Organisational Risk Profiling and Mitigation
What is it?
Risk profiling is the evaluation of an individual's or an organisation's exposure to risk. While it includes the identification, assessment and prioritisation of all threats to information assets, it balances this against the actual risk posed to the organisation. Information must be safeguarded, but there must also be a balance between confidentiality, integrity and availability: a system locked down to a state of impenetrability also becomes unusable.
Organisational risk profiling therefore ensures that an appropriate strategy is established to determine what type of technique needs to be used to address existing or potential risks. The strategy is based on an evaluation of the threat posed combined with its potential to cause harm. Organisational risk profiling is also important in determining the appropriate investment in information security.
Why carry out Organisational Risk Profiling and Mitigation?
Data, and the knowledge it provides, is not only a major business asset; organisations also have a legal responsibility to ensure it is safeguarded. The level of protection any piece of information needs is determined by the risk posed by its loss or unauthorised disclosure. Like all assets, information must be protected in a way that is commensurate with its value. This can be done through the use of protective marking.
An organisation should ensure that it applies an acceptable level of risk mitigation in situations where the risks are deemed to be high. But solutions should be no more robust or complicated than is necessary to address them. For this reason, it is essential to take a risk-based approach so that mitigation efforts are applied in proportion to the perceived level of risk.
The first step is to understand the risks fully. They can manifest themselves in various ways. For example, there are risks associated with project failures as well as the threats posed by deliberate criminal attacks or unpredictable events. Consideration must therefore be given to a strategy to manage these threats and understand the risk techniques required to address them. It is all about preparation which puts an organisation in a position to address these situations and minimise any impact.
SRM can assist by providing a mechanism to determine an organisation’s Information Security status level. This is done by developing an organisation’s risk profile and detailing what mitigation measures are already in place. Precise requirements are identified during a risk assessment workshop. From there a strategic assessment is produced which identifies what is needed to develop a corrective action plan.