Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome back to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back with us as we continue our discussion on the FTC Safeguards Rule Checklist for Compliance Series, where we go over all of the different checklist items, all of the different requirements you need to be FTC safeguards rule compliant.
Last week, we talked about how to designate a qualified individual, so if you missed that, jump back in, listen to that. And this week, we'll be diving into utilizing a risk based approach to set up your information security program. We're going to dive into what exactly that means, how to do it, how to set up your evaluation, how to set up your assessments and treatments, so you have a risk approach that appropriately supports your information security program. There were so many little tongue twisters there. I can't believe I got through that, but amazingly, I did. Before we jump into everything, please click that like, click that subscribe. If you like what you're hearing, definitely follow us and if there's anything that you want to dive into that you're having trouble with in your security or compliance program, please reach out to us, let us know and we'd love to be able to have some topics that help you directly.
So diving into it today, utilizing a risk-based approach to set up your information security program. So I guess first, what exactly does that mean? What does that even really look like? And really, all that means is that all of the controls that you implement, be those technical, physical, administrative, all of those controls, your entire information security program is really set up based on your risk assessment approach, which is a little weird. It's almost like a chicken or the egg, which comes first, they kind of come together. But in any case, any of the decisions that you make, any of the processes you have in place, the policies, the controls, anything that you're doing in the organization related to security and compliance to that information security program, you should be able to justify it against a risk analysis and a risk decision. And that's a little bit, that can be a little bit more complicated, we'll definitely dive into that. But really, all it means is that all of your decisions, everything you can do, you can back it up with a valid reason and it should be based on your risk assessment process.
We definitely have a lot of other podcasts, a lot of other resources on our website that talk about how to do a risk program, all of the different ins and outs of risk management, risk assessment processes. We're going to dive into a little bit of it today. But a lot of resources there.
So definitely, if you're completely in the dark with it, there are resources and light at the end of the tunnel for making that a little easier for you. So as far as risk-based, what we want to make sure that we're addressing is that all of our risk analysis is basically tied to addressing that CIA triad. Or if you've listened to some of the other podcasts where we've talked about it, the CIAPS that we look at.
So that's really assessing risk to make sure you're addressing confidentiality, integrity, availability, privacy, and safety concerns, as well as what we also look at, mission, objectives, and obligations. That's more on the business side, but really that everything you're doing to identify, assess, and treat risk is focused on those areas of the business. And as far as the FTC Safeguards Rule cares, haha, it's the CIA triad. As far as real business operational ability, being able to keep things running, to be able to see things before they happen, or to properly position the business, you really want to look at that CIAPS, confidentiality, integrity, availability, privacy, and safety, and also consider mission, objectives, and obligations to the business. So moving on to the next part, evaluation and identification.
So your risk process really needs to have ways for you to identify risk, evaluate them, ways to assess those risks, and ways to treat and make decisions based on those. So here in the identification and evaluation, we're really going to look at internal and external risk. Now, you can do this in thousands of different ways.
You can brainstorm. You can mind map. You can download different risk charts online.
You could utilize even our information security program, which has a lot of risk identified. However you do it, you want to identify all of the internal threats and vulnerabilities to your organization and all of the external, and typically, the way that we look at that is: internal is typically people, processes, and systems, or people, products, and systems. And external comes down to the PESTLE analysis, so political, economic, social, technological, legal, and environmental. Looking at each of those helps you to identify what could happen in any of those categories that could make things go sideways for the business, that could make it to where we're not meeting our revenue goals, or our commitments, or our obligations. That's really it. And however you identify those, again, brainstorming, Ouija boards, whatever, that's all a risk program is really doing. Now, the next step, once we've identified all of those, is assessing.
And in our assessment, in our risk evaluation, we want to make sure that we're doing that in a structured manner, so that way we have repeatable outcomes, that we can actually perform the risk assessment this year, we can perform it next year, and we're comparing apples to apples. We're not just doing things based on our current feeling. It also makes sure that we can measure our risk over years or really whatever amount of time you're looking at.
Typically, it's at least annually that you're performing a risk assessment, so that way you can see is our total risk exposure lowering, is it increasing, and it helps give you an idea of how effective your information security program is. Really, what you're looking at, typically, with your assessments, is an impact and then also a likelihood. So the impact is, if this were to happen, how much would it hurt? And the likelihood is, how likely is it to happen?
Now, there's an infinite number of ways that you could do this.
Very common ones include like a three by three scoring, high, medium, and low, and then that gives you a total risk score, or a lot of times a five by five type of model that we use a lot, and then that way you could say we have maybe a middle-of-the-road impact. It's not going to put us out of business, but it's definitely going to cost us some money. And a likelihood, maybe middle-of-the-road, a three, that we expect this to happen maybe within the next one to three years, and we have a total risk score, say a nine, or whatever that calculation comes out to be, but that way you have a more quantifiable measurement of your risk. There's still a lot of separation there between a true qualitative and a quantitative measurement. That's, man, that's a completely different discussion. But what this does, having that scoring structure, is be able to show here's how we do assess risk, here's how we grade them, and we do it the same way every time. Right, wrong, or indifferent, this is always how we're doing it. So if you look at one risk or we look at another, we're looking at it the same way.
Finally, once you have it scored, once you have it assessed, then you can make a treatment or a decision. Well, now we have this risk, we've identified it, we see how much of an impact it could have to our company, what are we going to do about it? And that typically comes down to, do we find some way to structure our business so we can avoid this risk? Do we look to mitigate it? Maybe putting in certain controls to where we have different security controls like MFA or stronger passwords or maybe locked doors, or do we look to transfer the risk, say, to an insurance company? And finally, do we just look to accept the risk?
Now, typically, whenever you have any type of risk, unless you can avoid it, which is the best way to handle any risk, if you can structure your business, structure your processes, your systems, whatever, to where that risk could never happen, it's completely avoided. I don't ride motorcycles right now because of how dangerous they are. That is not a risk that I have to worry about. It's completely avoided. If I did ride a motorcycle, however, I would definitely look to mitigate it, with helmets, with driving courses, with not driving in the rain, not driving at night, all the different ways I could mitigate it, and then transfer some of that remaining risk to the insurance company with life insurance, auto insurance, things like that. And then finally, at the end, accept the residual risk of, God forbid, something happening, I accept that I could get hurt or, God forbid, in that analogy, actually die, but I accept that.
That's all the treatment is. And your risk process needs to be able to show that you're having the same treatment, you're treating each risk in the same way. We're not, say, avoiding motorcycles over here because that would be too dangerous, but over here we're juggling chainsaws.
That doesn't really seem to match up to our risk appetite, to the general way that we approach risk. And that's where you could have trouble, say, if you have an audit or review of your risk process, you want to make sure that it's fair and consistent. And that's all it really means to set up your information security program based on a risk based approach.
That you have a risk basis, that you have an identification method, an assessment structure, assessment and scoring, and that you have methods to treat and make decisions on those risks. And finally, make sure, like everything in your information security program, that it's fully documented.
That in a nutshell is, again, how to create a risk based approach to your information security program. That is following our checklist for compliance, which we have in the description of this podcast. We have it on our website. And we'll also have some links to some other relevant blog articles and resources that can really help you on your risk based structuring. Of course, if you have any questions, please don't hesitate to reach out to us. Always happy to jump into it with you. But that is all the time that we have for today.
So thank you for listening, and until next time.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant. And we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.