Cybersecurity Risk Assessment: What It Is & How To Perform It
Published 2023-11-15 at https://businessyield.com/tech/technology/cybersecurity-risk-assessment-what-it-is-how-to-perform-it/
Cybersecurity risk assessments assist public safety organizations in understanding cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.
By conducting cyber risk assessments, public safety organizations may experience a multitude of benefits. These include meeting operational and mission needs, improving overall resiliency and cyber posture, and meeting cyber insurance coverage requirements. It is recommended that organizations conduct cyber risk assessments regularly, based on their operational needs, to assess their security posture.
By conducting the assessments, organizations establish a baseline of cybersecurity measurements, and such baselines can be referenced or compared against future results to further improve overall cyber posture and resiliency and to demonstrate progress. These assessments can be conducted with internal resources or with external assistance.
For instance, organizations may conduct a review of vulnerabilities based on internal logging and audits of their internet-facing networks.
A cybersecurity risk assessment evaluates the threats to your organization’s IT systems and data, as well as your capacity to safeguard those assets from cyber attacks.
Organizations can (and should) use a cybersecurity risk assessment to identify and prioritize opportunities for improvement in existing information security programs. A risk assessment also helps companies to communicate risks to stakeholders and to make educated decisions about deploying resources to mitigate those security risks.
A cybersecurity risk assessment requires an organization to determine its key business objectives and identify the information technology assets that are essential to realizing those objectives. It’s then a case of identifying cyber attacks that could adversely affect those assets, deciding on the likelihood of those attacks occurring, and the impact they may have; in sum, building a complete picture of the threat environment for particular business objectives.
This allows stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk to a level with which the organization is comfortable.
First, you must align the organization’s information security and cybersecurity goals with its business objectives. That means you will need to get input from across the enterprise about how each function uses data and IT systems, to assess and evaluate your cybersecurity risk exposure.
Consider the following activities as part of your initial preparation for your risk assessment.
You should think about all the scenarios that threaten the safety of your customer and employee data and the function of your products and services. Attackers can bypass security measures to gain unauthorized access, exploit vulnerabilities to steal or modify critical data assets, or run rogue programs inside your IT infrastructure.
Once you have a handle on your potential threats, you can better scrutinize each part of your IT infrastructure for vulnerabilities across software and hardware. Identifying these vulnerabilities requires diligence and thorough examination, always keeping in mind your contractual obligations and regulatory compliance obligations.
Once you have identified the weaknesses in the organization, you should determine the likelihood and potential severity of each risk. This helps you understand which risks are most serious and therefore should get first priority when remediating your security weaknesses.
Begin by assembling a team with the right qualifications. A cross-departmental group is crucial to identify cyber threats (from inside and outside your organization) and mitigate the risks to IT systems and data. The risk management team can also communicate the risk to employees and conduct incident response more effectively.
At a minimum, your team should include the following:
Your risk management team should catalog all your business’s information assets. That includes your IT infrastructure, as well as the various software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) solutions used throughout the company. It also includes the data that those systems process.
To understand the types of data your company collects, stores, and transmits, as well as the locations involved, ask these questions:
A risk assessment starts by deciding what is in the scope of the assessment. It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, a location, or a specific aspect of the business, such as payment processing or a web application.
It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment, as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts, and defining risk tolerance levels. You may need a third party specializing in risk assessments to help you through what is a resource-intensive exercise.
Everyone involved should be familiar with the terminology used in a risk assessment, such as likelihood and impact, so that there is a common understanding of how the risk is framed. For those who are unfamiliar with cybersecurity concepts, ISO/IEC TS 27100 provides a useful overview.
Before undertaking a risk assessment, it is well worth reviewing standards like ISO/IEC 27001 and frameworks such as NIST SP 800-37 and ISO/IEC TS 27110. These can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.
Various standards and laws such as HIPAA, Sarbanes-Oxley, and PCI DSS require organizations to complete a formalized risk assessment and often provide guidelines and recommendations on how to complete them. However, avoid a compliance-oriented, checklist approach when undertaking an assessment, as simply fulfilling compliance requirements does not necessarily mean an organization is not exposed to any risks.
Step 3: Assess the risk
Some types of information are more critical than others. Not all vendors are equally secure. So once you’ve identified the information assets, it’s time to assess the risks to those assets and to the enterprise.
The risk assessment process considers risks to the information assets and what harm a breach of each might cause to the enterprise. That includes harm to business reputation, finances, continuity, and operations.
Step 4: Analyze the risk
Risk analysis assigns priority to the risks you’ve listed. For each risk, give a score based on the following:
To establish your risk tolerance level, multiply the probability by the impact. Then, for each risk, determine your response: accept, avoid, transfer, or mitigate.
For example, a database containing public information might have few security controls, so the probability of a breach might be high. On the other hand, the damage would be low since the attackers would only be grabbing information that’s already publicly available. So you might be willing to accept the security risk for that particular database because the impact score is low, despite the high probability of a breach.
Conversely, suppose you’re collecting financial information from customers. In that case, the probability of a breach might be low, but the harm from such a breach could be severe regulatory penalties and a battered corporate reputation. So you may decide to mitigate these high-risk scenarios by taking out a cybersecurity insurance policy.
Step 5: Determine potential impact
Now it is time to determine the impact of the risk on the organization if it did happen.
In a cybersecurity risk assessment, risk likelihood (the probability that a given threat is capable of exploiting a given vulnerability) should be determined based on the discoverability, exploitability and reproducibility of threats and vulnerabilities rather than on historical occurrences. This is because the dynamic nature of cybersecurity threats means likelihood is not as closely tied to the frequency of past occurrences as it is for events such as flooding and earthquakes.
Ranking likelihood on a scale of 1 (Rare) to 5 (Highly Likely), and impact on a scale of 1 (Negligible) to 5 (Very Severe), makes it straightforward to create the risk matrix illustrated below in Step 4.
Impact refers to the magnitude of harm to the organization resulting from a threat exploiting a vulnerability. The impact on confidentiality, integrity and availability should be assessed in each scenario, with the highest impact used as the final score. This aspect of the assessment is subjective, which is why input from stakeholders and security experts is so important.
Step 6: Document all risks
It’s important to document all identified risk scenarios in a risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks. It should include:
Step 7: Determine and prioritize risks
Using a risk matrix, each risk scenario can be classified. If the risk of a SQL injection attack were considered “Likely” or “Highly Likely”, that risk scenario would be classified as “Very High.”
Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization’s risk tolerance level. There are three ways of doing this:
However, no system or environment can be made 100% secure, so there is always some risk left over. This is called residual risk and must be formally accepted by senior stakeholders as part of the organization’s cybersecurity strategy.
Step 8: Set security controls
Next, define and implement security controls. Security controls help you manage potential risks so that they are eliminated or the chance of them occurring is significantly reduced.
Controls are essential for every potential risk. That said, they require the entire organization to implement them and to ensure the risk controls are continuously carried out.
Examples of controls include:
Step 9: Monitor and review effectiveness
Organizations have relied on penetration testing and periodic audits to establish and assure IT security. But as malicious actors keep changing tactics, your organization must adjust its security policies and maintain a risk management program that monitors the IT environment for new cybersecurity threats.
Risk analysis needs to be flexible, too. For example, as part of the risk mitigation process, you must consider your response mechanisms to maintain a robust cybersecurity profile.