Project Definition

Creating a risk assessment project requires knowledge of the budget, objective, scope, and level of rigor of analysis expected.

Success cannot be achieved until the meaning of success is defined. For a risk assessment project, success is defined as achieving customer satisfaction, quality technical work, and project completion within budget.

Customer

The customer is primarily the project sponsor. The secondary customers include any other stakeholders in the process, including:

  • security officer or security team
  • business unit managers
  • compliance officer, legal department
  • risk assessment method
  • risk assessment team
  • objective review
  • security professionals
  • technicians, operators, and administrators

Quality

The quality of work is very important, since most customers will view the success of the project based on the final report.

Quality Expected in Any Report:

  • grammatically correct
  • visually pleasing
  • addresses its intended audience

Quality Expected in Technical Reports:

  • technically accurate
  • describes approach
  • clearly presented conclusions

Quality Expected in Security Risk Assessment Reports:

  • clear and accurate identification of risk
  • adequate and relevant evidence
  • clear and relevant recommendations
  • clear compliance results

Budget

The budget helps define the rigor of the risk assessment. A $250,000 risk assessment will need more rigor than a $50,000 risk assessment. Some factors that drive the required rigor include the organization size, geographic separation, complexity, and threat environment.

Objective

The objective needs to be set at the beginning of the project. Example: "accurate analysis of the effectiveness of the current security controls that protect an organization's assets."

Limiting the Scope

The boundaries of a security risk assessment are determined by the sponsor of the security risk assessment. Identifying the security risk assessment boundaries is essential for the security risk assessment team to ensure that neither underscoping nor overscoping occurs.

Security Controls and Assets

Group controls by Management-Operational-Technical (MOT). Group assets by Tangible and Intangible.

Identifying System Boundaries

There are many ways to set the boundary for a risk assessment, such as physical (workstations, firewalls) or logical (don't assess functions already covered by another assessment).

Specifying the Rigor

The rigor should be based on the maturity of the security program. The risk assessment could last 1 week to 6 months.

Project Description

Set the scope, boundaries, and rigor. Have a statement of work that specifies the work to be performed, including the threats, assets, controls, and tasks of the security risk assessment. The "service" can and should be described as:

an objective analysis of the effectiveness of the current security controls that protect an organization's assets and a determination of the probability of losses to those assets. Such analysis shall consist of an identification of tangible and intangible assets under protection, an identification of the threats and the likelihood of vulnerabilities, the impact of the threats to the identified assets, and recommendations for security controls to mitigate the risks.

Last modified January 13, 2020