This photo is licensed under the Creative Commons Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0) license by Aaron Williamson.

Risk Assessment Fundamentals

Training Materials for a Three Session Training on Information Security Focused Risk Management for advocacy communities

I have benefited greatly from access to open-source training curricula in the international information security for human rights defender community. In an attempt to give back I will be open-sourcing some of my own training materials. I hope these resources prove useful to the network of information security trainers, facilitators, and technologists supporting communities in complex and hostile environments worldwide.

I did not want to fall into the trap of never releasing this content because I wanted to wait until the “content was ready.” As such, these materials are being released as is.

Brief

I believe that security for your most sensitive information is strongest when you have the power to make decisions based on a concrete understanding of the risks involved. These sessions are a combination of practical trainings on risk management, discussions about how these topics relate to the realities you experience in your organizations, and some sample exercises you can complete to strengthen your risk assessment decision making. These sessions provide a framework for organizations within your community to assess and manage both their existing risks and the risks that may come with new endeavors.


Session 1: Talking about Risk

Duration: 2 Hours

Type: Activity, Lecture, and Discussion

An introduction to risk management's core concepts, to the outputs and outcomes of the sessions, and to how risk assessment can fit into an advocacy community's overarching work. This intro is primarily aimed at:

  • Building a shared language that will allow participants to communicate back their learnings and findings from the sessions to the larger community; and
  • Gaining familiarity with the core concepts involved in assessing and responding to risk.

Materials To Prepare

  • A space suitable for the activity given the number of participants — clear any chairs and tables as needed
  • Projector and/or large monitor to display presentation slides
  • Self-Stick Easel Pad (at least 5 sheets per group of 5–7 participants), e.g. Post-it Sticky Notes
  • Sticky Notes (at least three pads total, each of a different color, per group of 5–7 participants), e.g. Post-it Sticky Notes
  • Fine-Point Permanent Markers (one per participant), e.g. Sharpie Point Permanent Markers

Outline

  1. Where information security fits among other measures
  2. Intro to Risk Management
     • Risk as a concept
     • Risk management as a process
  3. Intro to the upcoming process
     • Risk and success from a network perspective
     • Mapping values to standards of reasonable care and practices

Presentation

Click “⚙ > Open Speaker Notes” in the slideshow control bar to see my speaker notes for this presentation.


Session 2: Evaluating and Controlling Risk

Duration: 2 Hours

Type: Lecture and Discussion

This session will use the collection of existing mitigations brought by the participants to map out the security that is already in place, identify where more attention needs to be paid, and foster a conversation around effective measures for tracking and sharing information about risks and appropriate mitigations across the community.

Materials To Prepare

  • Projector and/or large monitor to display presentation slides
  • A portable microphone for community member stories and for community members during discussions

Outline

  1. Recap of Key Concepts
  2. Evaluating Risks
     • Likelihood
     • Impact
  3. Controlling Risks
     • Introduction to mitigations
  4. Contingency Planning
     • Contingency planning against your controls
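The session outline above names likelihood, impact and mitigations but does not show how they combine into a register a group can actually work from. The following is an added example, not part of the training materials or their slides: a small Python risk register that scores each risk as likelihood × impact on a five-point scale, subtracts the effect of the controls already in place to get a residual score, and sorts the register so the risks that still need attention come first. The five-point scale, the "each control removes a number of steps" model, the rating thresholds and the sample register are all assumptions of this example, chosen for illustration; a community should replace them with the scale and language it agreed on in Session 1.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Five-point ordinal scale for both likelihood and impact (an assumption of
# this example; use whatever scale your community agreed on in Session 1).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    """A mitigation already in place. In this simplified (assumed) model each
    control lowers likelihood and/or impact by a number of steps on the scale."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    description: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)


def clamp(level: int) -> int:
    """Keep a level inside the 1..5 scale; controls can never push it below 1."""
    return max(1, min(5, level))


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact before any controls are counted."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def residual_score(risk: Risk) -> int:
    """Likelihood x impact after every listed control has been applied."""
    likelihood = LEVELS[risk.likelihood] - sum(c.likelihood_reduction for c in risk.controls)
    impact = LEVELS[risk.impact] - sum(c.impact_reduction for c in risk.controls)
    return clamp(likelihood) * clamp(impact)


def rating(score: int) -> str:
    """Band a 1..25 score into a word; thresholds are an assumption of this example."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Return (description, inherent, residual, residual rating) rows, highest
    residual score first, so the group sees which risks remain under-mitigated."""
    rows = [(r.description, inherent_score(r), residual_score(r), rating(residual_score(r)))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register for an advocacy organisation (illustrative only).
SAMPLE_REGISTER = [
    Risk("Laptop holding the member list seized at a border crossing",
         likelihood="high", impact="very high",
         controls=[Control("Full-disk encryption", impact_reduction=2),
                   Control("Travel with a clean device", likelihood_reduction=2)]),
    Risk("Phishing of the shared campaign email account",
         likelihood="very high", impact="high",
         controls=[Control("Hardware security keys for all users", likelihood_reduction=3)]),
    Risk("Office flood destroys paper records",
         likelihood="low", impact="medium",
         controls=[]),
]

if __name__ == "__main__":
    for description, inherent, residual, band in prioritise(SAMPLE_REGISTER):
        print(f"{band:8} inherent={inherent:2} residual={residual:2}  {description}")
```

Running the block prints the register ordered by residual score: the two "critical" inherent risks drop to "high" and "medium" once their existing controls are counted, while the uncontrolled flood risk stays where it started. Keeping both the inherent and residual columns is what makes the Session 2 discussion work: the inherent score shows why a control was worth the effort, the residual score shows where the next control should go.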

Presentation

Click “⚙ > Open Speaker Notes” in the slideshow control bar to see my speaker notes for this presentation.


Session 3: Living with Risk Management

Duration: 2 Hours

Type: Lecture and Discussion

This session will cover methods for evaluating information security controls, how to combine information security controls to build an appropriate and sustainable risk mitigation program, and discuss strategies for building and managing a risk mitigation program with limited resources.

Materials To Prepare

  • Projector and/or large monitor to display presentation slides
  • A portable microphone for community members during discussions

Outline

  1. Recap of Key Concepts
  2. Evaluating & Implementing Controls
     • The Evaluation & Implementation Cycle
     • An Example Control
     • Documenting Controls
  3. Crisis Management
     • Types of Crisis Management Plans
     • Components of Crisis Management Plans
  4. Information Sharing
     • Incident Reporting
     • What to do when you get incident info from others?
     • How do we start information sharing?

Presentation

Click “⚙ > Open Speaker Notes” in the slideshow control bar to see my speaker notes for this presentation.


Related Resources: Risk Management

Risk Management Guidelines: Australian/New Zealand Standard

  • bch.cbd.int/database/attachment/?id=12285

Organizational risk management standard for Australia and New Zealand. I like these guidelines because they are descriptive, clearly written, and include example tables for each part of the process. NOTE: I would not recommend reading the actual AS/NZS 4350:2004 standard that these guidelines were written to describe.

Developing a Risk Management Plan: USAID

USAID’s guidance for new partners on how to develop a risk management plan. It is the shortest guidance on risk management that I know of that is still useful. It is only 11 pages long, including an example risk management template.

Security Risk Management — NGO Approach: InterAction Security

This document outlines guidance on InterAction’s security-focused risk assessment & management processes. InterAction provides a very structured approach to categorizing and evaluating risk.

Risk Assessment In Practice: COSO

I like this financially focused risk assessment document because it does a better job than many other risk management documents at looking at the process of making decisions that weigh both the risks and the opportunities that come from taking those risks.

A practical guide to risk assessment: How principles-based risk assessment enables organizations to take the right risks: PWC

This guide also does a good job of showing how risks from different aspects of a group's work (e.g. financial, political, technological, environmental) can be assessed and compared.

Security To Go: EISF

This set of short security risk management modules is focused on international humanitarian aid agencies. But they do a great job of simplifying the various components of risk management into easily implementable activities. I would recommend taking a look and reading the ones that seem relevant.

Risk Register Blank Template: EISF

A risk register Excel template that includes guidance on how to use it. It is a highly structured template that is focused on international security. But it can be useful even if you don’t fill in all the different components.


Related Resources: Incident & Crisis Management

Security Incident Information Management Handbook: EISF

This handbook came out last month and is easily the best handbook on how to collect, track, manage, and share information about threats, risks, security controls, and incidents among Civil Society and NGO actors. It is long but full of valuable content.

Template: Computer Security Incident Response Plan: Alan Watkins

These small- and medium-business-focused incident response plan templates are a great starting point for developing your own incident response plans. They are more exhaustive than I would recommend at first. But I HIGHLY recommend at least looking through the Appendices. These include a variety of easy-to-customize templates to support your own incident management efforts.
