There are many types of security risk assessments, including:
- Facility physical vulnerability
- Information systems vunerability
- Physical Security for IT
- Insider threat
- Workplace violence threat
- Proprietary information risk
- Board level risk concerns
- Critical process vulnerabilities
- Brand risk
- Reputation risk
- Terror and civil unrest related risks
- Micro-Assessments for Decision & Planning Support
Looking for Assessment Assistance? Jump to “How RBCS Can Help”
There are also many types of risk assessment methodologies, some focused on specific types of risk and some focused on specific business sectors, such as critical infrastructure protection. Our network of consultants includes specialists who are trained and experienced in all of the important assessment methodologies.
Homeland Security Methodologies
There are formal methodologies that are typically applied to critical infrastructure, public safety, and homeland security. These approaches follow detailed methods in a very systematic process, and are typically applied when consequences of a risk event are high, and/or the cost of risk mitigation is very significant.
For example, Sandia National Laboratories has developed very specific risk assessment methodologies for critical infrastructure facilities. Their names begin with “RAM” for Risk Assessment Methodology, and include:
- RAM-D (Dams)
- RAM-T (Electrical Utility Transmission Systems)
- RAM-W (Municipal water systems)
- RAM-C (Communities)
- RAM-CF (Chemical facilities)
- RAM-CI (Critical Infrastructures)
- RAM-P (Prisons)
- RAM-E (Pipelines, Electric Power Generation)
Many industry associations have produced security guidelines. The American Chemistry Council’s Responsible Care initiative developed the Security Code of Management Practices. The American Petroleum Institute has published its Security Guidelines for the Petroleum Industry.
Information Systems Security
Some assessment methodologies include information protection, and some are focused primarily on information systems. For example, the free OCTAVE Allegro from Carnegie-Mellon University is an Information Security Risk assessment process that focuses on Operational Resilience for IT functions and services.
OCTAVE stands for Operationally Critical Threat and Vulnerability Evaluation, and Allegro is a another musical term: allegro: (al-leg-ro) adv. In a quick and lively tempo.
Allegro is a streamlined version of the original OCTAVE methodology. OCTAVE was designed for self-directed application by personnel with little to no previous experience in risk assessments. The downloadable Allegro materials contain all of the completed work product from an actual assessment.
RBCS can help you identify an appropriate assessment methodology, and determine a suitable scope and fitting level of resources.
Just as selecting the right type of risk assessment is important, so is the scope for the assessment. Too broad a scope and the assessment can be an overwhelming task. Too small a scope and you don’t accomplish what you need to.
How RBCS Can Help
There are four basic approaches to performing an assessment. The first two have a high degree of client participation, which results in a strong risk-awareness among the security risk stakeholders. The four approaches are:
- Self-directed Assessment: The application of a well-documented methodology using only internal resources, sometimes with training or light outside guidance for preparation
- Collaborative Assessment: The application of a well-defined methodology a combination of internal and external resources
- SWAT Team Assessment: The application of an approved methodology performed quickly and thoroughly by external resources
- Red Team Assessment: An independent group (the red team) seeks to challenge an organization in order to improve effectiveness, utilizing highly experienced personnel with a specific scope and objectives
Small and Informal to Large and Formal
Assessments can always be performed for any organization and situation, whether available resources are abundant or minimal. At the small end of the spectrum is a “walk-around” assessment, an informal action with a specifically narrow focus that is performed using casual but intentional observation and discussion. It takes very little time per week, and is performed over a period of months and often adopted as an ongoing element of the security program. At the large end of the spectrum is an internally publicized formal assessment with team members dedicated full time from start to finish, taking a few weeks or a couple of months from start to finish, depending upon the scope of the assessment.
RBCS has performed and participated in successful assessments of all types.
All effective assessments provide actionable insight. When you need to know more—assess!