As a Security Analyst, your job is to identify business risks and raise the alarm to higher along with your recommendation of a solution. Some times you get approval for immediate mitigation action, other times for whatever reason the recommendation will be overruled.
Risk = Threat x Vulnerability
Lets make this a scenario and say the risk is a major gap in data protection that can only be fixed by purchasing solution X. Being an off budget item of significant cost the decision is passed down to add solution X to next years budget process which is a solid 8 months out yet. Tack on the procurement process and project implementation time of solution X and this data protection gap is going to exist for at least the next year.
Did you get that decision from management documented in writing, or was it just given verbally during a check-in meeting?
What happens when that specific security gap gets exploited in 7 months and you have to deal with the fall out of a massive data breach?
What do you have to show you recommended the data protection gap be corrected and that management knowingly accepted the risk to the business?
Are you the fall guy for managements call and your lack of documentation?
ENTER THE RISK ACCEPTANCE LOG
A Risk Acceptance Log is a living document to raise awareness of identified risk in your environment. The Log should be reviewed in detail with management, depending on the organization this will more than likely be the C level Information Resources representative. Once management fully understands the risk and the recommendations for mitigations or a fix, they sign off with official acceptance of the risk.
They sign on the dotted line and essentially state “As CIO of YourOrg I acknowledge and accept the risk of running Windows XP in our Organization.” — That is a very powerful statement.
Categories recommended to include in the Risk Acceptance Log, but not limited to are;
Risk Title :
Risk Details :
Decision Date :
Decision Maker :
Status : (Approved, Pending, Needs further action)
Likelihood of Occurrence : (High, Medium, Low)
Impact to Business : (High, Medium, Low)
Qualitative Risk Score :
Risk Score explanation :
Recommended Fix/Remediation :
Notes from Review :
A qualitative risk analysis is great for this scenario, its subjective, quick and gets the point across of the risk associated to the business. I do like to add a section for “Risk Score Explanation” in the Risk Log since scoring is very subjective the end result depends highly on your environment and what sort of defense in depth controls you have deployed between the vulnerability and the threat.
The beauty of a Risk Acceptance Log is that its not just for use by the Security team for Security business risks. Does your organization have old hardware that’s out of support? Maybe running a generator for backup power that’s past its recommended lifespan? Both are examples of risk, not specifically tied to Security but are undoubtedly risks to business continuity or productivity in the event of an outage. Add them to the log, the more risk awareness we can raise the more change we can push and in the end the business benefits.
There are two major benefits of a Risk Acceptance Log that immediately come to mind, coverage for yourself and getting eyes on risks.
CYOA, we all know what it means but when stuff hits the fan and we are in a breach situation for something you were aware of and are pretty sure you had brought up as a concern previously. A breach is no time to point fingers, however as a Security professional having piece of mind in knowing that you had identified a risk, brought attention to it and management signed off on accepting the risk instead of spending budget or time to fix it, that piece of mind can be priceless.
You will also be amazed at how tying a name to a decision and making management acknowledge the risk and officially sign off on it will help push security initiatives to a higher priority instead of just getting lost in the Cyber Sauce. Not only that but its a great tool to track risk over time, review risks at budget time and demonstrate accomplishments and successes over time.
So you might say, okay great, we’re documenting all of our security weaknesses, what happens when a malicious attacker gains access to our network and comes across the Risk Acceptance Log? Now they know where all our vulnerabilities are. That is a valid argument but with proper data protection the Log itself should be fairly secure. Access to the Log should be limited to only the few that need to know, no more. If an attacker has made it on your network and has spent enough time tooling around to run across your Risk Acceptance Log you probably have way bigger issues already. The immediate benefits of having a Risk Log in my professional opinion far outweigh the business risk it may inherently contain itself.
A Risk Acceptance Log has instant benefit to you as a Security Professional and your Organization. It should be a tool in your arsenal that is utilized and reviewed often!
WeisterCreek InfoSec 4/10/2021