Of course, information assets vary in value from business-critical to of little or no importance, and an information risk assessment is designed to differentiate between them.
Assess the information assets held in the organisation against the following three criteria:
The confidentiality of information such as HR or payroll records, financial accounts, customer data and intellectual property. For example, if employees’ or customers’ personal details were compromised, this could constitute a breach of data protection regulations.
The integrity of information which has to be accurate and remain so in order to maintain key functions of the organisation, such as design and manufacturing data, task-specific health & safety information or financial reporting in the case of a listed company. For example, if a competitor or disgruntled employee accessed and changed the data, the impact could be considerable.
The availability of information when it is required, such as employee time sheets at the end of the month, or production line operating data on weekdays 8.00am to 6.00pm, 50 weeks a year. If the data were unavailable within these times, it could be critical. For example, if time sheet records cannot be accessed, employees cannot be paid.
The acronym ‘CIA’ makes these criteria easy to recall.
When assessing the information, make a value judgement about the risks arising from that information being compromised against the CIA criteria, and the level of severity of the consequences.
Business impact analysis
From the assessment of your information assets, you will have the insight to produce a business impact analysis, showing the respective risks and consequences, whether they be financial, human, logistical or reputational.
In turn, doing this enables you to manage those risks in the manner that is most appropriate to your organisation by selecting and justifying the most suitable countermeasures as part of your information security strategy. This will include analysing the cost of the countermeasure proportional to the impact of the threat it is designed to mitigate. Having reasonable measures in place may provide no guarantee that an unauthorised party – with sufficiently strong motive and determination – will not successfully access information of interest to them.
Of course, it may be that no countermeasures are deemed necessary to safeguard against certain risks, but at least you will have knowledge of the consequences.
Information risk assessments should be carried out periodically at regular junctures, or to reflect changes in types of information held, business structure and evolving threat landscape.