Maintaining data confidentiality, integrity and availability
A risk assessment is the process of identifying threats and vulnerabilities that can affect an organisation’s information assets, and the steps that can be taken to assure the confidentiality, availability and integrity (CIA) of that data. Analysing the CIA of each information asset is a critical part of the risk assessment.
Conversely, when too much security is applied to an information asset, the confidentiality, availability or integrity of that data can itself be compromised.
When conducting a risk assessment, the company can determine how severe the risks are and identify a range of controls that can be applied to reduce them. In the case of BYOD, for instance, the controls could include educating employees on how to protect their devices, ensuring all devices are properly configured in line with security policies, implementing a BYOD policy, applying encryption solutions and software patching, to name a few.
Although it could pose significant security risks, a properly managed BYOD programme can reduce costs (by shifting expenses onto the user) and increase productivity (because of a more mobile workforce) without having an adverse effect on security.
Too much security isn’t a good thing
Fortunately, Ian discovered that too much security isn’t a good thing.
It is incumbent on the information security professional to consider and prioritise the business requirements. The risk assessment and risk management process shouldn’t restrict the business from achieving its objectives.
The risk assessment is fundamental to ensuring that necessary security precautions are adopted, while creating an enabling environment for the business to continue operating at maximum capacity.