By working collaboratively with a security and privacy team, management should not only gain an understanding of the risks, but also take ownership of the risk management process. Only then can the existing stakeholders gain an understanding of how to best manage those risks.

Five steps to assessing your security risks:

1. Identify your critical resources. The first step is to identify the information technology resources that support critical business processes. In other words, which strategic applications must be working optimally to ensure that your company is operating normally? You will want to focus on protecting these information technology resources. Next, you must evaluate the potential threats and vulnerabilities of these assets in terms of availability, integrity and confidentiality.
2. Evaluate the existing controls. This step consists of identifying the security measures that are already in place to protect critical information systems. You must perform some type of inventory of these measures and assess how effective they are against the threats. In so doing, you will be able to identify the vulnerabilities.
3. Assess threats and risks to strategic resources. Once you have identified the information technology resources and existing security measures, you can then perform the risk assessment and analysis. There are several tools you can use, including knowledge databases, workshops with technology and business process specialists, questionnaires, or your knowledge of existing risks. This is a crucial step, as it allows you to match the threats that management is aware of with the newest information technology threats that are emerging.
4. Perform a cost/benefit analysis. To find the solutions that best meet your needs, you will have to devise a security program, or plan, to enhance existing security measures or implement new ones. Such a program will be based on the identified risks and your company’s security priorities.
   “Once managers have a good understanding of the possible threats, they may decide to adopt measures to protect their critical systems, transfer the risk (through insurance, for example), simply accept the risk, or choose a combination of these three options,” explains Martine Gagné of Deloitte’s Security & Privacy Services group in Montréal. “What’s important is that each of these measures must be evaluated based on its impact on the company’s critical business processes.”
5. Implement risk management measures and procedures. In addition to implementing adequate security solutions, it is also important to develop a genuine culture of security and risk awareness, so that risk analysis becomes embedded in your company’s operations. The environment in which you operate is based on your company’s growth and technology changes. Therefore, you must periodically reassess external and internal risks, as well as existing security systems. As security threats continue to evolve, so must your protective measures.

The success of your risk analysis is largely dependent on: the scope of the project, the participants and the risk management methods you select. There are several risk analysis tools available. Some, like the Méhari process, provide a procedure, knowledge databases, and an assessment tool based on its own framework and aligned with the ISO 17799 Code of Practice for Information Security Management. Other methods, like Sprint or Octave, focus mostly on procedure. The team performing the risk analysis should determine which assessment tools and framework to use.

In today’s ever-changing environment, assessing information security risks is an exercise that requires diplomacy, vision and a thorough knowledge of the security threats in any given sector. As Adel Melek, leader of the Security & Privacy Services group, observes, protecting your information systems is essential to the long-term security of your business because security threats are continually evolving.