Manage risks for your most important assets

Information is valuable to any organization, so it must be properly protected. To do this, define your most valuable assets, make an inventory and define the measures taken or to be taken in order to protect them.

The inventory of assets and risk analysis

  • Identify essential information assets.
  • Manage the risks in order to define priorities and establish appropriate measures to reduce the risks (bringing them to an acceptable level) and potential impacts linked to assets in the information process

6-point risk analysis

For every essential asset it is important to conduct a risk analysis. It should be noted that section 3 of the EU GDPR recommends carrying out a risk analysis for all processes in which data of a personal nature is at risk.

  1. Establishing the context of your organisation
    • What is the specific context of your organisation/specific sector?
    • What is the acceptable level of risk for your organisation?
  2. Mapping out the context
    • Identifying essential assets
      • Collect information such as process flow, infrastructure, databases, and patents
      • Gather contracts with third parties (suppliers, subcontractors, IT providers, cloud – all external parties that manage infrastructure, applications or databases for your organisation)
    • Identifying the vulnerabilities and threats
      • Identify the possible risks in terms of confidentiality, integrity, availability and authenticity of data
      • In the literature, there is a general description of the notion of 'risk' such as the possibility ('probability') that a certain threat (profiting from a vulnerability) appears, leading to a certain impact ('gravity')
      • A risk is often expressed in terms of a combination of the consequences of an event (including changes of circumstances) and its likelihood
    • Performing an assessment of the impact
      • Compare the results of the risk analysis with the risk criteria to determine whether the risk and/or its importance are acceptable or justifiable
  3. Evaluating and handling risks 
    • Identify the organisational, operational and technical security measures already in place that safeguard the asset in question
    • Identify any additional organisational, operational and technical security measures to make it more secure
    • Evaluate the level of residual risk. Is the level acceptable for your organisation?
    • For the purpose of risk management, a distinction needs to be made between 'inherent' and 'residual' risk. The 'inherent' risk refers to the probability of a negative impact when no protection measures are taken. The 'residual' risk, on the other hand, refers to the probability of a negative impact despite measures taken to mitigate (limit) the (inherent) risk. Analysing the residual risk will allow you to select and develop actions/measures to take.
  4. Implementing checks 
  5. Monitoring: evaluating the measures taken & the risks
  6. Add new assets to the risk analysis (iterate from point 1) 

Your risk analysis is a dynamic process that needs to be continually updated in view of incidents, process modifications, tool maintenance, modification of essential assets, etc. 

What method to use

A risk analysis method can be found in the 'Méthode Optimisée d’analyse des risks Cases' (Monarc). A more detailed approach can be found in ISO 27005:2011.

Your risk analysis can be very simple, or can be very detailed. Everything depends on the size of your organisation, the complexity of the projects and the sensitivity of the data that you handle. However, do not underestimate the work involved, because even if a project appears simple, the associated risks could be significant. Therefore, there is no correlation between the size of a project and its associated risks. In order to check the accuracy and comprehensiveness of your risk analysis, it has to be verified by different people in your organisation.

Generally, organisations are free to choose the methodology they want to use, provided it meets a certain number of minimum requirements in terms of confidentiality and objectivity. 

The result of your risk analysis will be your security plan. To arrive at this plan, you must prioritize security measures that need to be established in order to have an implementation plan that can be approved by management.