‘Should a control be discontinued because a reassessment showed a lower acceptable risk score?’
I find it interesting to pick apart the question to explore the reasons why I don't understand it, and the implications. See what you think ...
control may legitimately be ‘discontinued’ (removed, unimplemented,
retired, replaced, modified etc.) provided that change has been duly thought-through,
assessed, justified, and deemed appropriate for whatever reasons. It may be important, though, to be
reasonably certain that discontinuation is, in fact, in the best interests
of the organization, and that’s often hard to determine as controls can be
quite complex in themselves, and are part of a highly complex ‘control
environment’. A seemingly trivial,
unimportant, even redundant control (such as an alert) might turn
out to be critical under specific circumstances (where other alerts fail,
or were accidentally disabled, or were actively and deliberately bypassed by
an attacker or fraudster). So, it may
be preferable to ‘suspend’ the control for a while, pending a review to determine
what the effects truly are … since it is probably easier and quicker to reinstate
a ‘suspended’ control if needs be, than it would have been if the control
was completely removed and trashed. A dubious firewall rule, for example, might be set to 'warn and log only', rather than simply being dropped from the ruleset, the reverse of how new firewall rules can be introduced. On the other hand, a control that is patently failing, clearly not
justifying its existence, is a strong candidate to be removed … and
potentially replaced by something better (which opens a whole new topic).
- A ‘reassessment’
might be a reassessment of the risks, the control, the control
effectiveness, the business situation, the compliance
obligations/expectations, the alternatives and supporting/compensating
controls, or something else: ‘reassessment’
is a very vague term. It might mean
anything on the range from ‘someone changed their mind’ to ‘a full independent
investigation was launched, producing a lengthy report that formally discussed
all the options including a recommendation to remove the control, which
the management body duly considered and authorized, with various caveats
or controls around the way it was to be done …’!
acceptable risk’ might mean ‘We reduced our risk acceptance level’ but
that’s ambiguous – it could mean that you are accepting a lower level of
risk than before (management is more risk-averse) or the polar opposite i.e.
the level of risk that can be accepted has been reduced (management is
more risk-tolerant)! More likely,
the member who posed the question simply missed a comma, intending to say ‘a lower, acceptable risk
score’ suggesting that he have decided the risk does not warrant retaining
the control, hence ‘discontinuation’ is an option to be
considered, as already discussed.
score’ hints at yet another potential minefield - one I've discussed repeatedly here on NBlog. How are risks being ‘scored’, exactly? How certain are you that a reduction in
the score genuinely reflects a reduction in the risk? If you are totally happy with your risk evaluation
and scoring process, why has this question even arisen? If you have some doubts or concerns
about the process, discontinuation of a control may not be a sensible
approach without additional assurance and assessment, and perhaps the ability to reinstate the control efficiently if it turns out to be needed after all.
- More generally, removal of, or deliberate decisions not to implement, controls can be a challenging, problematic concept for risk-averse information security professionals. We are naturally biased towards risk reduction through controls. It’s an inherent part of our mind-set, a default approach. The rest of the world does not necessarily think the same way! To ‘a level-headed business person’, controls may be perceived as costly constraints on business … which means they need to be justified, appropriate and necessary, and worth having i.e. they have a positive net value to the business (benefits less costs, ideally taking full account of ALL the benefits and ALL the costs). Ineffective controls, then, have a negative net value (no benefits, only costs) and are clearly candidates for removal … but removing controls is itself an activity that has risks, costs and benefits too.