies do we need to account for; what else must be in place before we can use this asset?

The purpose of a privacy assessment, such as the Data Protection Impact Assessment (DPIA) mandated by the E.U.’s General Data Protection Regulation (GDPR), is quite different from that of the BIA. The focus is not on restoring operations but rather protecting individuals’ data privacy rights and civil liberties, asking questions like:

  • Which types of personal data are we collecting? How? Why/for what purposes?
  • From whom are we collecting and/or sharing data? Do we have the data subjects’ consent?
  • How are we processing these data?
  • Could these operations be considered “high risk”?
  • Which measures/safeguards are used to mitigate risk?

However, even with these different aims, there are still some overlaps across risk assessments, including BIAs and DPIAs: inventorying assets will be one of the initial steps, assessment methods should be reviewed and reapproved annually, and reassessments should be conducted annually and updated when operations change.
