Almost nothing works the way it should. In IT we have the means to make things happen, and we do not want them to behave outside the defined behaviour. Unfortunately, some bad guys and nature itself do not always allow us to achieve this goal. Consequently, we should be prepared for the unwanted. Being resilient to unintended use, manipulation or even fraud becomes more and more relevant.
The EU has understood this and requires all EU market participants to think in advance about the negative impacts that misuse, manipulation or failure of their solution, or parts thereof, may have. TrustSource has taken up the challenge and provides a simple approach to support Risk Management and its documentation in a very easy-to-handle manner. This allows even small companies or teams to manage their risks and improve the resilience of their solution without much hassle or zillions of consulting hours (although we would be happy to help ;-)).
Risk - What is this?
From an application point of view, everything that has a negative impact on one of the three security goals, Confidentiality (C), Integrity (I) or Availability (A), may be seen as a risk. This is sometimes criticised for not comprising any financial dimension. But financial impacts are themselves just the consequence of an impact on one of the three, e.g. a process did not terminate and caused expenses: the integrity of the system was impacted, creating additional costs. Finance is just the measure of the severity of the impact, not the impact itself.
Scope
From a product point of view there may be additional risks that relate to the specific features or capabilities of a product. But essentially you may assume that these, too, will impact one of the three aspects of your product.
And here we see the first important aspect when we start talking about Risk Management: the scope must be clearly defined. Risk Management for an organisation will result in totally different risks than a product- or solution-specific Risk Management.
Lead Question
There is a plethora of risk management approaches and an even larger set of risk management frameworks, one more complex than the other, in ISO, IEC or whatever style. They have been defined for a zillion different sectors and company sizes. Meanwhile we have supported many customers of different company sizes, whether with ISO/IEC 27005:2018, NIST Cyber Risk Management, EU ITSRM, CIRCULAR CSSF, BSI Standard 200-2, OCTAVE-S, Allegro or Forte, ETSI TS 102, AML/CFT National Risk Assessment, Mehari or Magerit. In the end they all care about one question, as Adam Shostack, a leading head in the domain of Threat Modelling and senior security advisor, author and former Microsoft manager, boils it down to: "What could go wrong?".
Process
TrustSource offers on each level a simple list containing the following columns:
- Date
- Name
- Impact class
- C (= Confidentiality)
- I (= Integrity)
- A (= Availability)
- Impact description
- (Business-)Value
- Counter measures
- State
- Level
That's it.
You may take a module as your scope, for example (SCOPE). You sit down with your team, brainstorm the question "What could go wrong?" and collect the results in the table (IDENTIFY). When the collection is done, you take the list, step through it from top to bottom and describe the impact; maybe you even assess the (business) value (EVALUATE). In a next round you may think about what you want to do about each risk (FOLLOW UP). Repeat on a regular basis and your Risk Management is complete.
You may add lines or change the state or entries whenever appropriate. Every change is logged. The status is always kept close to the code. Your managers may view the consolidated risks across all modules of a project, or the consolidated project risks across the project portfolio. The status can be exported during a release; therefore you are not only always up to date, you are also always capable of reporting for any upcoming audit.
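To make the list, the logged changes and the consolidated manager view concrete, here is a small added example in Python. It is hypothetical code written for this article, not TrustSource's implementation; the column names, the state values (open / mitigated / accepted) and the sample risks are assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List

# Constructed example: one risk list per scope with the columns the article
# names, an append-only change log, and a consolidated view across modules.
# Hypothetical code, not TrustSource's implementation.

@dataclass
class Risk:
    date: str            # when the risk was identified
    name: str            # short answer to "What could go wrong?"
    impact_class: str    # e.g. misuse, manipulation, failure
    c: bool              # Confidentiality affected?
    i: bool              # Integrity affected?
    a: bool              # Availability affected?
    impact: str          # impact description
    value: int           # (business) value at stake, larger = more severe
    counter_measures: str = ""
    state: str = "open"  # assumed states: open / mitigated / accepted
    level: str = "module"

class RiskRegister:
    """One list per scope (module, project, portfolio); every change is logged."""
    def __init__(self, scope: str) -> None:
        self.scope = scope
        self.risks: Dict[str, Risk] = {}
        self.log: List[str] = []   # audit trail, never rewritten

    def identify(self, risk: Risk) -> None:
        """IDENTIFY: add a brainstormed entry; the log records the addition."""
        self.risks[risk.name] = risk
        self.log.append(f"{risk.date} {self.scope}: added '{risk.name}'")

    def update(self, name: str, when: str, **changes) -> None:
        """EVALUATE / FOLLOW UP: change any column; old and new values are logged."""
        risk = self.risks[name]
        for column, new in changes.items():
            if column not in Risk.__dataclass_fields__:
                raise KeyError(f"unknown column {column!r}")
            old = getattr(risk, column)
            setattr(risk, column, new)
            self.log.append(f"{when} {self.scope}: '{name}' {column}: {old!r} -> {new!r}")

def consolidate(registers: List[RiskRegister], state: str = "open") -> List[dict]:
    """Manager view: risks in the given state across all scopes, highest value first."""
    rows = [dict(scope=r.scope, **asdict(x))
            for r in registers for x in r.risks.values() if x.state == state]
    return sorted(rows, key=lambda row: row["value"], reverse=True)
```

The `consolidate` result can be fed straight to a CSV or JSON export at release time, which is the audit-ready status the article refers to.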