Sound risk management practices are an important pillar of a thriving certification program
As a former information security professional turned exam sponsor, I view risk assessment and management as being innately embedded in the management of our credentialing program. It is increasingly evident, however, that my path to the certification realm differs significantly from the path taken by most professionals who also end up there.
As technology continues to rapidly transform our industry, everyone needs to understand the basics of risk assessment and management in order to make informed decisions affecting the validity, integrity, and credibility of our assessment and credentialing programs.
In the credentialing world, the concept of “legal defensibility” is a consistent theme. We spend significant time, money, and effort ensuring our programs are legally defensible, and applying rigorous psychometric standards and processes. Yet this term rarely extends beyond supporting the basic validity of the assessment score interpretations. Exam security rarely extends beyond maintaining the confidentiality of the test items and delivery.
In the information security world, legal defensibility is enshrined in two specific concepts: due diligence and due care; bridging these two is the risk assessment process. A basic understanding of these concepts and the process will allow certification sponsors to make better decisions across their credentialing programs.
Due diligence is a legal standard assessing whether an entity applied reasonable effort to ascertain, identify, and document possible issues. Since "reasonable" is a moving target, best practice for due diligence generally comprises two components.
The first is to encourage the development of an exhaustive, detailed list of possible scenarios and issues, no matter how unlikely. The second is to make this exercise an ongoing, systematic part of the organization’s activities.
The first step in program risk assessment is simply to define the risks associated with your activities. This should be an open, freeform, brainstorming process where no risk, no matter how small or unlikely, is disregarded.
The more detailed and exhaustive this list of potential risks is, the easier it is to prove due diligence — one missing risk that should have been listed is much more damaging than one thousand irrelevant risks.
I have been known to list things like meteor strikes and armed insurgency. While they may be unlikely, the key is to make sure you’ve thought of everything that could happen to pose a risk to the organization. Whether that risk is probable or significant is evaluated later in the process.
The second component of due diligence is making sure the organization updates and maintains the list of potential threats, adding new threats and updating existing ones based on current understandings.
The business landscape is dynamic and quickly changing, and an organization needs to make the effort to ensure these changes are adequately assessed.