Risk management. Risk assessment. Risk analysis. High Risk. Low risk. The deeper you get into information security compliance, the more you start whining the word risk the way Jan Brady would scream, “Marcia! Marcia! MARCIA!” We hear the term so much it almost seems to lose meaning. However, the difference between a risk assessment and a risk analysis can be the difference between a data breach and security control.
Risk Assessment vs Risk Analysis
What is a Risk Assessment?
A risk assessment means you’re looking at the risks that external and internal threats pose to your data integrity, confidentiality, and availability. To thoroughly assess risks, you need to identify all potential events that may negatively affect your data environment and data ecosystem.
Examples of data risks:
- Data loss: a storage device fails, and you no longer have access to information
- Data corruption: A ransomware attack or malware infection corrupts the information making it unusable.
- Data breach: an unauthorized user gains access to your information systems, database, networks, or software
- Deanonymization: your data can be matched to personally identifiable information or your encryption fails.
What is a Risk Analysis?
A risk analysis takes your assessment one step further. When you analyze risk, you take a look at the risks you identified and determine how much damage they can cause. To analyze the risk, you need to consider not just what potential events can occur but how much harm they pose using qualitative or quantitative analysis. To analyze risk, you need to combine the likelihood of the event with the impact of the event.
Examples of risk analysis:
- Probability: the likelihood of the risk can often be quantified using historical data and security control reviews. High risk means that something has happened before and is likely to happen again, such as a malware infection. Low risk is something that may not have occurred in the last five years but remains a potential threat, such as a disgruntled employee stealing information.
- Impact: If a potential event can have a high impact on your business continuity or financial strength, then its likelihood may matter less. For example, your controls may seem adequate but the average cost of a data breach in the 2018 Ponemon Study was $3.86 million.
How to use a Risk Assessment to create a Risk Analysis
The most important aspect of the risk analysis is ensuring that you have adequately reviewed and cataloged all the potential events that can impact your data. Assessing risk means thinking creatively.
For example, if you’re a Covered Entity as defined by the Health Insurance Portability and Accountability Act (HIPAA), then you know your risks can lead to monetary fines. Perhaps, you’ve assessed your security risk and reviewed the controls in place that protect the data and protected health information (PHI) you collect.
However, you also need to assess your business associates, often third-party vendors. Anyone who comes into contact with your systems, software, and networks can be a risk. If you’re using a Software-as-a-Service platform to gather data, then you need to assess that vendor’s security controls and determine whether they align with your risk tolerance under HIPAA’s Security Rule.
A risk assessment that reviews all the potential threats to your data includes the risks third-parties pose as well as the risks inherent in your environment.
How to use Risk Analysis to prioritize risks
Not all security risks are created equally. Perhaps something has an impact but really low potential. Meanwhile, another event has a low impact but a really high likelihood. Understanding how to prioritize your actions can save time and effort.
For example, a high risk-high impact event would be a zero-day attack, where hackers find a way to exploit a previously unknown vulnerability. To protect your data environment, you need to put these risks and mitigation of these risks at the top of your “to do” list. Ensuring continuous security patch updates acts like one of those controls. Therefore, you’ve used your risk analysis to find a way to combat a high-risk threat.
A medium-risk event might be a former employee stealing information after employment termination. Most employees merely go from one job to the next. Others might be disgruntled. Protection against this would be scheduling regular user-access reviews. However, since the likelihood is low even though the impact is high, you don’t need to do one immediately after someone leaves. You can determine a review frequency based on how often this has happened in the past, the policies you have in place, and job descriptions.
Low-risk events include someone breaking into your offices and stealing devices. The chances of someone taking your office’s devices is low. Meanwhile, if you’re not storing anything on them, the likelihood of a data loss is also low. The event impacts your need to purchase new devices but may not risk your information. Therefore, your controls and time spent reviewing them occur less often.
Why automating your risk prioritization streamlines your risk mitigation
While you need to make sure that you focus your efforts on the events that can impact your data the most and are most likely, you can’t merely ignore low risks. For companies struggling to keep up with the continuously evolving threats to their data environments and ecosystems, low priority events may become forgotten or pushed aside.
With a security-first approach to information security, you always focus on data protection first. As such, a continuous monitoring program allows you to keep an eye on the risks to your data no matter how impactful or likely those risks are. In the meantime, you can use the same automation to ensure a regular review of the low priority risks as well.
Scheduling regular reviews through calendars and email can become overwhelming. You know how it works. You plan a user access review with human resources. They’re busy setting up a series of new hires. The review gets postponed. The reschedule the event. You have to keep creating reminders and sending emails. All of this extraneous work takes time away from more critical security risk management activities.
How ZenGRC enables the risk process
ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it so that you can more rapidly review the “to do” lists and “completed tasks” lists.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.