Risk treatment plans are an essential component of an organization’s information risk management and security strategy program. It is unrealistic to expect organizations to immediately mitigate or resolve all material information security risk as soon as it is identified. At the same time, once risk has been identified, organizations can be held accountable for it. As a result, they must be able to demonstrate that they are addressing risk appropriately, within reasonable time frames and with sufficient effort. If developed and executed effectively, risk treatment plans provide a documented and measurable approach to demonstrate to an organization’s key stakeholders, business leaders, constituents and interested parties that it is managing and/or mitigating its identified information-security-related risk with reasonable and defensible approaches and time lines. The following are five key considerations for organizations when developing information security risk treatment plans:
- Ensure risk is properly and comprehensively identified within a risk treatment plan—It is important to identify the full scope of the identified risk and not just its symptoms or indicators. This will ensure that the plan will effectively address the entirety of the risk and not just components of it.
The narrative that describes the identified risk in the plan should state the material adverse business impacts the organization would suffer if the risk were realized, together with the probability of occurrence. These outcomes should be aligned with business expectations, goals and requirements so that risk ratings can be established for them. They should also be described in a way that is easily understood by the intended audiences who are expected to participate in the risk treatments prescribed in the plans.
It is also important that the method by which the information security risk is identified and assessed is documented in the risk treatment plan. The rationale for the risk treatment approach should also be documented. One way to comprehensively qualify and quantify the identified risk in the plan is to perform a threat and vulnerability analysis of the identified risk.
By using data-driven and evidence-based threat and vulnerability analysis, the credibility and defensibility of the organization’s information risk identification process will significantly increase. Even if there is disagreement on the results of the analysis, an organization can demonstrate that it developed its risk treatment plan based on a reasonable and comprehensive analysis.
- Identify the measurements for success—One common challenge in the development or evaluation of risk treatment plans is measuring their success in achieving their intended outcomes or goals. It is important to include key performance indicators (KPIs) and other objective measures that can be easily identified and understood by interested parties, allowing them to track the progress of the implementation of the risk treatments prescribed in the plans. It can be useful to identify multiple levels of risk mitigation that will occur at different points during the implementation of the risk treatment plan. For instance, if the risk treatment plan calls for the patching of systems or applications, a tiered method that shows the reduction of risk after specific key or high-risk systems have been addressed may be useful in demonstrating progress.
Another key measurement for success for risk treatment plans is the use of assurance methods and practices that support the concept of “trust, but verify” to validate the success of the plan’s implementation and the achievement of the intended reduction or mitigation of risk. Risk treatment plans should include assurance methods and practices, such as vulnerability scanning in the patching example above. These types of tests independently verify the successful implementation of the plan and provide an objective artifact to support that assertion.
- Identify compensating controls—It is often the case that risk treatment plans require time and effort to comprehensively implement while the risk they will mitigate or manage still exists. A core component of any risk treatment plan should be to identify, document and implement compensating controls whenever possible as a temporary risk mitigation until the preferred measures can be put in place. In some cases, the compensating controls can be used as the permanent risk treatment as long as they are able to effectively meet an organization’s identified risk mitigation and management goals.
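The tiered patching KPI and the "trust, but verify" scan check described above, as an added example that is not from the article: a constructed asset inventory with assumed tier weights, a constructed scan result for the same finding, and functions that report per-tier progress, risk-weighted reduction, and the hosts whose reported patch status the scan does not confirm.

```python
from collections import defaultdict

# Constructed asset inventory: each record is what the plan owner reports.
# Tier weights are an assumption: a tier-1 (crown-jewel) host carries more
# risk than a tier-3 lab box, so progress is risk-weighted, not host-counted.
TIER_WEIGHT = {1: 5, 2: 3, 3: 1}

ASSETS = [
    {"host": "web-01", "tier": 1, "reported_patched": True},
    {"host": "web-02", "tier": 1, "reported_patched": True},
    {"host": "db-01",  "tier": 1, "reported_patched": False},
    {"host": "app-01", "tier": 2, "reported_patched": True},
    {"host": "app-02", "tier": 2, "reported_patched": False},
    {"host": "lab-01", "tier": 3, "reported_patched": False},
]

# Constructed vulnerability-scan output for the same finding: hosts still
# flagged after the patch window. This is the independent assurance artifact.
SCAN_STILL_VULNERABLE = {"db-01", "web-02", "app-02", "lab-01"}


def tier_progress(assets):
    """Per-tier (patched, total) counts: the milestone KPI for the plan."""
    done, total = defaultdict(int), defaultdict(int)
    for a in assets:
        total[a["tier"]] += 1
        done[a["tier"]] += a["reported_patched"]
    return {t: (done[t], total[t]) for t in sorted(total)}


def risk_reduction(assets, still_vulnerable=None):
    """Risk-weighted percentage of exposure removed. When scan results are
    supplied, a host counts as mitigated only if it is reported patched AND
    absent from the scan, so claimed and verified progress can be compared."""
    gained = total = 0
    for a in assets:
        w = TIER_WEIGHT[a["tier"]]
        total += w
        patched = a["reported_patched"]
        if still_vulnerable is not None:
            patched = patched and a["host"] not in still_vulnerable
        gained += w * patched
    return round(100 * gained / total, 1)


def unverified_claims(assets, still_vulnerable):
    """Hosts reported patched that the scan still flags: the gap a
    'trust, but verify' review must reconcile before crediting progress."""
    return sorted(a["host"] for a in assets
                  if a["reported_patched"] and a["host"] in still_vulnerable)
```

The difference between `risk_reduction(ASSETS)` and `risk_reduction(ASSETS, SCAN_STILL_VULNERABLE)` is the gap between reported and verified mitigation that the plan's assurance step is meant to expose.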
To be considered effective, compensating controls should mitigate or manage the risk to the same degree, or reasonably close to the same degree, as the intended permanent risk treatment measure. When considering compensating controls in a risk treatment plan, it is important to evaluate their effectiveness compared to directly resolving the issue that created the security risk. The plans should include the reasoning for the use of the compensating controls, why the organization believes they are appropriate and how their effectiveness can be evaluated.
- Identify requirements to successfully execute the risk treatment plan—Risk treatment plans will be effective at mitigating, managing or removing risk only if the organizations for which they are developed are committed to their execution. While many organizations may be committed to successful and comprehensive implementation of these plans in theory, they may not understand the full scope of the required effort until after execution begins. In some cases, audit, risk and security professionals develop risk treatment plans with the inaccurate expectation that they have the support of the organization, without first comprehensively or accurately identifying the time, money and/or people that will be required for successful execution. Unfortunately, in these cases, these professionals often discover that the organization does not have the capacity or appetite to support the execution of the developed risk treatment plan. This forces security professionals to redevelop the risk treatment plan to align with the available appetite and capacity.
To mitigate this risk, practitioners should identify these requirements with the affected stakeholders prior to documenting them in the risk treatment plans. These data points can then be socialized to the affected stakeholders, business process owners and business leadership within the organization to establish their ability and interest in executing them, and to give them the opportunity to appropriately prioritize their resources and activities to accommodate execution. Once a level of commitment has been agreed upon, these data points can be added to the risk treatment plan.
- Determine the defensibility of the risk treatment plan—A risk treatment plan will be useful only if the audiences for which it is developed believe the plan is reasonable, appropriate and will be effective. This can be considered the “defensibility” of the plan. When developing risk treatment plans for critical and high-risk mitigation activities, organizations should have the plans evaluated and scrutinized by knowledgeable and competent stakeholders and/or constituents prior to their approval or execution.
These individuals should not be part of the risk treatment plan development, but should have knowledge and understanding of the identified risk. They should be encouraged to ask challenging and comprehensive questions about the plans to test their efficacy, viability and comprehensiveness. This type of review helps to ensure that the risk treatment plans have accounted for all their requirements and key concerns and can stand up to adversarial concerns and criticisms. It also builds these stakeholders’ ownership of the plans, which often results in their support for execution.
Risk treatment plans can be used to establish expectations and requirements for projects, activities and actions to manage, mitigate and/or remediate an organization’s material information security risk. Once an organization becomes aware of a risk, it becomes accountable for addressing it. Risk treatment plans provide evidence to support an organization’s commitment to appropriately mitigate and manage material information security risk and ensure that risk scenarios are not ignored.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.