Performing a remote working security assessment is important. Remember that the goal is to effectively identify, quantify and remediate prioritised risks. The methodology of formal risk management matters. However, Ward Solutions' experience of helping organisations successfully manage risk for over 20 years is that there are a number of other "softer" skills and considerations that are key to the success of your risk assessment.
So, from Ward Solutions' experience across a wide variety of sectors, these are our top 5 tips for performing an effective remote working risk assessment:
- Identify the correct scope of your remote working processes and infrastructure – In order to assess the risks to your organisation from remote working, you need to correctly identify the key information assets, infrastructure and processes that you wish to assess. Your scope needs to cover all relevant processes and infrastructure of your remote working services, but be careful not to open it so wide that it encompasses vaguely relevant or irrelevant assets or processes. A bloated risk assessment scope increases the time and cost of the engagement, makes the output less relevant and reduces the likelihood of success.
- Ensure stakeholder buy-in and participation – Work hard to identify the key stakeholders in the risk assessment. Key stakeholders are usually a select sub-group of senior management, together with the middle managers and function owners who rely most heavily on remote working. Your most important stakeholder group may be a representative set of impacted or highly relevant grassroots end users. Their engagement, both in providing input to the risk assessment and in committing to its output and recommendations, typically makes or breaks the project. As with scope, focus on the quality and relevance of stakeholders rather than quantity.
- Conduct the risk assessment systematically and objectively – Use experienced risk assessment professionals and follow a recognised risk assessment methodology, such as NIST SP 800-30, to conduct your risk assessment. Ensure that you surface and appropriately quantify all relevant threats and risks.
- Be transparent and upfront when positioning and managing your findings – Resist the temptation to downplay risks because of vested, difficult or personal interests. Be transparent and honest with the organisation. Otherwise the engagement is bogus, the organisation gains no value and your integrity is called into question. If you are worried about vested or difficult interests being exposed, deal with this at the buy-in stage. Stress the importance of a "warts and all" approach. Outline upfront to stakeholders that most organisations will typically have the type and nature of issues likely to be uncovered. Help the organisation recognise how it got here – for example, an accelerated adoption of large-scale remote access and cloud services in response to COVID-19. Consider socialising and positioning your findings with impacted stakeholders in advance so that they are not blindsided, and allow them time to reflect and prepare their response before the final report of findings, public presentations and so on. Focus on the benefits of unearthing the issues and having the opportunity to remediate them, rather than ignoring or hiding an issue and then being forced to respond to incidents as they occur.
- Build and focus on a SMART remediation plan – Remember that the goal of the risk assessment is to allow the organisation to manage the risks you have identified and quantified. Too many risk assessments focus on the risks and issues rather than the remediation. By focusing on the issues alone you can either paralyse the organisation with fear and uncertainty or alienate stakeholders from future or ongoing risk management exercises. The goal is for the organisation to agree the risk register and buy into the prioritised remediation plan. Your remediation plan needs to be SMART:
- Specific – a very specific plan of what, where, when, how and by whom
- Measurable – it should be possible to determine very clearly whether each element of the plan has been implemented, and if so, how successfully
- Achievable – there is no point in having a plan that cannot be implemented economically, technically or organisationally
- Relevant – the plan must fit the organisation's goals and ambitions and, obviously, should address the identified risks in a prioritised way
- Timely – the plan should be capable of delivering both the quick wins and the longer-term, high-priority complex remediations. Its timelines must ensure that higher-priority risks are addressed without unnecessary exposure time for the organisation. It also needs to address programme fatigue: the tendency of protracted projects without definable progress and wins to lose support and enthusiasm over time.