The Value of an Information Security Risk Assessment
- Written by: Matthew McGill and Sammi LaBello
Whether you’re a small business trying to figure out where to start with your cybersecurity needs, or you’re a larger corporation wanting to make sure the security measures you put in place are working properly, an Information Security Risk Assessment is a great way to get a thorough look inside your organization.
Taking the time to go over possible threats is crucial in preventing issues down the road and giving your business the best chance at long-term success. Here are the basic steps of a Risk Assessment, and why this process can provide so much value to your cybersecurity program.
What is an Information Security Risk Assessment?
A Risk Assessment helps guide an organization in making rational decisions to improve security posture and align risk with acceptable tolerance levels.
What does that really mean?
Cybersecurity experts, such as HBS Consultants, conduct a comprehensive overview of your current security measures and come up with a list of possible threats. This is based on the issues your company is likely to face. Not all organizations have the same security threats.
The Risk Assessment process helps IT departments and business owners find and evaluate risk while aligning with business objectives.
Why is it Necessary?
A Risk Assessment offers a window into your organization’s security operations. The process reveals exactly where there are flaws, what’s working well, and what might not be necessary.
Being able to have a certified expert go over your security posture can help you better understand things that may have been overlooked in the past.
This kind of knowledge is valuable for preventing security breaches, securing sensitive information, and reassuring clients their own data is being protected.
Not only is this important for the function of your company; information security risk assessments are also the first requirement outlined in federal regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). The Payment Card Industry Data Security Standard (PCI DSS) also requires merchants of all sizes to perform due diligence in assessing risk in their technology operations.
How Does the Process Work?
These are a few of the key steps during an Information Security Risk Assessment.
1. Prepare
The first step is to determine why the assessment is needed. You’ll want to figure out the information the assessment is intended to produce and the decisions it is intended to support. Knowing the goal of the process will help direct the steps taken.
You will also select a control framework. HBS bases risk assessments on a subset of controls from NIST 800-53. Other highly regarded frameworks are the Center for Internet Security (CIS) Top 20 and NIST 800-171.
2. Conduct
The objective of this step is to create a list of information security threats that can be prioritized by risk level and used to inform risk response decisions. That includes identifying any threat sources, risks, and vulnerabilities. Then the risk levels and likelihood are analyzed.
This step also includes interviews with department managers and key business personnel. The focus is on how sensitive information flows through the systems and/or applications they manage.
Here are some questions that may come up:
- Are there any concerns with data flow models?
- Does the information have the potential to be seen by unauthorized individuals?
- Are there vulnerabilities within these systems that could lead to device compromise?
- Does management have adequate visibility into the risk management program?
While risk assessments can be conducted internally, it is helpful to bring in a third party to have an independent set of eyes evaluate IT environments.
3. Review
This step involves reviewing IT controls and using control frameworks as a guide to implement those controls in a secure manner. This is followed by communicating the information discovered and finding out how decision makers within the organization can use it to address security risks in the future.
The HBS Consultant will put together a report of risks at different levels for your business’s executive leadership to review.
What are those risk levels?
- Low: The finding creates limited exposure for compromise of user accounts, or unauthorized access to data due to configuration issues, outdated patches and/or policy.
- Moderate: The finding does not directly lead to a compromise but could be used in conjunction with other techniques to compromise accounts, or to perform unauthorized activity in the environment.
- High: The finding creates a large exposure that could result in a loss of system control, access, application control, and/or exposure of customer data via the compromise of administrative accounts and/or other system functions. It could also create an issue with regard to confidentiality and/or integrity, resulting in many user accounts being compromised, or restricted system functions being accessed.
4. Repeat
A Risk Assessment is not a one-time cure-all. This process should be done on an annual basis to keep up with any new threats and potential changes within the organization.
When Should You Pursue an Information Security Risk Assessment?
There really is no wrong time to do a Risk Assessment. While it should be one of the first considerations of new businesses, it should also be part of your continual security evaluation process. Risk assessments provide immense value to organizations of all sizes, as they allow the IT department to communicate control gaps and security concerns in a language and perspective business leaders can understand.
As stated before, it is possible for an organization to conduct its own Risk Assessment. However, there are benefits to hiring a third-party consultant. HBS has often identified areas of risk our clients were unaware of. If you’d like to find out more about conducting a Risk Assessment for your business, contact HBS today!