A Security Policy Framework for IT Risk Assessments

The completion of an information security risk assessment is a key requirement in all information security frameworks, including ISO 27002, NIST 800:53, HIPAA and PCI-DSS.  A recent analysis of regulatory enforcement under HIPAA identifies risk assessment as a key area of weakness.

While risk assessments are required, the specifics for how to perform a risk assessment are purposefully vague in many regulations.   There are both qualitative and quantitative methods.  There are many different types of IT risk and threat models.  The only widely accepted standard – NIST 800-30 Guide for Conducting Risk Assessments – can be very complicated and not practical for many small and medium-sized businesses.

Regardless of how the risk assessment is performed, there are some key areas where the IT risk management processes intersect with information security controls and thus written security policies.  In this article we discuss a few of those key control points and how your risk assessment policies can best support your information security program.

Risk Management Controls

There is a subtle but clear distinction between the term “risk management” and “risk assessment.”  We view a risk assessment as a specific exercise that is undertaken at a point in time.  (For example, a single organization-wide risk assessment that identifies key systems and the threats to those systems.)   We use the term “risk management” to describe the ways in which specific risk assessments are integrated with the ongoing process of identifying and managing risks.

Risk Management Roles and Responsibilities

Your written information security policies should clearly define the requirements for defining roles and responsibilities for risk management.  These can include such groups as a Risk Management Steering Committee or individual such as an IT Risk Specialist that has specific training in identifying vulnerabilities on specific IT systems.

Information Technology Risk Framework

One of the keys for successful IT risk management is to coordinate the activities with the rest of the organization’s risk-management program.   For example, publicly traded companies are often performing operational risk management for Sarbanes-Oxley compliance.

If other parts of the organization are working on risk management, the Information Security Risk Management program should try to align with this process as much as possible.The integration points can be very simple, such as picking a risk measurement methodology or using a similar risk and control taxonomy.

Risk Assessment Controls

Identifying Critical Assets

Within the risk assessment process itself, many regulations specifically require that the organization consider all threats and vulnerabilities that may impact the organization.  To do this, the organization must first understand the different types of information and technology assets by completing an IT Asset Inventory.

Sample Policy: IT Asset Inventory – The Information Systems Department must prepare an annual inventory of production information systems detailing all existing production hardware, software, and communications links.

Establishing Information Security Controls

Since an IT risk assessments can be long and complex, it is easy to lose sight of its true purpose – to establish an internal control baseline that mitigates risk.  The reason this is so important is that it is these very controls that must be documented within your written information security policies.

Within the scope of risk management, information security controls are designed to either reduce the “likelihood” of a threat event happening or reduce the “impact” of an event.

Risk Assessment Scope

Another key policy element is the scope of risk assessments.  Written information security policies should define both the types and scope of risk assessments that will be performed.   For simplicity sake, there are two common levels of risk assessments – organization and system specific.  Most organizations will need to complete at least a single Organization Wide Risk Assessment on an annual basis.   If the organization is very large, the environment might be separated into different risk domains – say by organizational unit.  For example:

Sample Policy:  Business Unit Risk Assessment – Each critical organizational or business unit within Company X that manages its own computers or networks must also perform, at least annually, a security-related risk analysis of these same systems, coordinated through the Information Security Department, and then certify that adequate security measures have been implemented to mitigate the risks.

Risk Reporting Controls

To have an effective risk governance process, the results of IT risk assessments should be communicated to senior management or any other stakeholders with are responsibility for risk management.

Sample Policy:  Annual Information Technology Risk Report – IT management must submit to the Board of Directors a special annual report. This report is to include a description of all material Company X information technology-related risks, as well as an assessment of how these risks are currently being managed.

Risk Treatment Controls

As part of risk management, the organization must consider how to treat risks that are identified and not properly mitigated by IT controls.   Typically this process involved the following options:  (1) Accept Risk, (2) Defer, (3) Mitigate or (4) Insure.

Whatever the outcome, the important control point is that the organization makes a formal decision regarding risks.   This is another option for demonstrating due-diligence that is often overlooked.   Even if the risk assessment is not perfect (which they are not almost by definition), the organization can strive for excellence is performing the steps necessary to achieve a reasonable result.

Sample Policy:  Material Information Security Risks – For every materialsignificant information systems security risk identified management must make a specific decision about the degree to which Company X will be self-insured and accept the risk, seek external insurance, or adjust controls to reduce expected losses to an acceptable cost of conducting business.

Cyber Insurance Coverage

In many organizations, the link between business insurance and information security risk management does not exist.  However, the dramatic increase in data breaches has driven a corresponding growth in “cyber” insurance policies.  The market for specific cyber insurance policies is still new and evolving rapidly.  In theory, however, insurance coverage should be designed to cover risks that are not properly mitigated within the existing security program.  This link can be express in written policy as follows:

Sample Policy:  BCP and Insurance – Company X will maintain insurance commensurate with those residual risks identified from a corporate BIA which pose potential for financial loss or other disastrous consequences, as well as the expenses related to recovering from a disaster. 

Policies such as this one help to create awareness that there are many facets and types of losses to a potential disaster that must be considered when scoping and pricing insurance coverage.


While the types and scope of risk assessment can vary dramatically, an organization can still adopt a very structured approach to management the risk assessment process, especially within written security policies.   These various control points are also listed within the Information Shield Common Policy Library (CPL) and specifically within our Sample IT Risk Assessment Policy.