Cybersecurity Risk Assessment: What It Is & How To Perform It


Cybersecurity risk assessments assist public safety organizations in understanding cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.

By conducting cyber risk assessments, public safety organizations may experience a multitude of benefits. These include meeting operational and mission needs, improving overall resiliency and cyber posture, and meeting cyber insurance coverage requirements. It is recommended that organizations conduct cyber risk assessments regularly, based on their operational needs, to assess their security posture.

By conducting the assessments, organizations establish a baseline of cybersecurity measurements, and such baselines could be referenced to or compared against future results to further improve overall cyber posture and resiliency and demonstrate progress. These assessments could be conducted with internal resources or with external assistance.

For instance, organizations may conduct a review of vulnerabilities based on internal logging and audits of their internet-facing networks.

What is a cybersecurity risk assessment?

A cybersecurity risk assessment evaluates the threats to your organization’s IT systems and data, as well as your capacity to safeguard those assets from cyber attacks.

Organizations can (and should) use a cybersecurity risk assessment to identify and prioritize opportunities for improvement in existing information security programs. A risk assessment also helps companies to communicate risks to stakeholders and to make educated decisions about deploying resources to mitigate those security risks.

A cybersecurity risk assessment requires an organization to determine its key business objectives and identify the information technology assets that are essential to realizing those objectives. It’s then a case of identifying cyber attacks that could adversely affect those assets, deciding on the likelihood of those attacks occurring, and the impact they may have; in sum, building a complete picture of the threat environment for particular business objectives.

This allows stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk to one with which the organization is comfortable.

Cybersecurity risk assessment: Getting started

First, you must align the organization’s information security and cybersecurity goals with its business objectives. That means you will need to get input from across the enterprise about how each function uses data and IT systems, to assess and evaluate your cybersecurity risk exposure.

Consider the following activities as part of your initial preparation for your risk assessment.

Define cybersecurity threats

You should think about all the scenarios that threaten the safety of your customer and employee data and the function of your products and services. Attackers can bypass security measures to gain unauthorized access, exploit vulnerabilities to steal or modify critical data assets, or run rogue programs inside your IT infrastructure.

Identify security vulnerabilities

Once you have a handle on your potential threats, you can better scrutinize each part of your IT infrastructure for vulnerabilities across software and hardware. Identifying these vulnerabilities requires diligence and thorough examination, always keeping in mind your contractual obligations and regulatory compliance obligations.

Determine threat likelihood and threat impact

Once you have identified the weaknesses in the organization, you should determine the likelihood and potential severity of each risk. This helps you understand which risks are most serious and therefore should get first priority when remediating your security weaknesses.

How to perform a cybersecurity risk assessment

Begin by assembling a team with the right qualifications. A cross-departmental group is crucial to identify cyber threats (from inside and outside your organization) and mitigate the risks to IT systems and data. The risk management team can also communicate the risk to employees and conduct incident response more effectively.

At a minimum, your team should include the following:

  • Senior management to provide oversight.
  • The chief information security officer to review network architecture.
  • A privacy officer to locate personally identifiable information, as required by the EU General Data Protection Regulation (GDPR).
  • The compliance officer to assure compliance with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, the Health Information Portability and Accountability Act (HIPAA), or other security standards that might apply to your business.
  • Someone from the marketing team to discuss any customer information that’s collected and stored.
  • Someone from the product management team to ensure product security posture throughout the development cycle.
  • Human resources, to give insight into employee personally identifiable information.
  • A manager from each central business line to cover all enterprise data and lead response initiatives.

Step 1: Catalog information assets

Your risk management team should catalog all your business’s information assets. That includes your IT infrastructure, as well as the various software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) solutions used throughout the company. It also includes the data that those systems process.

To understand the types of data your company collects, stores, and transmits, as well as the locations involved, ask these questions:

  • What kinds of information are departments collecting?
  • Where do they send that information?
  • Where are they collecting it from?
  • Which vendors does each department use?
  • What access do those vendors have?
  • Which authentication methods, such as multi-factor authentication, are used for information access?
  • Where does the company physically store information?
  • Which devices do employees use?
  • Do remote workers access information? If so, how?
  • Which networks transmit information?
  • Which databases store information?
  • Which servers collect, transfer, and store data?

Step 2: Determine the scope of the risk assessment

A risk assessment starts by deciding what is in the scope of the assessment. It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, a location, or a specific aspect of the business, such as payment processing or a web application.

It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts and defining risk tolerance levels. You may need a third party specializing in risk assessments to help you through what is a resource-intensive exercise.

Everyone involved should be familiar with the terminology used in a risk assessment, such as likelihood and impact, so that there is a common understanding of how the risk is framed. For those who are unfamiliar with cybersecurity concepts, ISO/IEC TS 27100 provides a useful overview.

Before undertaking a risk assessment, it is well worth reviewing standards like ISO/IEC 27001 and frameworks such as NIST SP 800-37 and ISO/IEC TS 27110. These can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.

Various standards and laws such as HIPAA, Sarbanes-Oxley, and PCI DSS require organizations to complete a formalized risk assessment and often provide guidelines and recommendations on how to complete them. However, avoid a compliance-oriented, checklist approach when undertaking an assessment, as simply fulfilling compliance requirements doesn’t necessarily mean an organization is not exposed to any risks.

Step 3: Assess the risk

Some types of information are more critical than others. Not all vendors are equally secure. So once you’ve identified the information assets, it’s time to assess the risks they pose to the enterprise.

  • Which systems, networks, and software are critical to business operations?
  • What sensitive information or systems must maintain availability, confidentiality, and integrity?
  • What personal information do you store, transmit, or collect that would need to be anonymized if encryption failed?
  • Which devices are most at risk of data loss?
  • What is the potential for data corruption?
  • Which IT systems, networks, and software might cybercriminals target for a data breach?
  • What reputation harm might arise from a security incident?
  • What are the financial risks of a potential data breach or data leak?
  • What business operation risks would result from a cybersecurity event?
  • Is there a business continuity plan to help business operations resume quickly after an IT disruption?

The risk assessment process considers risks to the information assets and what harm breaches of each might cause to the enterprise. That includes harm to business reputation, finances, continuity, and operations.

Step 4: Analyze the risk

Risk analysis assigns priority to the risks you’ve listed. For each risk, give a score based on the following:

  • Probability: the likelihood of a cybercriminal obtaining access to the asset
  • Impact: the financial, operational, strategic, and reputational impact that a security event might have on your organization

Multiply the probability by the impact to obtain a risk score, and compare that score against your risk tolerance level. Then, for each risk, determine your response: accept, avoid, transfer, or mitigate.

For example, a database containing public information might have few security controls, so the probability of a breach might be high. On the other hand, the damage would be low since the attackers would only be grabbing information that’s already publicly available. So you might be willing to accept the security risk for that particular database because the impact score is low, despite the high probability of a breach.

Conversely, suppose you’re collecting financial information from customers. In that case, the probability of a breach might be low, but the harm from such a breach could be severe regulatory penalties and a battered corporate reputation. So you may decide to treat these high-risk scenarios by transferring part of the risk, for example by taking out a cybersecurity insurance policy.

Step 5: Determine potential impact

Now it is time to determine the impact on the organization if the risk were to materialize.

In a cybersecurity risk assessment, risk likelihood — the probability that a given threat is capable of exploiting a given vulnerability — should be determined based on the discoverability, exploitability and reproducibility of threats and vulnerabilities rather than on historical occurrences. This is because cybersecurity threats are dynamic, so likelihood is not closely linked to the frequency of past occurrences in the way it is for natural hazards such as flooding and earthquakes.

Ranking likelihood on a scale of 1: “Rare” to 5: “Highly Likely,” and impact on a scale of 1: “Negligible” to 5: “Very Severe,” makes it straightforward to build the risk matrix used to classify scenarios in Step 7.

Impact refers to the magnitude of harm to the organization resulting from the consequences of a threat exploiting a vulnerability. The impact on confidentiality, integrity and availability should be assessed in each scenario with the highest impact used as the final score. This aspect of the assessment is subjective, which is why input from stakeholders and security experts is so important.

Step 6: Document all risks

It’s important to document all identified risk scenarios in a risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks. It should include:

  • Risk scenario
  • Identification date
  • Existing security controls
  • Current risk level
  • Treatment plan — the planned activities and timeline to bring the risk within an acceptable risk tolerance level along with the commercial justification for the investment
  • Progress status — the status of implementing the treatment plan
  • Residual risk — the risk level after the treatment plan is implemented
  • Risk owner — the individual or group responsible for ensuring that the residual risks remain within the tolerance level

Step 7: Determine and prioritize risks

Using a risk matrix, each risk scenario can be classified by combining its likelihood and impact ratings. For example, a SQL injection attack whose likelihood is considered “Likely” or “Highly Likely” and whose impact is rated at the severe end of the scale would be classified as “Very High.”

Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization’s risk tolerance level. There are three ways of doing this:

  1. Avoid. If the risk outweighs the benefits, discontinuing an activity may be the best course of action if it means no longer being exposed to it.
  2. Transfer. Share a portion of the risk with other parties through outsourcing certain operations to third parties such as DDoS mitigation, or purchasing cyber insurance. First-party coverage generally only covers the costs incurred due to a cyber event such as informing customers about a data breach, while third-party coverage would cover the cost of funding a settlement after a data breach along with penalties and fines. What it will not cover are the intangible costs of loss of intellectual property or damage to brand reputation.
  3. Mitigate. Deploy security controls and other measures to reduce the Likelihood and/or Impact and therefore the risk level to within the agreed risk tolerance level. Responsibility for implementing the measures to reduce unacceptably high risks should be assigned to the appropriate team. Dates for progress and completion reports should also be set to ensure that the owner of the risk and the treatment plan are kept up to date.

However, no system or environment can be made 100% secure, so there is always some risk left over. This is called residual risk and must be formally accepted by senior stakeholders as part of the organization’s cybersecurity strategy.
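The scoring and prioritization described in Steps 4 through 7 can be carried out on a small risk register as shown below. This is an added example, not code from the original article: the 1 to 5 likelihood and impact scales, the rule that the highest of the confidentiality, integrity and availability impacts becomes the final impact, probability times impact as the score, and the Step 6 register fields all come from the text, while the score bands that map onto Low / Medium / High / Very High, the "Medium" tolerance level, and every sample register entry (scenarios, owners, dates, controls) are constructed assumptions for illustration.

```python
"""Risk scoring, classification and prioritization for a small risk register.

Added illustration, not code from the original article. The 1-5 scales, the
"highest CIA impact wins" rule, probability x impact scoring and the register
fields follow the text; the score bands, the tolerance label and all sample
entries are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Scale labels from the article (1 = Rare ... 5 = Highly Likely; 1 = Negligible ... 5 = Very Severe).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Highly Likely"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Severe", 5: "Very Severe"}

# Assumption: upper bound of each band on the 5x5 matrix (score = L x I, 1..25).
# The article gives no thresholds; agree these with stakeholders in practice.
BANDS = [(4, "Low"), (9, "Medium"), (15, "High"), (25, "Very High")]
BAND_ORDER = [label for _, label in BANDS]


def _check_scale(value: int) -> None:
    if not 1 <= value <= 5:
        raise ValueError(f"ratings must be on the 1-5 scale, got {value}")


@dataclass
class RiskEntry:
    """One row of the register, with the fields listed in Step 6."""
    scenario: str
    identified: date
    existing_controls: List[str]
    likelihood: int                    # 1-5
    cia_impact: Dict[str, int]         # {"C": n, "I": n, "A": n}, each 1-5
    risk_owner: str
    treatment_plan: str = "Accept"
    progress_status: str = "Not started"
    # Expected ratings once the treatment plan is implemented (None = unchanged).
    residual_likelihood: Optional[int] = None
    residual_cia_impact: Optional[Dict[str, int]] = None

    def __post_init__(self) -> None:
        for v in [self.likelihood, *self.cia_impact.values()]:
            _check_scale(v)
        if self.residual_likelihood is not None:
            _check_scale(self.residual_likelihood)
        for v in (self.residual_cia_impact or {}).values():
            _check_scale(v)

    def impact(self) -> int:
        # Step 5: rate C, I and A separately; the highest is the final impact.
        return max(self.cia_impact.values())

    def score(self) -> int:
        # Step 4: risk score = probability x impact.
        return self.likelihood * self.impact()

    def residual_score(self) -> int:
        # Step 6: the risk level expected after the treatment plan is implemented.
        lik = self.residual_likelihood if self.residual_likelihood is not None else self.likelihood
        imp = max(self.residual_cia_impact.values()) if self.residual_cia_impact else self.impact()
        return lik * imp


def classify(score: int) -> str:
    """Step 7: place a score in its band on the risk matrix."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 matrix")


def exceeds_tolerance(label: str, tolerance: str) -> bool:
    return BAND_ORDER.index(label) > BAND_ORDER.index(tolerance)


def prioritize(register: List[RiskEntry], tolerance: str) -> List[RiskEntry]:
    """Step 7: entries above the agreed tolerance, highest score first."""
    above = [e for e in register if exceeds_tolerance(classify(e.score()), tolerance)]
    return sorted(above, key=lambda e: e.score(), reverse=True)


def needs_formal_acceptance(register: List[RiskEntry], tolerance: str) -> List[RiskEntry]:
    """Residual risk still above tolerance after treatment: senior stakeholders must accept it."""
    return [e for e in register if exceeds_tolerance(classify(e.residual_score()), tolerance)]


def sample_register() -> List[RiskEntry]:
    """Constructed entries modelled on the article's examples (not real data)."""
    found = date(2024, 1, 15)  # constructed identification date
    return [
        RiskEntry("SQL injection against the customer-facing web application", found,
                  ["Perimeter firewall"], likelihood=4, cia_impact={"C": 5, "I": 4, "A": 3},
                  risk_owner="Head of Application Security",
                  treatment_plan="Mitigate: parameterized queries, input validation, WAF",
                  residual_likelihood=1),
        RiskEntry("Breach of the database holding only public information", found,
                  ["Default credentials rotated"], likelihood=5, cia_impact={"C": 1, "I": 1, "A": 1},
                  risk_owner="IT Operations Manager"),
        RiskEntry("Exposure of customer financial records", found,
                  ["At-rest encryption", "MFA for administrators"], likelihood=2,
                  cia_impact={"C": 5, "I": 3, "A": 2}, risk_owner="Chief Financial Officer",
                  treatment_plan="Transfer: cyber insurance covering settlement costs and fines",
                  residual_cia_impact={"C": 4, "I": 3, "A": 2}),
    ]


if __name__ == "__main__":
    reg = sample_register()
    for e in reg:
        print(f"{e.scenario[:48]:48} L={e.likelihood} I={e.impact()} score={e.score():2} "
              f"{classify(e.score()):9} -> residual {classify(e.residual_score())}")
    print("Prioritized for treatment:", [e.scenario for e in prioritize(reg, "Medium")])
```

Running the block with a "Medium" tolerance puts the SQL injection scenario (4 × 5 = 20, Very High) and the financial-records scenario (2 × 5 = 10, High) on the treatment list, while the public-data database (5 × 1 = 5, Medium) is accepted despite its high likelihood, which mirrors the reasoning in Step 4. The residual scores show why the register needs both columns: after treatment all three land in the Medium band, so nothing remains for formal acceptance at that tolerance, but lowering the tolerance to "Low" would flag all of them.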

Step 8: Set security controls

Next, define and implement security controls. Security controls will help you manage potential risks so they are eliminated, or the chance of them happening is significantly reduced.

Controls are essential for every potential risk. That said, they require the entire organization to implement them and ensure the risk controls are continuously carried out.

Examples of controls include:

  • Network segregation
  • At-rest and in-transit encryption
  • Anti-malware, anti-ransomware, and anti-phishing software
  • Firewall configuration
  • Password protocols
  • Multi-factor authentication
  • Workforce training
  • Vendor risk management program

Step 9: Monitor and review effectiveness

Organizations have relied on penetration testing and periodic audits to establish and assure IT security. But as malicious actors keep changing tactics, your organization must adjust its security policies and maintain a risk management program that monitors the IT environment for new cybersecurity threats.

Risk analysis needs to be flexible, too. For example, as part of the risk mitigation process, you must consider your response mechanisms to maintain a robust cybersecurity profile.
