Being aware of the risks provides companies with a balanced framework for Governance, Risk and Compliance.
The increasing dependence on information and communication technologies has also increased certain risks to which companies are exposed, and these risks need to be managed by applying security and safety safeguards. This allows companies to prevent conflicts, duplicated activities and areas of unassigned responsibility (no man's land) through an effective and efficient use of IT.
Firstly, what is risk? We understand risk as the exposure of an asset to a threat that may occur with a certain frequency, cause damage to the asset and reduce its value.
The next diagram shows the logic followed in a risk assessment: the company has assets, which have value; threats materialise over those assets and degrade them. These threats occur with a certain frequency and therefore have an impact on the assets. To reduce that frequency, safeguards are applied; they mitigate the risk and, as a consequence, limit the damage too. The risk that remains after applying safeguards is the residual risk (which should be lower than the original risk).
Does this mean that with a risk management plan we avoid one hundred per cent of the risks that can arise in a company? Absolutely not. Zero risk cannot exist, but risk can be mitigated. Nonetheless, being aware of these risks helps governing bodies take informed decisions that balance risks and opportunities.
A risk management plan must start with a risk assessment, and for that purpose there are five security dimensions that must be considered:
- Availability: the readiness of the services. They need to be available when necessary; otherwise, services may be interrupted.
- Integrity: the information needs to be complete and correct; otherwise, it may be altered, corrupted or incomplete.
- Confidentiality: only persons who need access to the information must have access to it. Lack of confidentiality can lead to unauthorised access and information leaks.
- Authenticity: whoever originates or accesses data and information is who they claim to be.
- Accountability: it is essential to be able to determine who did what and when, in order to analyse incidents and learn from them.
For a company, it is important to carry out a first, thorough analysis of its architecture. This can be difficult because it is not only important to know the assets of the architecture (by which we mean any component or function that may be affected by an attack), but also the value of each asset. This value is what makes an asset a target of attack, and so it is important to protect it.
In the TRANSACT project it is particularly important to have a risk management plan. Firstly, because of the use of new technologies such as artificial intelligence, which entails more risks. Secondly, because it started with a monolithic architecture which has evolved into a three-tier architecture. To see the whole picture, two different risk assessments have been carried out: one for the original architecture and a second one for the distributed architecture, so that both architectures can be compared.
As a result of this comparison, it is concluded that in a distributed architecture, although the company has to face more threats, the risk level is usually lower. This may sound contradictory; nonetheless, in the first architecture the use case owners usually rely on the end user to update the system and to use it properly. Now, instead, the use case owners can monitor the system themselves.
After the risk assessment, it is important to have a risk treatment plan, which consists of applying safeguards to those risks above the acceptable risk level. The safeguards must be adapted both to the company and to the asset affected by the threat. This means that it is pointless to propose a safeguard in the risk treatment plan that cannot be implemented in the company, or to spend a huge amount of money on applying safeguards to an asset for which, should the threat materialise, the impact would be minuscule.
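The assessment and treatment logic described above, written out as an added Python example (not part of the TRANSACT project's own material). The multiplicative model (impact = value × degradation, risk = impact × frequency, safeguards scaling frequency and degradation), the 0-10 value scale and the sample asset, threats and safeguards are assumptions constructed for the example.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    value: dict          # security dimension -> value of the asset in it (constructed 0-10 scale)

@dataclass
class Threat:
    name: str
    asset: str           # asset the threat materialises over
    frequency: float     # expected occurrences per year
    degradation: dict    # dimension -> fraction of the asset's value lost per occurrence (0-1)

@dataclass
class Safeguard:
    threat: str                      # threat it mitigates
    frequency_factor: float = 1.0    # multiplies frequency (0.25 = three in four occurrences prevented)
    degradation_factor: float = 1.0  # multiplies degradation (limits the damage when it does happen)

def assess(assets, threats, safeguards=()):
    """Risk per (threat, dimension). Assumed model: impact = value * degradation,
    risk = impact * frequency; safeguards scale the frequency and the degradation."""
    by_name = {a.name: a for a in assets}
    risk = {}
    for t in threats:
        freq, deg_factor = t.frequency, 1.0
        for s in safeguards:
            if s.threat == t.name:
                freq *= s.frequency_factor
                deg_factor *= s.degradation_factor
        for dim, deg in t.degradation.items():
            impact = by_name[t.asset].value.get(dim, 0) * deg * deg_factor
            risk[(t.name, dim)] = round(impact * freq, 3)
    return risk

def treatment_plan(residual, acceptable):
    """Pairs still above the acceptable level need further safeguards; the rest are accepted."""
    return sorted(k for k, v in residual.items() if v > acceptable)

# Constructed sample: one service of a three-tier deployment, two threats, two safeguards.
ASSETS = [Asset("model_server", {"availability": 8, "integrity": 9, "confidentiality": 10,
                                 "authenticity": 6, "accountability": 5})]
THREATS = [Threat("outdated_client", "model_server", 2.0, {"availability": 0.5, "integrity": 0.3}),
           Threat("data_leak", "model_server", 0.1, {"confidentiality": 0.9})]
SAFEGUARDS = [Safeguard("outdated_client", frequency_factor=0.25),   # central monitoring
              Safeguard("data_leak", degradation_factor=0.1)]        # encryption at rest
def run_example(acceptable=1.0):
    risk = assess(ASSETS, THREATS)                  # inherent risk, before safeguards
    residual = assess(ASSETS, THREATS, SAFEGUARDS)  # residual risk, should be lower in every entry
    return risk, residual, treatment_plan(residual, acceptable)
```

Running `run_example()` returns the inherent risk, the residual risk and the (threat, dimension) pairs that still exceed the acceptable level of 1.0 and therefore need a further safeguard in the treatment plan.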
Finally, it is important to treat the risk management plan as a continuous process rather than something intermittent. Companies need to consider risk as dynamic rather than static. Therefore, it is crucial to review the already-identified threats and assets, and also to check for the emergence of new risks.