Handbook of Information Security Management:Risk Management and Business Continuity Planning



Interim reports and recommendations — These key reports are often issued during this process to document significant activity, decisions, and agreements related to the project:

  Project sizing — This report presents the results of the project sizing task. The report is issued to senior management for their review and concurrence. This report, when accepted, assures that all parties understand and concur in the nature of the project before it is launched.
  Asset identification and valuation — This report may detail (or summarize) the results of the asset valuation task, as desired. It is issued to management for their review and concurrence. Such review helps prevent conflict about value later in the process. This report often provides management with their first insight into the value of the availability, confidentiality, or integrity of their information assets.
  Risk evaluation — This report presents management with a documented assessment of risk in the current environment. Management may choose to accept that level of risk (a legitimate management decision) with no further action or to proceed with risk mitigation analysis.

Establish Risk Acceptance Criteria

With the results of the first risk assessment determined through the risk evaluation task and its associated reports (see the interim reports above), management, with interpretive help from the IRM leader, should establish the maximum acceptable financial risk. For example, “do not accept more than a 1 in 100 chance of losing $1,000,000 in a given year.” With that, and possibly additional risk acceptance criteria, such as “do not accept an ALE greater than $500,000,” proceed with the task of risk mitigation.

Mitigate Risk

The first step in this task is to complete the risk assessment with the risk mitigation, costing, and cost/benefit analysis. This task provides management with the decision support information necessary to plan for, budget, and execute actual risk mitigation measures. In other words, fix the financially unacceptable vulnerabilities.

Safeguard selection and risk mitigation analysis — This task includes the identification of risk-reducing safeguards that mitigate vulnerabilities and the degree to which selected safeguards can be expected to reduce threat frequency or impact. In other words, this task comprises the evaluation of risk regarding assets and threats before and after selected safeguards are applied.

Cost/benefit analysis — This task includes the valuation of the degree of risk reduction that is expected to be achieved by implementing the selected risk-reducing safeguards. The gross benefit (the reduction in annualized loss expectancy) less the annualized cost of the safeguards selected to achieve that reduced level of risk yields the net benefit. Tools such as present value and return on investment are often applied to further analyze safeguard cost effectiveness.

Final report — This report includes the interim report results as well as details and recommendations from the safeguard selection and risk mitigation analysis, and supporting cost/benefit analysis tasks. This report, with approved recommendations, provides responsible management with a sound basis for subsequent risk management action and administration.
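The risk acceptance criteria, safeguard selection and cost/benefit tasks above are easiest to see worked end to end on a small register. The following is an added example for this chapter, not code from the handbook: the threats, safeguards, reduction factors, discount rate and dollar figures are all constructed. It computes ALE (ARO times SLE) before and after safeguards, checks the result against the two sample criteria from the text (maximum ALE of $500,000; no more than a 1 in 100 annual chance of a $1,000,000 loss), and produces the gross benefit, net benefit, ROI and a present value of the net benefit. One assumption is made that the text does not state: the ARO is treated as a Poisson rate, so the annual chance of at least one occurrence is 1 - exp(-ARO).

```python
"""Quantitative risk mitigation worksheet: ALE before/after safeguards,
annualized cost/benefit, and a check against management's risk acceptance
criteria. Added example for this chapter; every figure below is constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annualized rate of occurrence (expected events per year)
    sle: float  # single loss expectancy in dollars

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = ARO x SLE."""
        return self.aro * self.sle

    @property
    def annual_probability(self) -> float:
        """Chance of at least one occurrence in a year, treating the ARO as a
        Poisson rate (assumption made for this example, not from the text)."""
        return 1.0 - math.exp(-self.aro)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annualized_cost: float   # amortized acquisition cost plus yearly operating cost
    targets: tuple           # names of the threats this safeguard mitigates
    aro_factor: float = 1.0  # fraction of threat frequency remaining afterwards
    sle_factor: float = 1.0  # fraction of per-event impact remaining afterwards


@dataclass(frozen=True)
class AcceptanceCriteria:
    max_total_ale: float    # "do not accept an ALE greater than $500,000"
    loss_threshold: float   # the $1,000,000 in "1 in 100 chance of losing $1,000,000"
    max_probability: float  # the 1-in-100 part of that criterion


def apply_safeguards(threats, safeguards):
    """Residual threat register after every applicable safeguard is applied."""
    residual = []
    for t in threats:
        aro, sle = t.aro, t.sle
        for s in safeguards:
            if t.name in s.targets:
                aro *= s.aro_factor
                sle *= s.sle_factor
        residual.append(Threat(t.name, aro, sle))
    return residual


def total_ale(threats):
    return sum(t.ale for t in threats)


def criteria_violations(threats, criteria):
    """Reasons the current risk level is unacceptable (empty list = accept)."""
    reasons = []
    ale = total_ale(threats)
    if ale > criteria.max_total_ale:
        reasons.append(f"total ALE ${ale:,.0f} exceeds ${criteria.max_total_ale:,.0f}")
    for t in threats:
        if t.sle >= criteria.loss_threshold and t.annual_probability > criteria.max_probability:
            reasons.append(f"{t.name}: {t.annual_probability:.2%} annual chance of a "
                           f"${t.sle:,.0f} loss exceeds {criteria.max_probability:.0%}")
    return reasons


def cost_benefit(threats, safeguards, years=5, discount_rate=0.08):
    """Gross benefit (ALE reduction), net benefit, ROI and present value of the net benefit."""
    before = total_ale(threats)
    after = total_ale(apply_safeguards(threats, safeguards))
    cost = sum(s.annualized_cost for s in safeguards)
    gross = before - after
    net = gross - cost
    pv = sum(net / (1 + discount_rate) ** y for y in range(1, years + 1))
    return {"ale_before": before, "ale_after": after, "annualized_cost": cost,
            "gross_benefit": gross, "net_benefit": net,
            "roi": net / cost if cost else float("inf"), "net_present_value": pv}


# Constructed sample register (not from the handbook)
THREATS = [
    Threat("ransomware on file server", aro=0.5, sle=400_000),
    Threat("data center fire", aro=0.02, sle=2_000_000),
    Threat("insider data theft", aro=2.0, sle=250_000),
]
SAFEGUARDS = [
    Safeguard("offline backups + endpoint detection", 60_000,
              ("ransomware on file server",), aro_factor=0.4, sle_factor=0.25),
    Safeguard("fire suppression + warm DR site", 120_000,
              ("data center fire",), aro_factor=0.25, sle_factor=0.5),
    Safeguard("DLP + quarterly access reviews", 90_000,
              ("insider data theft",), aro_factor=0.5, sle_factor=0.6),
]
CRITERIA = AcceptanceCriteria(max_total_ale=500_000, loss_threshold=1_000_000, max_probability=0.01)

if __name__ == "__main__":
    print("before:", criteria_violations(THREATS, CRITERIA))
    print("after: ", criteria_violations(apply_safeguards(THREATS, SAFEGUARDS), CRITERIA))
    for key, value in cost_benefit(THREATS, SAFEGUARDS).items():
        print(f"{key:>18}: {value:,.2f}")
```

On this register the current environment fails both criteria (total ALE of $740,000, and a roughly 2% annual chance of a $2,000,000 fire loss); after the three safeguards the residual ALE is $175,000 and no criterion is violated. Note the caveat the numbers expose: the fire safeguard reduces ALE by only $35,000 against an annualized cost of $120,000, so on ALE alone its net benefit is negative, yet it is the measure that brings the 1-in-100 criterion into compliance. Acceptance criteria and cost/benefit figures answer different questions, and the final report should present both.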


NOTE: The above risk assessment tasks are discussed in detail under the section “Tasks of Risk Assessment” later in this chapter.

Monitor Information Risk Management Performance

Having established the IRM program, and gone this far — recommended risk mitigation measures have been acquired/developed and implemented — it is time to begin and maintain a process of monitoring IRM performance. This can be done by periodically reassessing risks to ensure that there is sustained adherence to good control or that failure to do so is revealed, consequences considered, and improvement, as appropriate, duly implemented.

Strategic risk assessment plays a significant role in the risk mitigation process by helping to avoid uninformed risk acceptance and having, later, to retrofit (typically much more costly than built-in security or avoided risk) necessary information security measures.

There are numerous variations on this risk management process, based on the degree to which the technique applied is quantitative and how thoroughly all steps are executed. For example, the asset identification and valuation analysis could be performed independently; on its own it is a business impact analysis. The vulnerability analysis could also be executed independently.

It is commonly but incorrectly assumed that information risk management is concerned only with catastrophic threats, and that it is useful only to support contingency planning and related activities. A well-conceived and well-executed risk assessment can and should be used effectively to identify and quantify the consequences of a wide array of threats that can and do occur, often with significant frequency as a result of ineffectively implemented or nonexistent information technology management, administrative, and operational controls.

A well-run information risk management program — an integrated risk management program — can help management to significantly improve the cost-effective performance of its information systems environment whether it is mainframe, client-server, Internet, or any combination — and to ensure cost-effective compliance with regulatory requirements.

The integrated risk management concept recognizes that many often uncoordinated units within an organization play an active role in managing the risks associated with the failure to assure the confidentiality, availability, and integrity of information. The following quote from FIPS PUB 73, published June 30, 1980, is a powerful reminder that information security was long ago recognized as a central, not marginal, issue:

Security concerns should be an integral part of the entire planning, development, and operation of a computer application. Much of what needs to be done to improve security is not clearly separable from what is needed to improve the usefulness, reliability, effectiveness, and efficiency of the computer application.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.