List the existing controls for each risk
Run a workshop with the right stakeholders to identify the existing controls for an information system.
There will already be controls in place to reduce the likelihood or impact, or both, of an information system’s risks. Controls will be present regardless of whether the risk assessment is for an information system that is:
- part of its development life cycle.
Stakeholders for existing controls
For this part of the risk assessment process for an information system, the stakeholders needed in the workshop are the:
- business owner
- subject matter experts who can identify and describe the controls that are currently in place.
Assessing the existing controls
If there is evidence about the effectiveness of the existing controls, make sure these stakeholders use it in assessing the controls. Otherwise, the Australian Cyber Security Centre has a list of controls, called ‘strategies’, that your team can use for assessing each control’s effectiveness.
Controls that reduce the likelihood of risks
Deterrent controls discourage potential attackers. Examples are:
- establishing a policy for information security
- a warning message on login screens
- Kensington locks
- security cameras.
Preventive controls proactively limit opportunities for exploiting information systems. Examples are:
- a process for managing user accounts
- restricting server-room access to authorised personnel
- configuring appropriate rules on a firewall
- implementing an access control list on a file share.
Controls that reduce the impact of risks
Detective controls are measures in place that identify when an incident has occurred. Examples are:
- reviews of security logs for servers or firewalls
- Intrusion Detection System (IDS) alerts.
Corrective controls fix the components of an information system after an incident has occurred. Examples are:
- data backups
- structured query language (SQL) transaction log shipping
- plans for business continuity and disaster recovery.
Problems with existing controls
During the risk assessment, it’s possible that you and the stakeholders identify current controls as being either:
- not sufficient
- no longer relevant.
Troubleshooting existing controls
If your team reaches one of those conclusions for an existing control, assess whether it should be either:
- removed and replaced by another, more suitable control
- kept in place and strengthened by adding 1 or more complementary controls.
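A small control register can make the workshop output checkable: each existing control is recorded against its risk with the effect it has (likelihood or impact) and the status the stakeholders gave it, and a risk is flagged when neither likelihood nor impact is still reduced by an effective control. The following is an added example, not code from the page or from any government process; the risk, control names, status values and evidence string are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Effect(Enum):
    """What a control reduces, following the two groups used above."""
    LIKELIHOOD = "likelihood"   # deterrent and preventive controls
    IMPACT = "impact"           # detective and corrective controls


class Status(Enum):
    """Workshop conclusion about an existing control."""
    EFFECTIVE = "effective"
    NOT_SUFFICIENT = "not sufficient"
    NO_LONGER_RELEVANT = "no longer relevant"


@dataclass
class Control:
    name: str
    kind: str                   # deterrent, preventive, detective or corrective
    effect: Effect
    status: Status = Status.EFFECTIVE
    evidence: str = ""          # source of any effectiveness evidence, if held


@dataclass
class Risk:
    name: str
    controls: list = field(default_factory=list)


def coverage(risk):
    """Map each effect to True when at least one effective control reduces it."""
    return {
        e: any(c.effect is e and c.status is Status.EFFECTIVE for c in risk.controls)
        for e in Effect
    }


def gaps(risk):
    """Effects (as strings) that no effective control currently reduces."""
    cov = coverage(risk)
    return [e.value for e in Effect if not cov[e]]


def actions(risk):
    """Follow-up to record for each control the workshop found wanting."""
    out = []
    for c in risk.controls:
        if c.status is Status.NO_LONGER_RELEVANT:
            out.append((c.name, "remove and replace with a more suitable control"))
        elif c.status is Status.NOT_SUFFICIENT:
            out.append((c.name, "keep and strengthen with 1 or more complementary controls"))
    return out


# Constructed sample register entry (hypothetical risk and controls).
SAMPLE_RISK = Risk("Unauthorised access to the HR file share", [
    Control("access control list on the file share", "preventive", Effect.LIKELIHOOD),
    Control("warning message on login screens", "deterrent", Effect.LIKELIHOOD,
            Status.NOT_SUFFICIENT),
    Control("weekly review of file-server security logs", "detective", Effect.IMPACT,
            Status.NO_LONGER_RELEVANT,
            evidence="no review recorded in the last 6 months"),
])


if __name__ == "__main__":
    print(SAMPLE_RISK.name)
    for effect, covered in coverage(SAMPLE_RISK).items():
        print(f"  {effect.value}: {'reduced' if covered else 'NOT reduced'}")
    for name, action in actions(SAMPLE_RISK):
        print(f"  {name}: {action}")
```

In the sample, the only control that reduces impact is the log review, and the stakeholders marked it no longer relevant, so the risk is reported with an impact gap even though its likelihood is still reduced by the access control list. Recording the register this way gives the business owner the two facts needed for the final rating: which effects the existing controls still cover, and which controls carry an action.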
These notes will help the business owner when evaluating the risks to the information system.
Find the final risk ratings
For now, the business owner and stakeholders need to find the final risk ratings, taking into account the existing controls as they are.