Governance, risk and compliance-related "residual risks" are the risks that remain after an organization applies security controls to comply with laws and regulations. It's important to remember that a given residual risk might be acceptable under one regulation but not under others.
Residual risks might eventually become more tolerable due to changes in compliance data requirements and/or risk management methodologies. For example, security controls that offset a risk may become more cost-effective and/or technologically advanced between one risk assessment and the next, thereby lowering the residual risk.
Organizations can best determine residual risks after undertaking the following risk assessment efforts:
- Identifying governance, risk and compliance (GRC) assets, including software, hardware and data, along with each asset's sensitivity level.
- Identifying vulnerabilities and threats.
- Completing the initial risk assessment process.
- Identifying current security controls used to offset risk.
- Determining whether those security controls are preventative, detective, corrective, recovery-focused, directive or deterrent.
- Assessing each security control's strengths and weaknesses.
To complete the risk assessment, organizations should carry out the mitigation steps and report the results, including the status of any residual risks, to corporate leadership, then review the residual risks and update their ratings accordingly.
Here are five steps to handle residual risks as part of the risk assessment process.
Step 1: Identify residual risks
First, identify the initial risks and rate each one as low, moderate or high. Once that's completed, implement security controls and rate each control's strength as weak, adequate or strong.
Rate a residual risk "high" if the security controls for a high initial risk are weak; "moderate" if the controls for a high initial risk are adequate, or the controls for a low initial risk are weak; and "low" if the controls for a high, moderate or low initial risk are strong, or the controls for a moderate or low initial risk are adequate.
Step 2: Identify relevant GRC requirements
You should determine your organization's GRC requirements by checking the regulations that apply to the business. Some examples of regulatory requirements include those under the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.
Each of these regulations, and many others, has different data retention requirements for different document types. Organizations must determine what specific data requirements apply to them.
Step 3: Identify security controls
Your next step is to identify applied security controls and any resulting residual risk. These controls include:
- Preventative security controls, which are designed to prevent unauthorized disclosure or alteration of GRC-sensitive information. Examples of preventative security controls include multi-modal biometric authentication, clustered servers, encryption, layered firewalls that block traffic from unauthorized networks, and policies that prohibit unauthorized network connections.
- Detective security controls, which identify unauthorized or undesired activities after an event has occurred. Examples include intrusion detection systems, automated log monitoring, system audits, antivirus scanners and file-integrity checkers.
- Corrective security controls, which respond to an incident, limit further damage from the attack and help prevent it from recurring. Examples include incident response systems, procedures for removing malware from an infected system, and updated firewall rules that block an attacking IP address.
- Recovery-focused security controls, which return the system to production after an incident. One example is restoring data from a backup tape after a disk failure.
- Directive security controls, which spell out the actions that should be taken to protect sensitive information. Examples include policies, procedures and guidelines.
- Deterrent security controls, which discourage security violations. One example is a policy stating that access to servers is monitored, intended to discourage unauthorized access attempts.
Step 4: Determine how to handle unacceptable residual risks
Once you have reviewed the security controls and determined your residual risks, treat the unacceptable ones by considering the following options:
- Replacing security controls that have become outdated or are no longer available.
- Transferring management of the residual risk to other parties, such as insurers.
- Rechecking the calculations behind the likelihood that the initial risks will occur.
- Updating the organization's risk assessment whenever residual risk drives major upgrades to security controls, hardware or software.
Step 5: Apply any changes to residual risk status
Gather a list of residual risks that are unacceptable after you have applied security controls to the initial risks. For each of these residual risks, periodically check for any changes to the applied security controls.
Then, compare alternative, cheaper security controls from current and new vendors. Determine the ROI of each, and, if possible, apply the security control changes with the highest ROI.
Following these five steps can help you determine whether you should accept or reject residual risk. Remember to keep your eyes open: Cost-effective security controls that are currently unavailable may be on the market during your next round of risk assessments.
About the author:
Judith M. Myerson is the former ADP security officer/manager at a naval facility, where she led enterprise projects for its Materiel Management System. Currently a consultant and subject matter expert, she is the author of several books and articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her master of science degree in engineering from the University of Pennsylvania and holds the Certified in Risk and Information Systems Control (CRISC) credential.