Risk Register

Preparation

A good outcome of a risk analysis depends largely on good preparation. This is certainly the case when the participants in the analysis session have little experience with performing one. The facilitator of the risk analysis process carries out at least the following steps during preparation.

  • If the facilitator is not the CISO, check with the CISO whether there are requirements for the risk analysis methodology to be used.
  • Ask the information owner for what purpose the information within the chosen scope is processed. This sets the direction for identifying the relevant risks and for judging how severe an incident involving that information would be.
  • Ask the information management department for an overview of the information systems that fall within the scope of the risk analysis. A good overview shows the information flows between the systems and who performs which operations on which information, and why. This helps in finding out how and where things can go wrong and therefore where the risks lie. If no such overview is available, create one yourself; iAtlas can be used for this.
  • Request the BIV classification (beschikbaarheid, integriteit, vertrouwelijkheid: availability, integrity and confidentiality, the Dutch counterpart of CIA) per information system or per type of information. This classification is preferably available from the information management department; if not, it has to be determined in consultation with the information owner. The classification partly determines the impact level of a risk.
  • Draw up the list of actors who can breach the reliability (BIV) of the information. Besides malicious actors, also consider non-malicious ones: people who cause an incident unintentionally through carelessness, incompetence or ignorance. For the malicious actors, map out which attack methods are typical and plausible for them and how capable each actor is of carrying out such an attack.
  • Determine the level of technical detail at which the information processing will be analyzed, so that the more and less technically skilled attendees do not lose each other during the analysis session. Communicate this clearly, in particular to the more technically skilled attendees.
  • Provide a list of threats as inspiration for the analysis session; it gives the attendees ideas about how threats can materialize. Supplement this list with any new threats identified during the session.
  • Determine who will attend the analysis session: people with sufficient (technical) knowledge of the systems involved and of the existing security measures, and people who know how important those systems and the information stored in them are to the organization. Preferably, the information owner is present as well.
  • Give the attendees a clear explanation beforehand of what will happen, what the risk analysis entails, what is expected of them and what the risk analysis should deliver.