Industry guidelines and standards often strongly recommend or even require a “risk assessment” to satisfy various regulatory and compliance requirements. However, not all assessments are created equal, as one entity’s assessment of risk may be another’s control evaluation.
Since risk assessment approaches can range from simple checklists and stratification (red/yellow/green) to weighted scores and probabilistic models, the FAIR Institute Cyber Risk Management Workgroup decided it was high time for some guidance on the topic.
The Workgroup has now published a summary of risk assessment expectations and guidelines from 15 regulatory and compliance entities. This compilation is intended for use by practitioners to explore where the benefits of quantification can be used to achieve stated objectives.
Author Steve Reznik is Director, Operational Risk Management at ADP
Further, while many entities now suggest quantification of risk using a consistent model or framework to improve the overall risk assessment process, one entity (PCI-DSS) specifically references FAIR as a framework to conduct a risk analysis. These recommendations may be indicative of a future movement in the direction of risk assessments fueled by FAIR.
To summarize this trend, the Workgroup analyzed guidance from the 15 leading entities against the following criteria:
- Language for risk assessment requirements
- Frequency that the risk assessment should be performed
- Does the entity recommend quantifying risk?
- Does the entity recommend measuring risk/use of metrics?
- Does the entity require monitoring changing risk levels over time?
- Intended use of the risk assessment
- Framework(s) or tools cited by entity
Download the matrix of risk assessment guidelines from FAIR Institute LINK (Institute membership required).
2018 Cyber Risk Management Workgroup Steering Committee Members:
Greg Rothauser, Sr. Information Risk Manager, MassMutual
Allison Seidel, Information Risk Management, PNC
Steve Reznik, Director, Operational Risk Management, ADP
Brandon Young, Managing Director, Cybersecurity Framework & Risk Assessment, Charles Schwab
Rachel Slabotsky, Risk Consultant, RiskLens, Fmr. Risk Assurance Manager, Ernst & Young
The Workgroup found both commonalities and differences and documented these in a matrix with links to the source documentation. It should be noted that this is a point-in-time document; therefore, users are responsible for keeping up with new and changing requirements.
The Workgroup concluded that, in some way, shape or form, a quality risk assessment should identify risks, i.e., the “what?”, and seek an understanding of “how?”, “how much?” and “how much less if we decide to make a change to the control environment?” Since FAIR is all about those “how” questions, whatever your regulation of choice (or no choice!) says, applying FAIR principles will enable your compliance while helping to optimize risk management decisions.