May 26, 2020
Risk Based Security Assessments
Today, businesses face multiple forms of risk from a wide range of sources. Some risks are individual and industry specific, while others are unpredictable and shared across the business landscape. Potential threats to a business include information security breaches, legal disputes, operational failures and disasters. Regardless of their cause, unaccounted-for risks or inadequate planning and controls can be very damaging. In this article we are going to look at information technology focused risk assessments and how to perform them.
What Is an Information Security Risk Assessment?
IT risk assessments in general involve three factors: the importance of the assets at risk, how critical the threat is, and how vulnerable the system is to that threat. By understanding these three factors, businesses can assess risks in terms of their likelihood and impact, or according to whichever risk model they have chosen.
In the context of information security, risk assessments are performed to allow organizations to assess, identify and modify security measures, and to enable management and operations to view the entire organization from the perspective of an external attacker or threat. Taking this point of view, teams can prioritize threats and assign resources to implement an appropriate solution or strategy, relative to the scope of the risk.
Who Should Perform Risk Assessments & Why?
Conducting risk assessments can be beneficial for any company regardless of size. When it comes to information technology, an increasing number of businesses hold digital assets or handle sensitive data, which inevitably makes them prone to cyberattacks and other security risks. Many technology companies are compliant with at least one information security standard or regulation, such as SOC 2 and ISO 27001 or the GDPR and CCPA, many of which recommend and often require risk assessments as part of the compliance process.
These assessments form the basis of your mitigating strategy and are critical to the foundation of security control measures and formulating a response plan. A response plan is a documented process or set of procedures to execute a business' recovery processes to secure and protect a business' IT infrastructure in the event of a disaster. As a business performs more risk assessments, its mitigating security controls will mature and it will develop an increasingly comprehensive response plan. While some organizations are well prepared for times of crisis, others have had to strategize on the go.
There are several general factors for businesses to consider in the decision to conduct a security risk assessment:
Productivity: Productivity of IT, security and audit personnel can increase due to improvements to review systems, security knowledge and processes.
Responsibility: Responsibility for security should extend to management, with management making decisions at an organizational level and IT for specific requirements.
Self-analysis: The risk assessment system should be able to be used by anyone, not just IT or security specialists. This allows management to take ownership of security and security to become part of the culture.
Communication: An assessment takes data from all parts of an organization which improves communication of security information and decision making by management.
Steps to Conduct a Risk Assessment
While the depth of assessment depends on business size and assets, information security risk assessments generally consist of these steps:
Determine Information Value: Identifying business-critical assets allows security resources to be prioritized.
Identify and Prioritize: Determine the scope of the assessment by identifying and prioritizing assets that will be included in the assessment. A business may not want to assess every building, employee, electronic data, and piece of equipment as not all assets have the same value.
Identify Threats: Threats include any vulnerability that could be exploited to breach security or use data in a way that harms the business. Threats may be related to IT security like hackers or viruses, or other factors.
Identify Vulnerabilities: A vulnerability is a weakness that a threat can exploit to breach security or use data in a way that harms the business. Analysis, audits, vulnerability databases, and other sources can be used to find vulnerabilities.
Analyze and Improve Controls: Review existing implemented security controls and mitigating processes to identify improvements. Risk-related security controls are either preventative (they prevent attacks) or detective (they discover attacks).
Calculate the Likelihood and Impact of Scenarios: Identify how likely cyber risks are to occur and what the impact would be. This allows investment in security to be prioritized.
Prioritize Risks based on Cost of Prevention and Information Value: Determine the level of risk and the actions that can be taken to mitigate it. If an asset costs more to protect than its value and it is non-critical to the business, it may not be worth the investment to protect.
Document Results: The last step is to document the results to support management decisions on budget, policies, and procedure. Each threat should be reported by risk, vulnerabilities and value, and the likelihood of occurrence and potential impact.
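As an added worked example (not code from the article), the scoring and prioritization steps above expressed as a small risk register in Python: likelihood x impact on 1-5 scales, risk bands, and the article's cost-versus-value rule for deciding whether to mitigate. The assets, scales, bands and figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample register: asset values, scales and protection costs
# are illustrative placeholders, not figures from the article.

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # what the asset is worth to the business
    critical: bool          # business-critical asset?
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    cost_to_protect: float  # cost of the mitigating control

    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on a 1-5 scale")
        return self.likelihood * self.impact

def level(score: int) -> str:
    # Assumed bands for the 1-25 likelihood x impact product.
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"

def decision(r: Risk) -> str:
    # Article's rule: protecting a non-critical asset that costs more to
    # protect than it is worth may not justify the investment.
    if r.cost_to_protect > r.asset_value and not r.critical:
        return "accept"
    return "mitigate"

def prioritize(register):
    # Highest score first; ties broken by the more valuable asset.
    return sorted(register, key=lambda r: (r.score(), r.asset_value), reverse=True)

REGISTER = [
    Risk("customer database", "external attacker", "unpatched web app", 500_000, True, 4, 5, 40_000),
    Risk("marketing laptop", "theft", "no disk encryption", 1_500, False, 3, 2, 2_000),
    Risk("file server", "ransomware", "no offline backups", 120_000, True, 3, 4, 15_000),
    Risk("public website", "DDoS", "no rate limiting", 20_000, False, 2, 3, 30_000),
]

def report(register):
    # One row per risk, in priority order: asset, score, band, action.
    return [(r.asset, r.score(), level(r.score()), decision(r)) for r in prioritize(register)]

if __name__ == "__main__":
    for row in report(REGISTER):
        print("%-18s score=%2d level=%-6s action=%s" % row)
```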
Information security risk assessments are important and can benefit businesses that deal with sensitive data or operate under compliance standards. The many benefits include identifying security risks, improving productivity and communication, and prioritizing your information security investments. Completing a thorough assessment can be a lengthy process, and tools such as GRC solutions can be used to optimize it from start to finish.
Assessing & Planning With GRC Tools
Although it is possible to build a risk register in a spreadsheet, it is becoming increasingly affordable and approachable to use dedicated tools. Risk management software adds value to project management and collaboration when determining a company's crisis response plan. Risk management systems enable leaders to prevent and manage critical risks that a business may face. Leveraging dedicated risk management tools makes it easy for teams and management to review a crisis from multiple perspectives, such as finance, legal, or operations.
Today, dedicated risk management tools are readily available and affordable. When it comes to information security risk assessments, often the best approach is to leverage your existing information security focused Governance, Risk and Compliance (GRC) software. GRC tools save time by allowing businesses to add previously established security controls and assets directly into risk assessments. GRC tools allow businesses to easily identify security gaps, implement a suite of threat-mitigating processes, monitor potential threats, and generate reports from your assessments' results.
After the assessment identifies priorities for security controls, GRC tools can be used to manage controls and reporting to streamline information security processes and provide up-to-date information. Most tools can integrate with existing systems and monitor information security from a single, centralized platform so security threats can be identified and neutralized before they cause any damage to the business. Security risks can be measured using GRC tools' built-in best-practice quantitative risk methodologies for an array of scenarios not limited to information security. These tools should also be customizable, allowing users to determine their own calculations to align with their needs.