Ahhhh. The fifth and final part of this series on the Social Media Risk Assessment Process ("SMRAP"). I hope you've enjoyed the series up to this point. I know I've enjoyed bringing it to you.
This last segment is all about completing the SMRAP. I've created a fairly basic yet effective social media risk assessment model. As you will note from the graphic below, my model uses the concept of "Threat/Vulnerability" pairs to isolate weaknesses that can result in disaster. In a nutshell, here's the deal: there are threats and there are vulnerabilities.
Threats are actions or events that can cause harm to the organization. For example, when it comes to social media risks, an example of a threat is the disclosure of confidential customer information over social media.
Vulnerabilities are simply weaknesses in the system. They are the chinks in the armor. Vulnerabilities are what enable the threats to take form. For example, a vulnerability related to the threat above could be a lack of understanding of social media-related information security risks by employees.
Therefore, using the same threat example above, one way for the threat to manifest is through a lack of adequate employee training. In other words, an employee does not know that it is a bad idea to post confidential customer information on social media sites and, as such, the employee posts information or takes part in conversations that reveal confidential customer information.
This is what I refer to as the Threat/Vulnerability pair. A threat creates havoc and a vulnerability permits the threat to wreak havoc. It must be noted that threats in and of themselves are fairly harmless. Without a vulnerability, threats have no life.
STEP 1: Determine the threats that apply to the organization's social media environment. I have created a social media risk assessment template that contains the majority of "high level" organizational threats. You can download the social media risk assessment document here.
STEP 2: Determine the vulnerabilities (weaknesses) that can create an environment in which the threats can manifest. In some cases a threat will have only one vulnerability associated with it. However, in the majority of cases there will be multiple vulnerabilities associated with each threat. If you inspect the template social media risk assessment you will see multiple vulnerabilities per threat (see graphic above).
STEP 3: Once the threats and vulnerabilities have been identified it is time to determine the internal controls that are in place. Internal controls are the practices and processes that will keep the vulnerability from turning the threat into a reality. The template provided contains common controls. It is not likely that every organization will have every control listed. The greater the number and breadth of controls in place, the less likely the threat will take place. Each control should be listed on the risk assessment as shown in the template document.
STEP 4: Based upon the internal controls in place and the nature of the threat and vulnerability, the organization must determine the likelihood that the threat will take place. A sample Likelihood Matrix such as the one shown below is contained in the template.
STEP 5: Next, the organization must determine the severity of the effect of the threat if it were to manifest based upon the existing controls. Similar to the Likelihood Matrix, the template contains a Severity Matrix such as the one below.
STEP 6: Finally, the organization uses both the Likelihood of Occurrence and the Impact of Severity to determine the Risk Level. The template also contains a matrix to assist in the determination of risk.
STEP 7: After completing the social media risk assessment it should be reviewed. Considerations in the review include a risk level that is too high relative to the organization's risk appetite. For example, it may be the policy that all "moderate" and "high" risk areas be reviewed with senior management to discuss further internal controls that can be implemented to reduce the risks. It is generally a good idea to summarize the risk assessment process and deliver a report to the organization's Audit Committee and possibly the Board of Directors. Along with the report may be recommendations or action items that will be taken to increase the number of internal controls to reduce the overall risk. Once such action items are completed the organization can again perform the risk assessment to determine if the internal controls have been effective in reducing the risk level.
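To make the seven steps concrete, here is a small added Python model of the Threat/Vulnerability-pair method. It is illustrative code written for this post, not the template or any code of the author's. The three-point scales, the rule that each control in place lowers likelihood one step, the risk matrix, the "moderate and high get escalated" policy and the sample pairs are all constructed assumptions; the post's own Likelihood, Severity and Risk matrices live in the downloadable template and are not reproduced here.

```python
"""Added example: a model of the SMRAP Threat/Vulnerability-pair method.

Illustrative code written for this post, not the author's template. The
scales, matrices, likelihood rule and sample pairs are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace

# Assumed three-point scales. The template's real matrices may differ.
LIKELIHOOD = ("Low", "Moderate", "High")
SEVERITY = ("Low", "Moderate", "High")

# Assumed risk matrix: RISK_MATRIX[likelihood][severity] -> risk level (STEP 6).
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

# Assumed policy: these risk levels are reviewed with senior management (STEP 7).
ESCALATE = {"Moderate", "High"}


@dataclass
class Pair:
    """One Threat/Vulnerability pair (STEPS 1-2) with its controls (STEP 3)."""
    threat: str
    vulnerability: str
    controls: list[str] = field(default_factory=list)
    inherent_likelihood: str = "High"   # likelihood with no controls in place
    severity: str = "High"              # STEP 5 rating, assessor's judgement


def likelihood(pair: Pair) -> str:
    """STEP 4. Assumed rule: each control in place lowers the likelihood one
    step, to a floor of Low. The post leaves this judgement to the assessor."""
    idx = LIKELIHOOD.index(pair.inherent_likelihood)
    return LIKELIHOOD[max(0, idx - len(pair.controls))]


def risk_level(pair: Pair) -> str:
    """STEP 6: combine likelihood of occurrence and severity of impact."""
    if pair.severity not in SEVERITY:
        raise ValueError(f"unknown severity {pair.severity!r}")
    return RISK_MATRIX[likelihood(pair)][pair.severity]


def assess(pairs: list[Pair]) -> list[dict]:
    """Run STEPS 4-6 for every pair and return rows for the assessment report."""
    rows = []
    for p in pairs:
        lvl = risk_level(p)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability,
                     "controls": len(p.controls), "likelihood": likelihood(p),
                     "severity": p.severity, "risk": lvl,
                     "escalate": lvl in ESCALATE})
    return rows


def review(rows: list[dict]) -> list[dict]:
    """STEP 7: the pairs whose risk level exceeds the assumed risk appetite."""
    return [r for r in rows if r["escalate"]]


def reassess(pairs: list[Pair], added_controls: list[list[str]]) -> list[dict]:
    """STEP 7 loop: re-run the assessment once action items have added
    controls. Returns new report rows without mutating the original pairs."""
    updated = [replace(p, controls=p.controls + list(extra))
               for p, extra in zip(pairs, added_controls)]
    return assess(updated)


# Constructed sample: the post's worked threat with two vulnerabilities.
SAMPLE = [
    Pair(threat="Disclosure of confidential customer information over social media",
         vulnerability="Employees do not understand social media information security risks",
         controls=["Social media policy"]),
    Pair(threat="Disclosure of confidential customer information over social media",
         vulnerability="No monitoring of corporate social media accounts",
         controls=[]),
]

if __name__ == "__main__":
    report = assess(SAMPLE)
    for row in report:
        print(f"{row['risk']:<8} {row['vulnerability']} (controls={row['controls']})")
    print("to review:", len(review(report)))
```

Running the sample rates both pairs High; adding an awareness-training control to the first pair and monitoring plus an incident-response procedure to the second brings both down to Moderate on the reassessment, which under the assumed policy still sends them to senior management for a further look.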
It must be noted that there are many ways to conduct a risk assessment. This method is just one. There is no right or wrong methodology as long as the end result provides an assessment of the residual risk and considers all of the practical threats.
I encourage you to take this template and turn it into your own. I also ask that you return to this post with your recommended revisions/enhancements to the template so that others may also benefit.