carloscastilla - Fotolia


5 steps to determine residual risk during the assessment process

Even the best security controls have data management gaps that create risk. Here are steps to identify and offset residual risk during an assessment.

Governance, risk and compliance-related residual risks are risk factors left over after an organization applies security controls to ensure compliance with laws and regulations. It's important to remember that these residual risks might be acceptable with regard to one regulation but not others.

Residual risks might eventually become more tolerable due to changes in compliance data requirements and/or risk management methodologies. For example, security controls to offset risk may become more cost-effective and/or technologically advanced as risk assessments evolve, thereby lowering the threat level.

Organizations can best determine residual risks after undertaking the following risk mitigation efforts:

  • identifying governance, risk and compliance (GRC) assets, including software, hardware and data sensitivity level;
  • identifying vulnerabilities and threats;
  • completing the initial risk assessment process;
  • identifying current security controls used to offset risk;
  • determining whether those risk controls are preventative, detective, corrective, recovery-focused, directive or deterrent; and
  • assessing each security control's strengths and weaknesses.

To complete the risk assessment, organizations should undertake mitigation steps and report the results -- including the status of any residual risk instance -- to corporate leadership and then review residual risks and update them accordingly.

Here are five steps to handle residual risks as part of the risk assessment process.

Step 1. Identify residual risks

First, it's important to identify initial risks, whether you have rated them as weak, moderate or high. Once that's completed, you can implement security controls.

You should deem residual risks high if security controls for the initial risks are weak; moderate if security controls for high initial risks are adequate or if security controls for the low initial risks are weak; and low if security controls for the high, medium or low initial risks are strong or if security controls for the medium- or low-rated initial risks are adequate.

Step 2. Identify relevant GRC requirements

You should determine your organization's GRC requirements by checking the business's relevant regulations. Some examples of regulatory requirements include those under the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act and HIPAA. If relevant, privacy compliance regulations, such as the EU's GDPR and the California Consumer Privacy Act, should be considered.

Each of these regulations -- and many others -- has different data retention requirements for different document types. Organizations must determine what specific data requirements apply to them.

Step 3. Identify security controls

Your next step is to identify applied security controls and any resulting residual risk. These risk controls include the following:

  • Preventative security controls, which are designed to avoid information disclosures or alteration of GRC-sensitive information. Examples of preventative security controls include multimodal biometric authentication, clustered servers, encryption, nested firewalls to block unauthorized networks and policies to prohibit unauthorized network connections.
  • Detective security controls, which identify unauthorized or undesired activities after an event has occurredExamples include intrusion detection systems, automated log monitoring, system audits, virus scanners and file integrity checkers.
  • Corrective security controls, which respond to and recover from an incident, as well as prevent future occurrences. They also limit further damage from an attack. Corrective security controls include incident response systems, procedures to remove a virus from the infected system and updated firewall rules to block an attacking IP address.
  • Recovery-focused security controls, which return the system to production mode after an incident.
  • Directive security controls, which outline actions that should be taken to protect sensitive information. Examples include policies, procedures and guidelines.
  • Deterrent security controls, which discourage security violations. One example is a policy stating that access to servers is monitored in an attempt to discourage unauthorized access.

Step 4. Determine how to handle unacceptable residual risks

Once you have reviewed security controls and determined your residual risks, offset these threats by considering the following options:

  • replacing security controls that have become outdated or are no longer available;
  • transferring residual risk management to other parties, including cyberinsurance agencies;
  • checking calculations to determine the likelihood that the initial risks will occur; and
  • updating an organization's risk assessment to reflect changes if upgrades to security controls, hardware and software are major due to residual risk.

Step 5. Apply any changes to residual risk status

Determine risk tolerance by gathering a list of residual risks that are unacceptable after you have applied security controls to the initial risks. For each of these residual risks, periodically check for any changes to the applied security controls.

Then, compare alternative, cheaper security controls from current and new vendors. Determine the ROI of each, and if possible, apply the security control changes with the highest ROI.

Following these five steps can help you determine whether you should accept or reject residual risk. Remember to keep your eyes open: Cost-effective security controls that are currently unavailable may be on the market during your next round of risk assessments.

Next Steps

 Risk assessment matrix: Free template and usage guide

Dig Deeper on Compliance

Enterprise Desktop
Cloud Computing