How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Kelly Sharadin says
To create an information risk profile for a small startup, one would first interview the business to understand its services and operations. It would also be essential to determine what industry the company is in, such as finance, technology, or advertising. This information can inform what data types the company handles as well as its regulations and compliance requirements.
The next step in developing a risk profile would be to inventory the company’s technology and policies. Using this information, we can build a risk profile around the organization’s attack surface by understanding what vulnerabilities exist within their technology stack that malicious attackers could exploit, such as custom APIs or on-premises infrastructure.
After listing known vulnerabilities, we would assess the likelihood of an attacker targeting the organization. By understanding what types of attacks are typical for that industry, what assets exist, and the technology used, we can prioritize security controls and configurations.
This early risk profile lays the groundwork for establishing a baseline that the business can build from and refer to as new technology, processes, and people join the company as it grows in maturity. This risk profile may also assist the company down the line for becoming acquired by another organization, as this will produce a favorable due diligence assessment regarding the startup’s value on security and ability to reduce and mitigate risk.
Matthew Bryan says
You bring up a great point about acquisitions and due diligence. In some ways, the due diligence process is a risk assessment of sorts. Strong information security practices are a competitive necessity in strictly regulated industries and must clearly be outlined in the diligence process. In less regulated sectors, such practices can add significant value to the acquired company and demonstrate organizational maturity. The use of common frameworks, e.g. NIST, can help both parties to express and understand each other’s security posture. This saves time and reduces ambiguity during the diligence process.
Dan Xu says
Your point of view is novel and comprehensive; I like it. Because this early risk profile lays the foundation for establishing a baseline, companies have the autonomy to manage risk within their own preferences and tolerances. Therefore, the level of risk avoidance of enterprises will gradually increase. The timely and effective handling of the vulnerabilities that occur and the enhancement of the ability to avoid risks are important reasons for creating an information risk profile for a small startup.
Andrew Nguyen says
To create an information risk profile for a small start-up business, I would first list/evaluate the business policies regarding information security. What existing policies are put in place? Are controls put in place for limiting confidentiality, integrity, and availability? Are employees able to access data from outside of the workplace (on their phone, or on their personal machines)? Do employees currently undergo information security training/classes, and what physical/technical/administrative controls already exist in the business?
This gives an idea of what vulnerabilities the business may be exposed to, and can be used as the basis for creating the risk profile.
The risk profile would contain a list of (identified) risks that the organization is currently exposed to. I would also make note of the organization’s ‘position’ or ‘attitude’ towards that risk: Do they plan on ignoring the risk, are they willing to accept the risk, or do they plan on taking actions towards mitigating that risk?
The business should use the risk profile as a guide for information security, ideally on a consistent basis. For example, they can every six months evaluate their risk profile: Are there any identified risks that are not at an acceptable level for the organization? Have they made any progress since the last evaluation? Are there any new threats that they may be vulnerable to? What investments have the business made, and have they reduced or increased the level of risk? These are just some questions that an organization may ask themselves as they continue to refine their risk profile.
Kelly Sharadin says
Hi Andrew,
Excellent comment regarding understanding the business’s attitude toward risk. This is an important question to ask upfront to quickly determine scope and resources when developing a risk profile. Although there are many templates and checklists available, each risk profile needs to be individually tailored to that organization to be successful. Without taking the business’s attitude toward risk into account, the risk profile may not adequately represent the business’s goals. This is the challenge of information security, as it cannot ultimately be adverse to business operations. Great post Andrew!
Kelly
Jason Burwell says
Hello Andrew,
Very good point in going over the existing business policies; that is something I actually forgot, and it is very important to setting up the risk profile for the business.
Joshua Moses says
Andrew, once again you are being very insightful on the things we should be considering as Information Security Professionals. Although it is mentioned variously throughout the materials we have been instructed to read, I like how you highlight them in your answers. For instance, considering whether employees are able to access data from outside of the workplace (on their phone, or on their personal machines) is essential! If this is the case, it makes our jobs of securing company data (which is an important asset) even harder.
Victoria Zak says
Andrew,
You made very important points in your discussion post. I really enjoyed that you put in questions regarding the business policies. It made me understand more of what questions you would ask.
It is a great idea if employees receive training related to vulnerabilities. This would give employees a better idea, so that if they see the business getting exposed, they can identify it right away.
Kofi Bonsu says
Creating an information risk profile for a small business begins with identifying the risk factors that a small business owner may face. And no business, no matter its size or industry, is devoid of risks.
In this regard, organizations identify and evaluate risks to the confidentiality, integrity and availability of their information assets. The process can be categorized into risk assessment and risk treatment, which would enable the organization to fashion out a suitable risk profile, which in turn would identify activities with the aim of developing an understanding of information security risks to systems, people, assets, and data. It would help to understand the business context, current business needs and their associated risks, to enable the organization to determine threats and prioritize their risk efforts.
Furthermore, creating a risk profile would essentially help the organization to implement appropriate safeguards and security controls for their most critical assets against cyber threats. Detection and response would be part of the risk profile indicators, to quickly spot events that could pose risks to data security and therefore take action against detected threat incidents immediately.
Ornella Rhyne says
Hi Kofi,
You are right that small or large companies require time to analyze their assets and create a risk profile. Most of the time we believe that larger companies are time consuming, while small startups need to be investigated really carefully. If you were to create a risk profile for a company, what steps would you be taking? I know you explained to us what is needed to create a risk profile, but you did not tell us what you would do. What sector of activities will you be focusing on?
Mohammed Syed says
IRP is a key element for new businesses. Creating and maintaining an information risk profile is mandatory for new and upcoming businesses. Information risk is a business risk due to the involvement of IT in ownership, business operation, and IT enterprises. Small start-up businesses need to analyze their enterprise risks, such as strategic risk, environmental risk, market risk, credit risk, operational risk, or compliance risk, etc., to create a profile that analyzes the business from top to bottom and end to end. This helps them have a closer look at business services and processes to check clearly where the value is generated and where the risk is; all of these are the major factors in creating the risk profile for a small business.
IRP helps businesses understand the upcoming risks or challenges for the business. It generates an idea of how businesses can face critical threats and still continue to run their business processes and organizational operations properly. The risk profile includes the risk level and categories of impact on a business. It helps to identify information risk in order to mitigate threats and overcome various risk impacts on the organization’s business, operations, and consumer trust, as well as maintain the organization’s brand reputation.
Businesses use a risk profile to be stable in the market, to run business operations in the proper way, and still maintain brand reputation. The risk profile gives brief details of what the possible impact can be. It helps show how to troubleshoot and overcome obstacles in business. It also helps the business to expect unexpected losses and challenges. It is also helpful to the business in financial management and in maintaining consumer trust. Businesses use risk profiles to face and mitigate the challenges of the business.
Matthew Bryan says
I wanted to underscore your point about brand reputation. This is critically important for start-ups that are trying to carve out market share. Unlike established companies, start-ups are less resilient to reputational damage. This is why sound information security practices must be prioritized for start-ups. Failure to do so can jeopardize the success of the company.
Madalyn Stiverson says
A small business should do research into what risks commonly plague its industry and revenue band. It should consult all senior and executive leaders regarding what risks (both low frequency/magnitude and high frequency/magnitude) could potentially impact the organization or business function.
After compiling these analyses from both outside and internal research, it should consult with an expert. These experts generate and maintain risk profiles as a full-time job. If they are able to find an expert that specializes in their industry or revenue band, that will allow for a more tailored risk profile generation.
A risk profile for a small business would have a much lower level of acceptable risk than a larger business. It would not be able to fund certain risks that large organizations define as acceptable. Because small businesses have limited financial capacity to fund these risks, it should consider the best processes for mitigating against those risks. It should weigh the cost of mitigating controls versus the potential impact and frequency of a given risk. The small business should also continually update and ascertain accuracy of its risk profile.
Wilmer Monsalve says
Hi Madalyn, I had some trouble understanding what you meant in your last paragraph. Do you mean that since smaller businesses don’t have as much funds as a larger business would, they would have a higher level of acceptable risk? Due to the fact that they can’t fund it, they have to accept the risk but be very mindful of it?
Alexander William Knoll says
Hey Madalyn,
You make several good points. I didn’t really think about it when I made my post, but it is definitely true that a small start-up will not have the same resources or financial means as a large corporation, so there is a much higher level of risk that they probably would have to accept instead of being able to mitigate.
-Alex
Michael Galdo says
To create an information risk profile for a small business, you must start with identifying the risks that the business could face. A meeting should be held with all executives and risk management decision makers discussing what risks would potentially impact the business the most. This risk profile would contain a breakdown of any risks that seem to be a threat to the company. The breakdown would state what exactly the risk is, why it’s important to the business, and what actions would the business take if they were to come in contact with this risk. The business should use the risk profile as a guide to follow if they ever come across the risks contained in the profile. As the company grows you can make edits to the profile if new risks arise or if there’s a higher amount of acceptable risk you’re now willing to take.
Ryan Trapp says
To create an information risk profile for a small start-up business, you would first have to survey what industry the business is in and what products/services are offered. Starting with industry-specific risks, we can work our way down to the current business and identify the risks along the way. Once all the known risks are identified and assessed, the business can work towards implementing strategies to address these risks. A small start-up would see a different set of risks than a large business. For example, a start-up may have one or two network administrators for implementing all IT policies, whereas a large company would have teams with potentially specific duties.
Even though it is a small business, they should use this risk profile the same way as any business. Once the threats are established, the company can work on policies and procedures to address the specific risks they are facing. The company can determine where they are weak and make the decision on what controls they need to implement to address these risks (physical, technical, or administrative). Once the policies have been updated and the proper safeguards are in place, the company should continue to review the safeguards on a recurring schedule and make adjustments as needed.
Kelly Sharadin says
Hi Ryan,
You make an important point about what IT personnel a small business might have. Often my clients do not have any internal IT team and they outsource these responsibilities to an MSP. To that end, I would include the MSP as part of the risk profile. What processes and technology does the MSP use, and how does the MSP mitigate risk? Vendor and other third-party support are important components to include in the information risk profile. Thanks for sharing your thoughts!
Kelly
Antonio Cozza says
I agree with your point, Kelly; an entity is only as secure as its weakest link. Regarding third-party risk management, an organization must evaluate or audit third-party business partners, or have a review performed of the third party’s audit, as it could lead to vulnerabilities affecting the information security of the primary organization. This is evident in relatively recent news with the pipeline hack, as well as Target’s HVAC third-party breach.
Ryan Trapp says
Hi Kelly,
Great point about MSPs being included in the profile. Having previously worked for an MSP, I can say from experience that they have complete access to the companies they service. Like Antonio mentioned, even with a bit of access, like we saw with the HVAC company for Target, an information breach is possible. MSPs will usually have complete administrative access for their clients. The MSP should be considered a stakeholder and should be brought in on any information risk assessments that are performed.
Miray Bolukbasi says
The structure of the risk profile should demonstrate the company’s value and be easily applicable to the organization. By being useful and beneficial to the organization’s leaders and stakeholders, it should help to make effective decisions where it also creates strategic advantage.
For a start-up company, since everything is brand new, business processes and capabilities should be understood. Before going into risk assessment and evaluation, it’s important to understand where the company stands in the industry, what the external and internal key factors for its operations are, and the overall view of company values. It’s really important that during this step, transparency takes place between the company employees and the people who are running the risk profile development.
Once the research is done and the company’s features are understood, there are some objects that should be contained in the risk profile, such as the associated data for the capabilities and resources of the company and their availability, identified threats and vulnerabilities, mitigation control options and implementation ideas. During the risk profiling, the risk capacity, risk tolerance and risk requirement should be addressed.
Hopefully, the risk profile helps the start-up company to minimize the loss impact by identifying the risk as per the company’s policies and capacity. It can create a balance between reward and risk, which is really critical for a company that is new and needs opportunities to grow.
Matthew Bryan says
“Before going into risk assessment and evaluation it’s important to understand where the company stands in the industry, what are the external and internal key factors for its operations and overall view of company values.”
This is well said. Understanding the company’s place in the industry provides the necessary context for risk evaluations. Smaller companies may be able to capitalize on their ability to assume more risk than larger companies. They may have less to lose should an adverse event happen.
Olayinka Lucas says
Hello Matthew,
I disagree that “Before going into risk assessment and evaluation, it’s important to understand where the company stands in the industry, what are the external and internal key factors for its operations and overall view of company values.”
I would rather state that it is better to understand the goals and objectives of the company, where the company is actually going, and what it intends to achieve. Then, based on understanding its goals, a risk profile can be created to guide those goals in line with the current practice.
Andrew Nguyen says
Hey Miray,
I like your point about the structure of the risk profile demonstrating the company’s value. Risk profiles aren’t a one-size-fits-all: they should be tailored to the company depending on their business structure and policies (among other things). It would be easy to go down a checklist when creating the risk profile for a company; but it looks like a risk profile should be specific to the company’s goals and values.
Thanks for sharing your thoughts!
Andrew
Miray Bolukbasi says
Hello Andrew,
Thanks for your comment! I just wanted to say that lots of organizations try to have the same risk profile nowadays and, like you said, they think “one-size-fits-all”, but it is a terrible approach. Thanks for bringing it up!
Alexander William Knoll says
Hi Miray,
Very good point in your first sentence “The structure of the risk profile should demonstrate the company’s value and be easily applicable to organization”. It wouldn’t make sense to develop a risk profile if it does not align with the company’s goals and its structure, and you might have a hard time convincing its employees to cooperate if another method of development is used.
-Alex
Matthew Bryan says
As recommended by the RISK IT Framework, this assessment would begin with the founders participating in small workshops that explore where value is created and the potential risks. These workshops will help to define the context of IT risk scenarios and help the founders to define priorities, e.g. sales optimization, customer satisfaction, cash flow, securing proprietary technology, etc. (Risk IT Framework, 2nd Edition, 2021). The output of these sessions would map where value is generated and needs protection, i.e. assets, threats, vulnerabilities, and impact (Risk IT Framework, 2nd Edition, 2021). This map would highlight circumstances that diminish value creation and introduce technology risk to the company. For example, if a healthcare start-up experienced a breach of patient PII due to poorly secured servers, the resulting fines could be disastrous to the fledgling company.
Start-ups are smaller and often have fewer resources than larger, more mature companies. The profile should call out risks associated with resource constraints that are common at start-ups. For example, the CTO of the start-up may be the lead developer, site availability engineer, and product manager. Segmentation of responsibilities may not be possible given the size and technical abilities of the founding team. The risk profile would need to acknowledge the present state, i.e. lack of SDLC best practice, and provide a roadmap to reduce this risk in concert with future growth. The company may choose to prioritize hires in the SecDevOps field over other roles, or invest in additional training for other staff, to help reduce this risk over time. Along with other strategic documents, the risk profile should help the company to plan for effective growth while reducing technology risks.
Bryan Garrahan says
Matthew you make a great point that resource restraint considerations should be included in the risk profile. Along with the plan or roadmap to reduce a particular risk over time I believe this process should also include any mitigating controls that exist for that risk. It would probably be helpful to identify and document the most significant risks as a result of resource restraints which do not have existing mitigating controls in place. From there, the risks could be prioritized to ensure safeguards are put into place timely so the organization faces as little exposure as possible over time.
Michael Jordan says
If I were consulted to create an information risk profile for a small start-up business, I would first call a meeting with the CIO, head of IT, and heads of other departments involved who I think would have knowledge about the risks that face the company (especially IT risks). I would then go into depth regarding each risk we outline and come to an agreement on the severity of the potential loss, the probability the loss is going to occur, the best methods for reducing each type of risk, and how much money can/should be attributed to risk reduction practices regarding each specific risk.
The risk profile would contain all of the risks noted, their impact, probability, risk reduction methods, and monetary allocation. The risk profile would also contain terminology and visualizations that make it easier for business services and heads of other non-IT departments to understand, in the hope it will make them remember it better, be more willing to comply, and be more willing to educate and stress the importance of information risk and mitigation methods.
The business should use the risk profile to build off of every year (when they reevaluate their information risk mitigation policy), and when they create education plans to inform their employees of information risk and mitigation methods.
Alexander William Knoll says
Hey Michael,
You make some great points in your post. I think it’s worth noting that, being a small startup, you may not have a CIO or head of IT to meet with; it might just be one guy doing everything IT related, but I suppose that really would depend on what stage the start-up is in. I really agree with the importance of non-IT needing to know the importance of risk and mitigation methods.
-Alex
Olayinka Lucas says
When creating the risk profile, my approach would be to identify and decide what criteria are available and essential to building a risk profile that matches the organization’s specific tolerance level. The under-listed is a step-by-step approach:
Start with your client’s understanding of inherent risk to their mission-critical activities through interviews, consulting, and research. Secondly, look beyond their risk definition to determine the possible impact severity and probability from already identified and similar risks to the organization. These create visibility to vulnerabilities and threat vectors for risk profile content.
Thirdly, present various risk scenarios to clarify the consequences of identified vulnerabilities. Once done, balance the organization’s risk tolerance with the risk capacity to sensitize the startup on acceptable, unacceptable, and tolerable risk practices. This is a step-by-step approach to risk profile creation.
The risk profile of a new startup should be used to evaluate the startup’s risk appetite for business improvement. In addition, it should serve as a means of identifying and mitigating potential risks and threats that may occur in the nearest future as the business grows and seeks better opportunities. This further helps to achieve process improvement and effectiveness.
Michael Jordan says
Olayinka,
I also said and agree with the fact that it would be critical to first talk with the client to get a better understanding of their overall business and to see what their most important information and processes are. This would help them and us by naturally bringing up ideas about certain threats or losses that would be catastrophic to their assets, business continuity, reputation, and more. They will know the nature of their business better than we will, but we will know the most common types of information technology risks and methods of loss, and combining these two areas of knowledge will help in establishing the best responses and allocations of funds.
-Mike
Bryan Garrahan says
The risk profile for a small startup would start with assessing the business process(es), or primary assets, of the organization as well as the limitations of those processes. Thoroughly reviewing the processes can help an organization classify the nature or sensitivity of the data which flows through them. Furthermore, it would also be helpful to gain an understanding of legal or regulatory risks which could have an impact on business operations. We’d then be required to gain an understanding of what and who, or the secondary assets, are operating the business processes, including the people and systems/applications. I believe if a startup can adequately identify and document their primary and secondary assets, this can help them obtain a complete list of vulnerabilities which they need to protect themselves from. From here, the vulnerabilities can be categorized based on criticality, and the startup can deploy controls on an as-needed basis and periodically review the risk assessment to ensure they are operating effectively.
Michael Galdo says
Hello Bryan,
You make great points regarding what would be included in the risk profile of a startup. It would definitely be a good idea to gain knowledge of the legal risks that you can face as a business, as startups are new and may not have much experience dealing with these specific rules or guidelines. Breaking down your company’s assets is a great way to come to a conclusion on what the company’s greatest vulnerabilities are and how they can be mitigated or tackled if ever encountered.
Ornella Rhyne says
I like how you mentioned the legal or regulatory risks and also gaining an understanding of the work environment. To create a profile, we need to know what resources, systems, applications and processes they have put in place; that way we can have knowledge of the vulnerabilities they could face and find a solution. Creating this risk profile would help bring in the new procedures that can be implemented in the organization and identify the risks that can be deemed acceptable or not. Creating new security measures, including full encryption of their data, will be possible by creating this risk profile.
Wilmer Monsalve says
First I would consult with the owners of the small start-up to review their business process model and evaluate how the business functions. Then I would search for potential risks and vulnerabilities within the company. After collecting all risks within the company, I would ask for their budget to help prioritize the risks. Then I would create the risk profile for the company. Within the risk profile, it will have documented all risks with specified attributes, expected frequency, monetary value, and potential impact. It will also include what needs to be prioritized and the policies that would need to be put in place to help prevent risks. The business owners would then decide what needs to be implemented in their business and what they deem most important.
Lauren Deinhardt says
Wilmer, great job in highlighting risk register ideals such as finances, impact and frequency. Keep in mind that proper risk profiles should connect company capabilities in the mix as well, which can be done by creating a risk capability inventory. Overall great response!
Andrew Nguyen says
Hey Wilmer,
I like your thought process of including leaders of the business in the decision making of the risk profile. I agree that a risk profile should be used by the business to help them prioritize what risks they are vulnerable to, and which ones they want to ignore / accept / mitigate. Your last point highlights this really well.
Thanks for sharing your thoughts!
Andrew
Lauren Deinhardt says
In order to create and maintain an information risk profile for a start-up, it is important to connect each risk with business processes first. In this example, we can state the start-up produces a stock trend predictor software.
When connecting each risk in this case, such as the risk of data being modified, causing investors to make business decisions with false knowledge, or even the risk of financial account data leakage (if the company processes cardholder data), the risk assessor should link business owners to each risk (i.e. the company financial team/networking team), inventory business processes (i.e. how the cardholder data is being processed and how trends are computed/stored in the application), and record any facilities/suppliers/vendors that might interact with the at-risk data. This inventory and mapping of services will assist the assessor in determining risk criticality. Based on the nature of the start-up, the risk of data modification is critical, since the program is founded on the principle of predicting accurate stock trends; however, the company needs a plethora of resources it might not have to secure cardholder data. Both risks involve critical portions of the business, but does the organization have the capabilities to mitigate them?
The next portion of the risk profile creation involves assessing organizational capabilities to handle risk. In this situation, maybe the start-up has a dedicated information security team, constantly ensuring data integrity and preventing intrusions; but the company does not have the finances to become PCI DSS certified, or the resources to monitor the card-processing program, to ensure cardholder data is protected. In this case, the aforementioned financial data risk can be transferred by outsourcing payment processing to a PCI DSS-certified third-party vendor.
After evaluating risk capabilities and updating risk scenario components for each listed risk, the risk profile should be maintained, with at least annual reviews. By ensuring the accuracy of the register, the start-up is constantly staying updated with new risks, vulnerabilities, and business impacts. This risk register will assist in determining if risk should be remediated, transferred, ignored or mitigated, by combining risk factors with individualized organizational capabilities/concerns.
Olayinka Lucas says
Hello Lauren,
“Assessing organizational capabilities to handle risk” is a fantastic initiative from my own point of view. If I am to create a risk profile for a business, compatibility should be a major factor, and most importantly, it must be suitable to your strengths and weaknesses from a practice and procedures perspective. I totally agree.
Christopher Clayton says
The purpose of an information risk profile is to document the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. It is also critical to the success of an organization's information risk management plan. The first step in creating a risk profile is to conduct in-depth research on the company and evaluate ownership qualities with owners and stakeholders. Next, set up a meeting with management to discuss potential risks that may come about. The risk discussion should be explained in a way that both business and technology personnel can understand. Also, evaluate risk analysis on a regular basis to help the organization identify, manage, and safeguard data, information, and assets that could be vulnerable to any potential threats.
Vraj Patel says
Hello Christopher, I do agree that the risk registry includes the risks within information systems and whether they were accepted or not. However, I would say that identifying the ownership/stakeholders should be the third step, as knowing the organization should be the first step, and meeting with the stakeholders to get a better understanding of the organization should be the second step. That way we can know what kind of systems they might have and what kind of information we should look for.
Michael Duffy says
First, I would identify the business's operations and goals. Essentially: what do they do? What information systems are they operating? What are each individual's roles and requirements? These would be the best starting points for capturing information before determining the necessary controls to be tailored.
Secondly, I would begin categorizing a set of security controls based on FIPS-199 and relevant risk management methods (such as NIST SP 800-30 or SPRINT) and determine the impact of each security objective. This all depends on the depth of their operations in step 1, which identifies criticality and can be applied in multiple areas if necessary, depending on the complexity of the small business. This will tailor a control set for later so that we can determine the risks and attributes necessary in the risk profile.
After the controls are tailored and we have categorized components of the business, we can begin harvesting information through documentation, vulnerability scanning, and threat analysis of the information system/enterprise the business is utilizing. After determining the inventory and quantity of vulnerabilities/risks within the business, they would be able to utilize this risk profile to determine the acceptable risk for each attribute/type in their business impact analysis. This would allow the business to generate a risk map for continuity of operations and also inform the stakeholders (senior management) of the resources required to mitigate or close risks. The frequency of this assessment relies on the criticality levels of the controls identified; typically controls with LOW impact are reviewed less frequently (annually) than HIGH impact controls (which can sometimes be reviewed daily, depending on the control).
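The two posts above describe the same mechanics from different angles: Lauren's combines risk criticality with the start-up's own capability to decide whether a risk is mitigated, transferred or accepted, and Michael's ties review frequency to criticality. The following is an added example (written for this page, not code from any poster or from any named framework) of a minimal risk register that does both. The likelihood/impact weights, the review intervals and the three sample entries are constructed assumptions; the cardholder-data entry mirrors Lauren's scenario of transferring the risk to a PCI DSS-certified processor.

```python
"""Minimal information risk register for a small start-up.

Added example with constructed data; the numeric scales and review
intervals are assumptions of this example, not values from any standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Qualitative scales mapped to weights (assumed 1-3 scale).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# Review cadence per criticality (assumed: low-impact items yearly,
# higher-criticality items more often).
REVIEW_INTERVAL_DAYS = {"high": 30, "medium": 90, "low": 365}


@dataclass
class Risk:
    name: str
    owner: str                 # business owner accountable for the risk
    process: str               # business process or asset the risk attaches to
    likelihood: str
    impact: str
    can_mitigate_in_house: bool             # does the start-up have the capability?
    transfer_option: Optional[str] = None   # vendor/insurance that could take the risk
    last_reviewed: Optional[date] = None


def score(risk: Risk) -> int:
    """Likelihood x impact, giving a 1-9 score."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def criticality(risk: Risk) -> str:
    """Bucket the score into high / medium / low (thresholds are assumed)."""
    s = score(risk)
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def recommend_treatment(risk: Risk) -> str:
    """Combine criticality with organisational capability to pick a treatment."""
    if criticality(risk) == "low":
        return "accept"
    if risk.can_mitigate_in_house:
        return "mitigate"
    if risk.transfer_option:
        return f"transfer: {risk.transfer_option}"
    # Significant risk the start-up can neither treat nor transfer:
    # it must go to management for an explicit decision.
    return "escalate"


def review_due(risk: Risk, today: date) -> bool:
    """True when the entry has never been reviewed or its interval has elapsed."""
    if risk.last_reviewed is None:
        return True
    interval = timedelta(days=REVIEW_INTERVAL_DAYS[criticality(risk)])
    return today - risk.last_reviewed >= interval


def build_register(risks, today: date):
    """Return register rows sorted by score, highest first."""
    rows = []
    for r in risks:
        rows.append({
            "risk": r.name, "owner": r.owner, "process": r.process,
            "score": score(r), "criticality": criticality(r),
            "treatment": recommend_treatment(r),
            "review_due": review_due(r, today),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample entries for the stock-trend start-up discussed in the thread.
TODAY = date(2024, 3, 15)
SAMPLE_RISKS = [
    Risk("Trend data modified; investors act on false figures", "CTO / security team",
         "trend computation and storage", "medium", "high", True,
         last_reviewed=date(2024, 1, 10)),
    Risk("Cardholder data leaked from in-house payment handling", "Finance lead",
         "subscription billing", "medium", "high", False,
         transfer_option="outsource to a PCI DSS-certified payment processor",
         last_reviewed=date(2024, 3, 1)),
    Risk("Marketing site defaced", "Marketing lead", "public website",
         "low", "medium", True, last_reviewed=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, TODAY):
        print(row)
```

Running the block prints the three rows with the trend-data risk marked "mitigate" (high criticality, in-house capability), the cardholder-data risk marked "transfer" (same criticality, no in-house capability but a transfer option), and the defacement risk "accept"; only the trend-data entry is flagged for review because 65 days have passed against the assumed 30-day interval for high-criticality items.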
Joshua Moses says
I would be sure to contain the following in my risk profile:
– Areas of shared risk
– Patterns and common issues among the organization's risks
– The overall risk being carried by the organization
– Details on the nature of individual risks
– A comparison of the organization's current risk exposure to its appetite for risk
– Warning of emerging or worsening risk exposures
Antonio Cozza says
Although creating an information risk profile for a small start-up company may look different in result than that of a larger organization, the process would likely be structurally similar. The risk profile would still be the result of the same inputs in order to construct the risk profile as the output, and so I would first enumerate IT resources if they exist on-site, assess their capabilities, understand the type of business the start-up company is, and begin to record and measure potential threat vectors that would have an impact on the business. A risk profile should be adhered to with extra caution for a start-up, as any threat that is able to exploit a vulnerability successfully would have a drastic impact on the business, since funds are not remotely comparable to those of an established, long-standing organization. A disaster in the early stages of a company can instantly prevent it from taking off, as key investors may instantly want to cut losses and leave the project. Larger risks would probably be not adhering to policies in place, and the profile should address scaling, assuming the business is successful: risks should be constantly re-evaluated as the start-up grows and attains more employees.
Richard Hertz says
I agree with your statement and approach that the initial steps are identical independent of the size of the organization. For example, the risk of maintaining customer data is the same whether you have 1 customer or 20 million. The size of the datastore brings other challenges, but the core need is the same for a small company and a large one. You could argue that the larger datastore has more risk because it is a 'juicier target' and therefore more prone to cyber risk. However, my point is that even a small company is subject to risk because it has customer data.
Ornella Rhyne says
Creating an information risk profile for a startup company is easy but difficult at the same time, because the company can quickly go bankrupt if it's not well managed. To start, we need to know what sector of activities the company is operating in; that way we can have an idea of the potential threats the company is facing. Knowing the environment, the resources the company has, the policies and procedures they have implemented, and their internal control system will help us understand the strengths and weaknesses of the security measures put in place. We also need to identify what type of assets or data they have. Based on the importance or the value of the asset, we will know how to allocate security measures.
After identifying the type of data the company possesses, we will then evaluate their internal controls, software, policies and procedures that will quickly detect any risks associated with their security system. The risk profile would contain processes that analyze their security system to find out whether the organization took security measures to implement Confidentiality, Integrity and Availability. Can an attacker easily access their personal private information? Do they put full encryption on their data? Is the system running effectively for the operation of the organization? Do they include proper training in their policies? All these questions will help us establish a plan to manage and monitor the potential threats that can cause an incident and find a solution to reduce those risks.
Lastly, the business will use the risk profile as a guideline to ensure that their information security system is effective and efficient.
Dhaval Patel says
Hi Ornella,
You make a good point about knowing which sector/industry the company is in. As others mentioned above, there are many risk profile templates available, but the kinds of risk will vary from organization to organization and it helps to understand the industry to gain a better understanding of what some of the acceptable risks might be and how to mitigate them.
Dhaval Patel says
The first thing I would do in creating a risk profile for a small start-up business would be to gather all of the data that I could and determine the value it holds. This data could be financial, intellectual, or even customer data. From there I would identify the necessary stakeholders. As stated in question 2, an information risk profile should contain data respective to all relevant stakeholders. Once the data has been identified with its appropriate stakeholder, the next step would be to identify the threats and vulnerabilities and the risk associated with them; in parallel, you want to make sure the mitigation controls are being implemented as well. As stated in an ISACA journal, and I believe this to be true regardless of the size of the business, the information risk profile should be transparent and accurate towards the data elements, threats, vulnerabilities, and mitigation strategies from an implementation standpoint as well as funding. Hiding information or covering up details only hurts the business and takes away the intended use of the risk profile, which is to help identify where the risk is and determine which risks are acceptable and vice versa.
Key elements of an information risk profile. ISACA. (n.d.). https://www.isaca.org/resources/isaca-journal/past-issues/2013/key-elements-of-an-information-risk-profile.
Michael Duffy says
Hello Dhaval,
I've worked with many groups at my organization, and one thing I've shockingly and consistently seen is the number of people who may not tell you about a flaw in a system. In fact, I've actively seen groups intentionally lie about a system because they think it will be deauthorized; I've always explained to them that nobody is looking to shut down the system. They are looking to see what current vulnerabilities exist on the system and how to reduce risk to exactly what we're talking about: acceptable risk. I would also suggest that when generating risk profiles, listing a lack of policy or training would actually be an administrative control to ensure that the business generating the risk profile is defining training and frequency, and it would be added into the profile as a risk.
Olayinka Lucas says
Hello Dhaval,
Well said. However, you speak of a normal world where data is readily available to harness. Unfortunately, as we see today, most start-ups do not have enough legacy data to show a track record of their goals and objectives.
I would think that consulting by either interviewing, examining or testing the processes on the ground would be more adequate in determining the risk practice of any startup. What we experience in the field is always not adequate to do the job, but as auditors we must improvise and deliver.
Vraj Patel says
To create an information risk profile for a small start-up business, we will need to know the type of business it is, the systems that the business would be using, and the time (availability) that those systems need to be accessible. The risk profile should contain the name of the system so it can be easily recognized, the impact level of that system to identify the risk the system carries, and the system owner's information so that person can be reached in a timely manner when necessary. The business could use the risk profile to identify the critical systems at an enterprise level. The business could also use the risk profile to properly implement safeguards for the identified critical systems.
zijian ou says
Work with a third-party cybersecurity company to create a set of information risk profiles that match the company's actual situation. The information risk profile contains cybersecurity best practices for employees to follow; it includes procedures for keeping employee, vendor, and customer information secure. Hackers can steal money, employee details, customer data, and vendor information to harm the company, its employees, its customers, and its vendor relationships.
Richard Hertz says
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Create a risk register for the organization and start capturing risks in the register.
Create a listing of the core activities of the organization and then generate a list of risks associated with each activity, e.g. billing a customer: customer PII, exposing my bank account number, etc.
Core activities involve Customer Relationship Management (CRM), hiring/staffing, billing/invoicing, procure-to-pay functions, etc. These are core activities at the center of almost every organization.
The business can then decide how to handle the risks at a business-function level of granularity, e.g. in-source/outsource a function, buy insurance to hedge against the risk, etc.
Jason Burwell says
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
I would first keep in mind what industry the small business is in, and just be aware of what solutions/problems could come with the industry itself. Then I would want to meet with upper management to get a full understanding of how the business operates. In this same sit-down I would want to understand where the concerns are in terms of risks, and what senior management considers the business's main objectives. Understanding the business operation will allow us to list/record the risks associated with each business function. After detailing the risks, we can assess them, and with the business objectives in mind, we can properly categorize the risks to make the profile: the types of threats that could occur, how often, the level of impact to the business, etc.
Alexander William Knoll says
In order to create an information risk profile for a small start-up, it would first heavily depend on the industry. For example, if the start-up was involved in something heavily technological, such as the development of a phone app, the risk profile would likely be much more complex compared to something such as a sporting goods store. I would begin by identifying what the business is and the types of vulnerabilities similar companies in said industry are faced with. I would then look at their current technological infrastructure to determine what changes might need to be made. Based on what I discover, I would meet with management in order to mitigate risk via employee training/awareness, proper technological safeguards, and things of that nature. Since this business is new and small, it is crucial that they constantly update and look over the developed risk profile to make sure threats are being mitigated, since one breach could do irreversible damage to the business.
Dan Xu says
For a small start-up business, more thought needs to be spent on researching its own business. Businesses are usually covered by various requests from risk management, and information is provided to verify the risk status in order to create an information risk profile. First, create a single assessment; second, update the dynamic process of risk status with awareness of risk events, update the database and upgrade the system in time; and then report uniformly to senior management.
The creation of an information risk profile provides a holistic view of risk and risk management, allowing the company's senior management to better understand the company's situation. At the same time, companies have the autonomy to manage risks within their own preferences and tolerances. Finally, the challenge of implementing a risk management plan is one of the measures that can be understood and controlled through the risk profile. People are uncertain, and this is also a challenge to implementing sustainable and dynamic risk management plans. Companies need to educate employees to strengthen their understanding of risk management organizations and businesses. This has a great influence on the success of the enterprise's risk management strategy and activities, because companies that make effective use of information risk profiles have a solid foundation. The enterprise uses it according to the situation, and the structure of the profile provides a framework to logically organize the data in a short time.
Bernard Antwi says
In addition to small businesses creating risk profile holistically, it is important to remember that it’s only possible to minimize, not eliminate risks to your network entirely. As long as your small business is storing data, you will always be at risk of a cyber-attack. This is why a risk assessment is important to help your team prioritize which cost-effective countermeasures to use if/when a breach were to occur.
Victoria Zak says
How would you go about creating an information risk profile for a small start up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Transparency is a key aspect to the success and adoption of an information risk profile. To understand the client, a walkthrough of the background of the business would be ideal. Time needs to be put into methods, practices, source materials, and intelligence. Risk factors should be identified that have a reasonably high probability of occurrence and would represent a material impact to business operations. The profile should include their goals, objectives, policies, identification and analysis of the opinions of business leaders and stakeholders on information risk and security, the current threat analysis outcome, and the expectations of external parties.
The information risk profile helps a business stay informed about business decision making. It helps make people accountable by assigning tasks to an individual to address agreed upon resources to risk or control/management deficiencies, and it can act as the single source of risk information making efficient conclusions on the risk profile and any changes in it.
Additionally, articulating the risk profile requires educating employees on risk and risk management as well as creating an approach that allows for each part of the business to manage risk to its own levels.
Corey Arana says
I would start the information risk profile by identifying the most common risks that a small business faces. After determining the risks for the profile, I would set up an outline of what each risk represents to the business: how a risk will affect costs, reputation and the disruption of business. Lastly, the risk profile would speak on strategy to figure out options on how to deal with each risk, and what potential solutions are out there to help the business avoid a threat. The business should use these steps from the profile to eliminate the risk or even accept the risk.
Bernard Antwi says
The InfoSec policy should contain cybersecurity best practices that employees are expected to follow, including (but not limited to) procedures for keeping employee, vendor, and customer information safe. Hackers can steal money, employee details, customer data, and vendor information, which can all be damaging to your relationships with employees, customers, and vendors alike. Developing your small business information security policy begins with identifying the risk factors that your business may come into contact with in the future. No business, no matter its size or industry, is devoid of risks. This makes the organizational understanding of any small business risk profile extremely important.