The Risk Register

Evaluating and tracking security risks and remediations

As COVID-19 restrictions are relaxed, organisations need to analyse the risks in the way individuals meet and work together. This usually involves some means of recording potential risks and how they will be dealt with. To the computer security professional the concept of risk, and how to minimise it, will be old news. Risks might arise from security weaknesses or from failing to meet industry compliance requirements.

Risk analysis is the process of investigating potential risks. The risk register is part of the wider risk analysis process and is the means by which the findings of the analysis are acted on and kept under control. The analysis itself may be extensive and detailed; the register breaks its findings down into discrete entries that can be monitored and tracked. Each entry gives a named individual authority over a specific risk. It is essential that those individuals have the knowledge, time and understanding needed to deal with their particular risks.

An on-line search will reveal a variety of risk register templates, either blank or with exemplar data. There is an advantage to starting from an existing register, as it gives some idea of how risks might be categorised. The pitfalls include carrying over exemplar text that does not fit the real system being investigated. There is also the problem of ‘known knowns’ and ‘unknown unknowns’. If a risk can be identified (known) then attempts can be made to tackle it. If a risk is unknown then, by definition, it will not be on the risk register and cannot be addressed. The first stage of drawing up a risk register is therefore to identify possible risks; copying an existing template does not satisfy that step. Each identified risk needs to be clearly defined, with a concrete cause and effect (for example, ‘unpatched VPN appliance’ leading to ‘remote compromise of the internal network’, rather than just ‘hacking’). If a risk is not well defined then clear steps cannot be taken to control it.

Risks need to be prioritised both in terms of their possible severity and the order in which they should be dealt with. Addressing ‘low hanging fruit’ within the register, risks that are cheap and quick to treat, improves security with limited effort. On the other hand, some risks are severe enough that they must be addressed immediately regardless of the resources required.

Risks will not always need to be ‘solved’. In some cases the cost of mitigating a risk would exceed the possible financial loss from the risk itself. If it is not possible, or not worthwhile, to treat a risk then the decision to accept it should be made explicitly, signed off by the risk owner and noted on the risk register together with the reasoning and a date on which it will be reconsidered. An accepted risk stays on the register; it is not the same as a closed one.

The risk register should specify the system to which it applies and the boundaries of the investigation. This helps eliminate entries for things the organisation cannot possibly control. Each identified risk will then need to be rated for severity, with a record of how it will be mitigated or responded to and who is ultimately in charge of it.

It must not be seen as a ‘fire and forget’ process. The risk register is a living document that needs to be regularly updated. Even if there have been no changes in staff, systems or procedures, the entries need to be reviewed: a better means of treating a risk may be worked out, and new risks identified. If a risk has been overcome and no longer has a place on the register, it should be closed and the resources assigned to it released; keeping a record of closed entries, rather than deleting them, preserves the audit trail. Any changes need to be tracked and signed off, then passed on to those allocated to deal with the risks.
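To make the prioritisation, acceptance and review rules above concrete, here is an added worked example; it is not code from the original post or from any particular register template. It assumes a 1-5 likelihood and impact scale with severity as their product, a 90-day review cadence, and a rule that a risk may only be accepted on cost grounds when its severity is 9 or below. The register entries, owners and figures are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Assumed scoring model (not from the post): likelihood and impact on a 1-5
# scale, severity = likelihood x impact, as in many register templates.
ACCEPTABLE_SEVERITY = 9      # above this a risk is never accepted on cost grounds alone
REVIEW_INTERVAL_DAYS = 90    # assumed review cadence


@dataclass
class Risk:
    ref: str                # register identifier
    cause_effect: str       # concrete "cause -> effect" statement
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    owner: str              # named individual with authority over this risk
    annual_loss: float      # estimated loss per year if left untreated (assumed figure)
    mitigation_cost: float  # cost of the planned treatment
    effort_days: float      # effort needed to apply the treatment
    last_review: date
    status: str = "open"    # open | accepted | closed

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> List[str]:
    """Checks an entry must pass before it is allowed on the register."""
    problems = []
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        problems.append(f"{risk.ref}: likelihood/impact outside 1-5")
    if not risk.owner.strip():
        problems.append(f"{risk.ref}: no named owner")
    if "->" not in risk.cause_effect:   # assumed convention for cause and effect
        problems.append(f"{risk.ref}: cause and effect not stated")
    return problems


def decide_acceptance(risk: Risk) -> str:
    """Accept a risk when treating it costs more than the loss it prevents,
    unless its severity is too high to be left untreated."""
    if (risk.status == "open" and risk.mitigation_cost > risk.annual_loss
            and risk.severity <= ACCEPTABLE_SEVERITY):
        risk.status = "accepted"
    return risk.status


def prioritise(register: List[Risk]) -> List[str]:
    """Order open risks by severity, then by effort so quick wins surface first."""
    open_risks = [r for r in register if r.status == "open"]
    ordered = sorted(open_risks, key=lambda r: (-r.severity, r.effort_days))
    return [r.ref for r in ordered]


def overdue_reviews(register: List[Risk], today: date) -> List[str]:
    """Entries, accepted ones included, whose last review is older than the cadence."""
    return [r.ref for r in register
            if r.status != "closed"
            and (today - r.last_review).days > REVIEW_INTERVAL_DAYS]


def triage(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Validate every entry, apply the acceptance rule, then report the
    treatment order, the accepted risks and the entries needing review."""
    problems = [p for r in register for p in validate(r)]
    if problems:
        raise ValueError("; ".join(problems))
    for r in register:
        decide_acceptance(r)
    return {
        "order": prioritise(register),
        "accepted": [r.ref for r in register if r.status == "accepted"],
        "overdue": overdue_reviews(register, today),
    }


# Constructed sample register: illustrative entries, not real findings.
SAMPLE_REGISTER = [
    Risk("R-01", "Unpatched VPN appliance -> remote compromise of the network",
         4, 5, "A. Smith", 250_000, 5_000, 2, date(2024, 1, 10)),
    Risk("R-02", "Shared admin password on build server -> credential reuse",
         3, 4, "B. Jones", 40_000, 1_000, 1, date(2024, 4, 1)),
    Risk("R-03", "Visitor badges not returned -> tailgating into the office",
         2, 2, "C. Lee", 2_000, 15_000, 10, date(2024, 4, 15)),
    Risk("R-04", "Single untested backup of finance database -> data loss",
         3, 4, "B. Jones", 20_000, 30_000, 4, date(2024, 4, 20)),
]


def triage_sample() -> Dict[str, List[str]]:
    """Runs the triage over the constructed register as at 1 May 2024 (assumed date)."""
    return triage(SAMPLE_REGISTER, date(2024, 5, 1))


if __name__ == "__main__":
    print(triage_sample())
```

Run as a script it reports R-01, R-02 and R-04 as the treatment order (R-02 ahead of R-04 at equal severity because it is the quicker fix), R-03 as accepted because turnstiles cost more than the loss they prevent, R-04 left open despite the same cost imbalance because its severity is above the acceptance threshold, and R-01 as overdue for review. Accepted entries are still checked for stale reviews, which is the point made above about accepted risks staying on the register.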
