This content is part of the Essential Guide: How to hone an effective vulnerability management program

Five steps to determine residual risk during the assessment process

Even the best security controls have data management gaps that create risk. Here are steps to identify and offset residual risk during an assessment.

Governance, risk and compliance-related "residual risks" are risks left over after an organization applies security controls to ensure compliance with laws and regulations. It's important to remember that these residual risks might be acceptable with regard to one regulation, but not others.

Residual risks might eventually become more tolerable due to changes in compliance data requirements and/or risk management methodologies. For example, security controls to offset risk may become more cost-effective and/or technologically advanced as risk assessments evolve, thereby lowering the threat level.

Organizations can best determine residual risks after undertaking the following risk mitigation efforts:

  • Identifying governance, risk and compliance (GRC) assets, including software, hardware and data sensitivity level.
  • Identifying vulnerabilities and threats.
  • Completing the initial risk assessment process.
  • Identifying current security controls used to offset risk.
  • Determining whether those security controls are preventative, detective, corrective, recovery-focused, directive or deterrent.
  • Assessing each security control's strengths and weaknesses.

To complete the risk assessment, organizations should undertake mitigation steps and report the results -- including the status of any residual risks -- to corporate leadership, then review residual risks and update them accordingly.

Here are five steps to handle residual risks as part of the risk assessment process.

Step 1: Identify residual risks

First, it's important to identify the initial risks and rate each one as low, moderate or high. Once that's completed, you can implement security controls.

You should rate residual risk as follows:

  • "High" if the security controls for the initial risks are weak.
  • "Moderate" if the security controls for high initial risks are adequate, or the security controls for low initial risks are weak.
  • "Low" if the security controls for high, medium or low initial risks are strong, or the security controls for medium- or low-rated initial risks are adequate.

Step 2: Identify relevant GRC requirements

You should determine your organization's GRC requirements by checking the business' relevant regulations. Some examples of regulatory requirements include those under the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

Each of these regulations, and many others, has different data retention requirements for different document types. Organizations must determine what specific data requirements apply to them.

Step 3: Identify security controls

Your next step is to identify applied security controls and any resulting residual risk. These controls include:

  • Preventative security controls, which are designed to avoid disclosure or alteration of GRC-sensitive information. Examples of preventative security controls include multi-modal biometric authentication, clustered servers, encryption, nested firewalls to block unauthorized networks, and policies that prohibit unauthorized network connections.
  • Detective security controls, which identify unauthorized or undesired activities after an event has occurred. Examples include intrusion detection systems, automated log monitoring, system audits, virus scanners and file-integrity checkers.
  • Corrective security controls, which respond to and recover from an incident, as well as prevent future occurrences. They also limit further damage from an attack. Corrective security controls include incident response systems, procedures to remove a virus from the infected system, and updated firewall rules to block an attacking IP address.
  • Recovery-focused security controls, which return the system to production mode after an incident. One example is using a backup tape to restore data after disk failure.
  • Directive security controls, which outline actions that should be taken to protect sensitive information. Examples include policies, procedures and guidelines.
  • Deterrent security controls, which discourage security violations. One example is a policy stating that access to servers is monitored in an attempt to discourage unauthorized access.

Step 4: Determine how to handle unacceptable residual risks

Once you have reviewed security controls and determined your residual risks, offset these threats by considering the following options:

  • Replacing security controls that have become outdated or are no longer available.
  • Transferring residual risk management to other parties, including insurance agencies.
  • Checking calculations to determine the likelihood that the initial risks will occur.
  • Updating the organization's risk assessment whenever residual risk drives major upgrades to security controls, hardware or software.

Step 5: Apply any changes to residual risk status

Gather a list of residual risks that are unacceptable after you have applied security controls to the initial risks. For each of these residual risks, periodically check for any changes to the applied security controls.

Then, compare alternative, cheaper security controls from current and new vendors. Determine the ROI of each, and, if possible, apply the security control changes with the highest ROI.

Following these five steps can help you determine whether you should accept or reject residual risk. Remember to keep your eyes open: Cost-effective security controls that are currently unavailable may be on the market during your next round of risk assessments.

About the author:
Judith M. Myerson is the former ADP security officer/manager at a naval facility, where she led enterprise projects for its Materiel Management System. Currently a consultant and subject matter expert, she is the author of several books and articles on cloud use, compliance regulations, mobile security, software engineering, systems engineering and risk management. She received her master of science degree in engineering from the University of Pennsylvania and is certified in risk and information system control (CRISC).

How does your organization determine residual risk during the risk assessment process?
You can show the change from Inherent to Residual, which indicates the organization's dependence on the effectiveness of the control. If a critical risk is largely mitigated due to the presumed operation of a control or set of controls, then it would be very useful for Internal Audit to validate that those controls are working as assumed.