We were discussing which should be done first and someone said:
The first has to be risk assessment as it is foundation of information
security. You first need to know where is the risk before putting up
any controls to mitigate that risk. Putting up adhoc controls will not
make the controls effective nor will it protect the organizations
against the risk.
While I understand the intent, I think that is very prejudicial language.
Donn Parker makes a very good case that we have the cultural context – read that sophistication and awareness of the baseline risks – to see that there should be a set of baseline controls. IAM, firewall, AV, backups and so forth. We don’t need to leave the assets exposed to threats while we we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.
You don’t need to know the specific risks any more than you need to know the specific risks to have a lock on the front door of your house and close your windows.
I certainly wouldn’t call this approach “ad-hoc”. Continue reading IT AUDIT VS Risk Assessment – 2