Monday, 9 February 2015

Of Russian dolls and risk assessment

A risk is like a Russian doll: it appears to be of a particular size, but what's inside? You have to open it to find out, but that only takes you one step; there's another doll! Is that doll still large enough to be worrying? If so, open it and take a look inside. At some point the next doll will be too small to bother about (i.e. the residual risk is tolerable), or the next doll is charred, i.e. there is enough wrong that it's not worth assessing further.

The main difference is that sometimes the doll magically gets bigger as you open it...

Here's an example based on past risk-related discussions:

Q1: Are you handling personal data, and if so, how are you protecting it?
A: We take every care in protecting personal data. We are a member of the Safe Harbour Agreement.

<Open the doll>

Q2: Thanks so much for your answer... Can you tell me more about the protection you are applying? Do you encrypt the data at rest and in motion?
A: We use industry standard encryption to protect the information using SSL.

<Note that there is no mention of what they are doing with data at rest, but let's leave that part for now. Next doll>

Q3: You mention SSL. What version are you using?
A: We are using TLS, and have verified that it is not vulnerable to POODLE.

<Next doll>

Q4: That's great. Can you confirm that you are keeping your encryption strength up to date as threats evolve?
A: Oh, I suppose we can if you want. That's the Extended Deluxe Support Package $$$$$$$. We didn't include it in the tender because no-one asks for it.

<Next doll>

Q5: What do you do to prevent fail-back to insecure encryption algorithms?
A: We disable insecure algorithms. <Note: this is a Very Rare Good Answer to this question>

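The answers to Q3 to Q5 are claims that can be checked rather than taken on trust, given sight of the server configuration. The following is an added illustration, not code from the original post or from any vendor: it uses Python's ssl module to build the kind of server context a "we use SSL" supplier might still be running, beside a hardened one, and an audit function that reports what each would accept. The cipher-name markers and the 128-bit floor are assumed assessor thresholds of my own; whether old cipher suites actually show up in the legacy context depends on how the local OpenSSL was built, but the protocol floor is the part that is always wrong.

```python
import ssl

# Cipher-name fragments an assessor would flag on sight (my own list, not the post's).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP-", "MD5", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128  # assumption: anything weaker counts as "insecure" for this audit


def legacy_context() -> ssl.SSLContext:
    """The 'we use SSL' configuration: whatever the local OpenSSL build still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # No protocol floor at all: SSLv3 and TLS 1.0 are acceptable if compiled in.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    try:
        # Lift OpenSSL's security level so legacy suites are offered where they exist.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL")  # builds without SECLEVEL support
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What 'we disable insecure algorithms' should look like in practice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A server-side protocol floor is what prevents fail-back: neither a client
    # nor a downgrade attacker can talk the server into SSLv3 or TLS 1.0 if the
    # server refuses to speak them at all.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; the exclusions are belt and braces.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression (CRIME) off
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings an assessor would raise against this server context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            "accepts protocol versions below TLS 1.2, so a downgrade to "
            "SSLv3/TLS 1.0 (POODLE, BEAST) is possible"
        )
    # get_ciphers() lists every suite the context would offer, with its key strength.
    weak = sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if any(marker in c["name"] for marker in WEAK_MARKERS)
        or c["strength_bits"] < MIN_STRENGTH_BITS
    )
    if weak:
        findings.append("offers weak cipher suites: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit_context(ctx) or ['no findings']}")
```

This audits the configuration object, which is what a vendor can hand over in writing; the complementary check is a live probe of their endpoint (for example `openssl s_client -ssl3 -connect host:443`, which should be refused). Note that `minimum_version` is the setting that matters for Q5: disabling individual algorithms without a protocol floor still leaves the version negotiation open.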
<Is the doll small enough yet? No, let's have a look at data storage>

Q6: Many thanks for the information, but you haven't mentioned what you are doing with data at rest (SSL only applies to data in motion). How are you protecting data at rest?
A: We use HostyPlace Company's storage, which is industry standard.

<Oh, the doll just got bigger. Let's open it>

Q7: How are you managing the data in storage? Is it encrypted, and if so, how?
A: We use industry standard encryption to protect the information using SSL.

<Not an answer to the question asked. Next doll>

Q8: Thanks for getting back to me. SSL is for data transmission- what are you doing to encrypt stored data?
A: We are storing the data in a secure hosted facility at HostyPlace (American company): link

Q9: Do you encrypt the data in storage?
A: The data is physically secure and has access restricted to only three people in our company, with authentication handled by HostyPlace's secure servers. All of our other customers are happy with this, and we have never had an incident.

<I'm taking that as a "no", then. Do I really want to ask about their authentication system, or do I want to find out whether they are using a Safe Harbour-accepted hosting solution? Choices, choices...>

Q10: Is HostyPlace also a Safe Harbour signatory?
A: HostyPlace is a very well respected company, which is used by Big Famous Company 1 and Big Famous Company 2: link to HostyPlace sales page. We have been with them for seventeen hundred years, and never so much as had a stubbed toe. In fact, I credit them with my aunt's miraculous recovery from the plague.

At this point, we can open even more dolls, but it looks like we are suffering from a classic case of Wrong Doll. The correct doll is the Legal Liability Doll, which we now hand to our colleagues in Legal.

We can also ask about compliance with management system standards. This can massively simplify matters if HostyPlace is ISO 27001 certified, has a sensible-sounding scope that actually covers the hosting service we are buying (a certificate covering only the head office says nothing about the data centre), AND a reasonable Statement of Applicability. I've started to ask that one first, these days...