How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
For a small start-up business, I would walk through with each business process owner/data owner what data and assets they use and for what they use the data (for a small start-up, there might only be one or very few data owners). Then, after determining what assets/data exist, I would discuss the value of each asset/data set and rank it from low to high, with high being the most valuable to the company (whether the data is used in operations or the impact if the data is lost). Next, after determining the value, I would discuss the likelihood of each circumstance (i.e. environmental, people, etc.) and plot it on a risk map.
The business should use the risk profile to determine where resources should be spent. For example, if a risk has a high impact and high likelihood, the business should spend resources on mitigating that risk. The opposite is true too: if the risk is low impact and low likelihood, the company should spend its resources on higher risks.
Hi Jill,
I would expand beyond utilizing the risk profile as a method of determining how resources should be spent to mitigate risks. For a small start-up business, it’s essential that the risk profile should be a baseline for the future of the business and assist with planning for future technologies and procedures that may be a part of the business.
Hello Jill,
I concur with you there when you mentioned that the business should use the risk profile to determine where resources should be spent. The whole process of implementing a risk profile shows that the organization is serious about its business. So, having it at hand will serve a huge purpose while supplementing it with other frameworks like NIST, COBIT, etc. It will limit situations like company closure, bankruptcy and even data breach.
When creating a new risk management profile, regardless of size, there are key aspects that need to be incorporated. The first of which is key data elements. As a business we need to understand what we value most from the data we have/utilize and how we are responsible for this data, whether that is IP, transactional data (credit cards), private customer data (PII), or financial data (bank accounts/401ks/etc.). Defining these key data elements ensures there is a clear understanding of what these elements are and their value to the business.
Next is to identify data owners and stakeholders. Data needs to clearly belong to what we call “data owners” as well as a stakeholder. This ensures that there is a clear-cut source for establishing and maintaining information risk management decisions, and those decisions must be run by the “data owners” and stakeholder.
Lastly, data classification based on risk levels and categories. This allows the business to assess the value of each key data element and prioritize risk mitigation on those classified as high risk with high likelihood, and assume risk acceptance on other data points that aren’t financially worth imposing risk mitigating techniques on and/or whose likelihood is low.
Hi Nicholas,
I like your inclusion of specific pieces of data that should be included when quantifying risks as part of a risk profile. PII and other personal pieces of information that can lead to exposed client data should be included as a part of the risk profile to not only set aside current safeguards but to also be a baseline for future cases where PII is involved.
Whether a business is small or large, an information risk profile is key. Firstly, I would evaluate the business’ objectives, goals, and even the location where it is situated. This gives an idea of asset value, counterparts or stakeholders involved and their interests. And most importantly, I would seek to understand what kind of data or information they have in order to understand the legal and regulatory aspects associated, and operations. Once a clear understanding is established, I will then go to the next phase, which is to determine the risk level from low to high and prioritize major assets that are key to the business operations. While implementing this process, I will also keep the IT Risk framework as a guide and reference certain steps to ensure that all business aspects are covered and make well-informed decisions.
I completely agree with your comment on regardless of the size of the business, a risk profile is key. I also agree with the steps you laid out in creating the risk profile. The one other thing I would determine when creating the risk profile is the company’s risk appetite and risk tolerance.
Hi Shepherd, I totally support that, whether a business is small or large, an information risk profile is key, because this will enable them to critically evaluate their information assets.
For a small start-up business, I would use the available resources on CREATe.org to get a risk assessment and evaluate the specific assets that my company handles. From there I would further assess the sensitivity of the documents on a scale of 1-10 for more precision compared to the green-yellow-red scale, along with detailed logs documenting the administrative access that certain workers have and the history of each record, so as to create a proof of work or editing. From there the business would then use that risk profile to reevaluate the control we have of the individual documents and put better security measures in place, along with setting up the process to deal with mitigation should any document become leaked.
Hi Matt,
I fully support that utilizing an established resource or framework is key to ensuring businesses don’t create their own niche risk frameworks. However, I’m not familiar with CREATe.org; I tried to look up the site but it didn’t return any results. Could you please clarify?
I agree, utilizing established tools and frameworks will make the first-time assessment run much smoother. It also allows the business to have a standard baseline to use when discussing their risk with others such as insurance, suppliers, and customers.
I don’t necessarily agree with your suggestion to use a 1-10 scale for classification. I have found that a three level scale, when put in a matrix with other data is generally good enough to decide what are the highest priority risks and what can be safely ignored. Generally, there is enough margin of error and estimation, that the additional granularity is not of great use.
To create an information risk profile for a small business, I would start with one of the many risk assessment frameworks available. NIST, SANS, ISACA, and others have available frameworks to take the daunting task and turn it into a manageable, step-by-step process. While the details will be different depending on your framework and the business, they will all require identifying key assets and asset owners, evaluating those assets for threats and vulnerabilities, and ranking the asset values against the threat severity in a matrix. The resulting matrix will identify the items that have high value and high risk. Those will be the items the business will need to address first. These high risk, high value items will be the ones that the business will need to focus manpower and budget on to protect.
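As an added worked example (not code from any post in this thread), the following Python risk register implements the likelihood-by-impact matrix the posts above describe: each asset has a data owner, is scored on a three-level scale, ranked, sorted into mitigate/monitor/accept against a stated risk appetite, and can be re-scored once a control is applied so the ranking is refreshed rather than treated as one-and-done. The assets, owners, threats and levels are constructed sample values for a hypothetical start-up, and the treatment rule (one level above appetite means mitigate) is an assumption for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Three-level scale; a 3x3 matrix is usually granular enough given estimation error.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str        # key data element or system
    owner: str        # data owner accountable for the decision
    threat: str       # circumstance that could harm the asset
    likelihood: str   # low / medium / high
    impact: str       # low / medium / high (what is lost if it happens)

    def score(self) -> int:
        """Cell of the likelihood x impact matrix, in the range 1..9."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rating(score: int) -> str:
    """Collapse a 1..9 matrix cell back to the three-level scale."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def treatment(risk: Risk, appetite: str) -> str:
    """Assumed rule: above the stated appetite -> mitigate, at it -> monitor, below -> accept."""
    gap = LEVELS[rating(risk.score())] - LEVELS[appetite]
    if gap > 0:
        return "mitigate"
    if gap == 0:
        return "monitor"
    return "accept"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so an unlikely disaster outranks a likely nuisance."""
    return sorted(register, key=lambda r: (r.score(), LEVELS[r.impact]), reverse=True)


def apply_mitigation(risk: Risk, likelihood: Optional[str] = None,
                     impact: Optional[str] = None) -> Risk:
    """Return a re-scored copy after a control lowers likelihood and/or impact."""
    return replace(risk, likelihood=likelihood or risk.likelihood,
                   impact=impact or risk.impact)


# Constructed sample register for a hypothetical start-up (not real data).
REGISTER = [
    Risk("customer PII database", "ops lead", "credential compromise", "high", "high"),
    Risk("source code repository", "CTO", "laptop theft", "medium", "high"),
    Risk("public marketing site", "marketing", "defacement", "medium", "low"),
    Risk("server closet", "ops lead", "flooding", "low", "high"),
]


def risk_report(register: List[Risk], appetite: str = "medium"):
    """Ranked rows of (asset, score, rating, treatment) for a given risk appetite."""
    return [(r.asset, r.score(), rating(r.score()), treatment(r, appetite))
            for r in rank(register)]


if __name__ == "__main__":
    print("initial assessment:")
    for row in risk_report(REGISTER):
        print("  ", row)
    # Once MFA (for example) drops the PII likelihood to low, the top risk changes.
    mitigated = [apply_mitigation(r, likelihood="low") if r.asset == "customer PII database" else r
                 for r in REGISTER]
    print("after mitigating the top risk:")
    for row in risk_report(mitigated):
        print("  ", row)
```

Running it shows the PII database (high/high, score 9) and the source repository (medium/high, score 6) flagged for mitigation, the flood scenario kept under monitoring, and website defacement accepted; after the PII likelihood is lowered the repository moves to the top, which is the re-ranking a periodic review is meant to catch.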
Hey David,
I like the idea of utilizing a threat matrix to associate risks with a defined value and risk level. To expand beyond that point, I would include associated information with an asset to provide better reasoning for associated risks and values of an asset.
Adding the additional complexity of associating specific information with assets can have benefits, but you have to balance that with the additional effort and enlarged scope for a first-time assessment for a small business. You have to be careful with scope creep and how to best use the limited resources you would have in this instance.
For an information risk profile for a small start-up business, the first step would be to understand the business’s services, operations, and processes. Understanding what the business does, where it operates, the type of data it handles, and the current systems in place accompanying all of these is important to understanding the associated regulations and compliance requirements based on where the business operates. Beyond the initial steps, also understanding the current technologies in place as well as the policies surrounding these technologies is essential for more in-depth categorization of threats and vulnerabilities. Also, understanding current threat actors and existing threats to businesses in the industry the start-up is operating in is important, as it includes potential threats that may not be considered because they are outside the business.
Specifically, the risk profile would contain a list of threats with associated owners and stakeholders as well as ranks of importance related to how likely a threat is and the impact it would have should it result in an incident. The profile would provide a baseline for the business to build from and work with as newer technologies and processes are utilized as the business grows.
You made a good point to call out that the results of this assessment are a baseline to be used for future planning. Risk assessments are not a one-and-done kind of thing. Risks change over time with changes in business and technology. Applying mitigations and protections changes the ranking of risks; what was the biggest risk this time will probably not be the biggest risk next time once appropriate protections are put in place.
I would first gather all information about the small start-up and conduct an analysis which would include what type of industry it is in, what its strengths and weaknesses are, and how the business operates. Then I would start organizing the different types of risk on a scale from low to high. I would also sort some of these risks by frequency to make sure that we know and have a way to solve these risks in the quickest way possible. The business should use the risk profile by identifying the risk and assessing what areas of the business have been affected. After the analysis, an IT expert should come and assess the situation as well, making the findings concrete. From there IT should recommend the best way to tackle it, depending on the situation, from the baseline we set in the beginning.
For a small startup, a risk assessment has to be carried out and the risks will be rated according to their severity. After which, an information risk profile can be created based on the risk tolerance of the startup. Risk profiling is very important for a small startup so that they do not invest in high-risk stakes that can pose a threat to its business continuity. The risk profile will be categorized under aggressive, moderate or conservative based on the startup’s risk tolerance in line with business needs. One key element of the risk profile is the material business impact consideration, which is synonymous with the pain chart used in a health care setting; it contains three key elements: financial, productivity and availability. Therefore, startups should use the information risk register to make important business decisions and to be able to do cost-benefit analysis in line with business needs.
https://www.isaca.org/resources/isaca-journal/past-issues/2013/key-elements-of-an-information-risk-profile
https://www.cybersaint.io/blog/establishing-your-startups-risk-profile
In creating a risk profile for a small startup, we must first look at what sort of value the data holds. Important questions to ask are: how important is this data to the operation of the company, and how valuable is the data to your customers? Is it their private information, or something that only matters in the context of your system? This will help assign value to the data itself, and from there we can begin to create the risk profile. It also establishes who owns which data, and who owns the risk associated with that data as well. It may be acceptable for a company to accept its own risk, but to put its customers’ data at risk may result in more than just monetary losses. From there we can begin to classify the risk at different levels based on different risk factors and how likely they are to occur. With all this information in the risk profile, a small business can begin looking at its options to address the risks it faces and also make a plan of which risks to mitigate and which to accept.
Hey Max,
I completely agree and wish I had even mentioned the risk of loss of customer information or details in my own post to this question. The customers of a business are one of its top priorities, and any form of their data being leaked could be far more irreparable to its business model than some of the business’s own data.
An information risk profile is created by identifying the potential risks the business could expect. It is essential first to outline the company’s objectives to understand what possible threats could be there to prevent them from being achieved. An information risk profile contains data from intellectual property, financial data, data from customers, data relating to assets, and any sensitive information regarding the business. The risk profile also contains the tolerance level, risk requirements, and capacity. These components of an information risk profile enable a company to quantify its risks according to their value. The industry can use a risk profile to save resources because they can be ready to sort out troubles as they occur. It also helps prevent losses brought by risks and makes the basic architectural designs cautious against risks.