I just got back from a great trip to the Middle East. I spoke at a State Department (ISAC) conference in Doha, Qatar, and then did a full risk assessment of a large hospital in Abu Dhabi. Besides that, I loved the food, loved the people, and came home with lots of beautiful earrings and bangles and perfume.
The great insight I got on this trip was that security problems are exactly the same everywhere… they are not based on sex, race, nationality, gender, religion, hair color, height, politics, or anything else. Maybe this is why the TV show “The Office” is a worldwide hit. Organizations work the same way all over the world. As a person who got her degree in cultural anthropology of all things, I am amazed less at the differences than at the similarities between organizations.
This is the 17th country I have visited to do a security risk assessment, and they all come down to the same basic steps:
1. Identify what you want to assess. Many times you need to cut down the proposed assessment; it doesn’t need to include things that are 10 miles away.
2. Write up a Project Plan to show other people what you’re going to do – and give management a timeline to work with. (It keeps me focused – a value add.)
3. Find the dollar VALUE for whatever you are assessing. For example: how much is the facility worth? What’s the value of one patient record – two dollars or two thousand dollars?
4. Come up with a realistic threat profile that includes the local crime rate, some historical data for crime, cyber crime, natural disasters, fire, etc.
5. Ask other people in the organization how they handle security. I like using our automated surveys because they capture more immediate data from individuals. You can use a translator if you don’t speak the language, and I guarantee you’ll be amazed at the results. The more people you interview – the more amazing the results will be.
6. Examine all the existing controls and see how they are being used in other areas of the organization: are they 100% implemented? 80%? 50%? Even less?
7. Analyze the results with good math. This is commonly done by software, but you can also use a regression analysis model with a database program like Access – don’t guess. Let the numbers do the talking.
8. Write up a simple report, illustrated with lots of color graphs and photos, so someone can just page through the report and understand what the assessment revealed.
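One way to carry steps 3, 4, 6 and 7 through to the “what to do NEXT” list, as an added example rather than the author’s assessment software: it assumes the common annual-loss-expectancy model (dollar value times expected events per year, discounted by how much of each control is actually in place), and every hospital figure in it is constructed.

```python
"""Rank residual risk and turn it into the NEXT list (added example, not the
author's assessment software). It uses the common annual-loss-expectancy
model: dollar value (step 3) x expected events per year (step 4), reduced
by how much of each control is really in place (step 6). Figures are constructed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Finding:
    asset: str
    asset_value: float      # step 3: dollar value of what is exposed
    threat: str
    events_per_year: float  # step 4: from the local threat profile
    control: str
    implemented: float      # step 6: fraction of the organization using it (0..1)
    effectiveness: float    # fraction of the loss the control stops when fully in place

def residual_ale(f: Finding) -> float:
    """Annual loss expectancy left after the control, at its real coverage."""
    inherent = f.asset_value * f.events_per_year
    return inherent * (1.0 - f.effectiveness * f.implemented)

def loss_avoided_by_completing(f: Finding) -> float:
    """Dollars per year recovered by bringing the control to 100% implementation."""
    return residual_ale(f) - residual_ale(replace(f, implemented=1.0))

def next_list(findings):
    """Step 8's actionable output: controls to finish, biggest payoff first, each
    entry traceable to the finding that justifies it (what a regulator asks for)."""
    ranked = sorted(((loss_avoided_by_completing(f), f) for f in findings),
                    key=lambda t: t[0], reverse=True)
    return [(f.control, f.asset, f.threat, round(saving))
            for saving, f in ranked if saving > 0.0]

# Constructed hospital findings in the spirit of the steps above.
FINDINGS = [
    Finding("patient record database", 2_000_000, "ransomware", 0.2,
            "offline backups", 0.5, 0.9),
    Finding("Emergency Department", 500_000, "assault and theft", 2.0,
            "camera system", 0.8, 0.5),
    Finding("payroll and procurement", 300_000, "insider fraud", 0.1,
            "pre-employment background checks", 0.0, 0.6),
    Finding("main facility", 5_000_000, "fire", 0.02,
            "sprinkler system", 1.0, 0.8),
]

if __name__ == "__main__":
    for control, asset, threat, saving in next_list(FINDINGS):
        print(f"{control:35s} ${saving:>9,}/yr   ({asset}: {threat})")
```

The fully implemented sprinkler system drops off the list because finishing it saves nothing more, which is exactly the trace a regulator wants: each recommended control points back to the finding and the dollars that justify it.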
The best risk assessment report in the world is a waste unless it comes up with actionable results — the list of what the organization needs to do NEXT. Some people call them After Action Reports; others call them Corrective Action Reports or a Task List. The name doesn’t matter, but the results matter.
The report should cover the basics of what you did, what areas you reviewed, who you talked to (or got answers from with a survey), and what you recommend should be done, based exactly on the risk assessment. In banking and financial companies, the regulators already get the last risk assessment and ask the organization to show “where in the risk assessment did it say you should add a stronger firewall? add a better camera system to the Emergency Department? do background checks when you hire new people?”
These are just examples; any improved control could be used – but you will need to show the regulator exactly WHERE in the risk assessment it said you should do this or that. In the follow-up blog post, I’ll talk about how to present your findings to your management.