
Cybersecurity Insights

Information Security Risk Assessments

Posted in Blog


IT Risk Assessments

First, it’s important to recognize that IT risk assessments can be conducted at a business level or for category-specific areas, such as information security. This document speaks more specifically to the information security category, although we recommend that everyone conduct an overall business risk assessment.

A risk assessment begins with identifying your valuable business assets and what unwanted events might affect them. For example, you might host a web page selling your products using a server. If over 10% of your gross business profits flow through the website, we consider the server a valuable business asset. Events that might negatively affect the server and interrupt business revenue flow may include natural disasters, theft, hacking or malware, and even insider threats (malicious or accidental).

A risk assessment also considers how likely unwanted events are to occur and recommends defensive actions based on that likelihood. For example, if an earthquake destroys the example server about every 500 years, guarding against that destruction might not be a high priority. However, if a hacker is expected to render the example server inoperable once every six months (on average), it becomes a much higher priority to guard against hackers.

A risk assessment is normally performed because businesses have limited resources for time and money. Because guarding against all risks is generally cost-prohibitive, it’s important to know how to prioritize efforts to address those risks that are most likely/costly and will have a larger impact on business operations. Therefore, the main purpose of a risk assessment is to develop a list of mitigation priorities that match your business’s budget and resource availability.

What Kinds of Risk Assessments Are There?

Risk assessments usually differ only by scope, that is, by the number of areas the assessment covers. A general information security risk assessment is designed to assess how mature your security controls are compared to common industry frameworks such as CIS Top 18 or NIST CSF. Risk assessments can also be conducted for targeted areas, such as business continuity/disaster recovery, and are generally designed to assess how much risk remains given the security controls currently applied. Targeted risk assessments may also be conducted when it is doubtful that risk has been considered for all in-scope systems.

Security audits are different from risk assessments. A risk assessment evaluates security controls applied to reduce risk. A security audit is a risk assessment with additional effort added to confirm that applied security controls are operating as intended. This additional effort offers the highest assurance that appropriate security is in place for protecting assets and reducing risk.

Security certifications are different from risk assessments. Certifications are sponsored by various organizations and always involve some form of independent security audit to verify compliance with the sponsor's security framework. The security audit is followed by the auditor reporting the results to the sponsoring organization in an approved format to finalize the certification process. Security certifications are used in many industries to recognize that a business has reached a standard for information security, so that the standard does not need to be re-verified by each party that relies on it. A popular example of a security certification is a SOC 2 Type 2 certification, which is used to verify that data center operations are using best-practice security controls.

How Do I Perform a Risk Assessment?

Risk assessments may be conducted by internal resources or contracted to an external evaluator. If a partner organization asks about the results of your most recent risk assessment, they are much more likely to be satisfied with an external evaluation than an internal one. We recommend that organizations begin by conducting internal risk assessments and then contract an external evaluator to confirm their accuracy by performing an independent assessment.

Conducting a risk assessment follows basic auditing steps:

  1. Establish the scope of the evaluation.
  2. Ensure all assets and resources that are within scope are identified and considered.
  3. Identify all assets above a pre-determined threshold for business importance. (Most organizations recognize their assets are interconnected and choose to review security controls for all assets within a given scope.)
  4. Identify security controls protecting in-scope assets.
  5. Identify possible threats to in-scope assets.
  6. Determine the probability a threat will result in a risk being realized (also considering current security controls that are functioning properly).
  7. Use the value of the resource(s) and the threat probability to determine the risk to the resource(s).
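Steps 3 through 7 above are easy to carry through with the standard quantitative risk formula (single loss expectancy multiplied by the annualized rate of occurrence, discounted for controls that are working). The following is a worked example added here, not code from the original post; the asset values, exposure fractions and control-effectiveness figures are constructed, while the event rates (an earthquake every 500 years, a hacker every six months) come from the post's own example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # constructed: annual revenue that depends on the asset, in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    aro: float             # annualized rate of occurrence: events per year (steps 5 and 6)
    exposure: float        # fraction of the asset value lost per event, 0..1 (constructed)
    control_effect: float  # fraction of events existing controls are assumed to stop, 0..1 (step 4)


def residual_ale(threat: Threat, assets: dict) -> float:
    """Annualized loss expectancy with current controls applied.

    ALE = SLE * ARO, where SLE = asset value * exposure, and the ARO is
    reduced by the share of events the functioning controls prevent (step 6).
    """
    sle = assets[threat.asset].value * threat.exposure
    residual_aro = threat.aro * (1.0 - threat.control_effect)
    return sle * residual_aro


def prioritize(assets, threats, threshold: float):
    """Step 3: keep assets at or above the importance threshold.
    Step 7: rank each threat to those assets by residual ALE, highest first.
    Returns (threat name, asset name, ALE in dollars per year) tuples.
    """
    in_scope = {a.name: a for a in assets if a.value >= threshold}
    rows = [
        (t.name, t.asset, residual_ale(t, in_scope))
        for t in threats
        if t.asset in in_scope
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def risk_register():
    """Constructed sample register built around the post's web-server example."""
    assets = [
        Asset("web-server", 400_000.0),  # carries more than 10% of profits: in scope
        Asset("test-lab", 5_000.0),      # below the importance threshold: out of scope
    ]
    threats = [
        # once every 500 years, total loss, nothing currently stops it
        Threat("earthquake", "web-server", aro=1 / 500, exposure=1.0, control_effect=0.0),
        # once every six months, a quarter of the year's revenue per outage,
        # existing controls assumed to stop half of the attempts
        Threat("hacking or malware", "web-server", aro=2.0, exposure=0.25, control_effect=0.5),
        # accidental insider damage every two years, half of the value lost, controls stop half
        Threat("insider error", "web-server", aro=0.5, exposure=0.5, control_effect=0.5),
        Threat("theft", "test-lab", aro=0.1, exposure=1.0, control_effect=0.0),
    ]
    return prioritize(assets, threats, threshold=50_000.0)


if __name__ == "__main__":
    for name, asset, ale in risk_register():
        print(f"{asset:12} {name:20} ${ale:>12,.2f} / year")
```

Run as a script, the register lists the hacking threat first at $100,000 per year, the insider threat at $50,000, and the earthquake last at $800, which is the ordering the post's prose argues for; the test-lab threat is dropped in step 3. The figures are only as good as the rate and control-effectiveness estimates behind them, so record where each estimate came from alongside the result.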

Note that using a security framework for reference while conducting a risk assessment can be very helpful to ensure key elements of security are not missed.

How Do I Use a Risk Assessment?

Risk assessments are used for a variety of purposes:

  1. Continuous Improvement: Most people recognize that the pace of technology change in today’s environment remains high. With the ever-growing list of vulnerabilities and threats in the marketplace, risk assessments can be an important opportunity to evaluate how a security team is doing and to identify the next steps for maintaining good security.
  2. Regulatory Compliance: Many industries are regulated or contractually obligated to maintain good security. Examples include businesses that take credit cards (PCI), healthcare and health insurance industries (HIPAA), businesses that deal with personally identifiable information (PII/Privacy law), the Department of Defense (CMMC), and many others. A risk assessment or security audit is often required to maintain compliance with current requirements.
  3. Partner Verification: Companies are realizing their security doesn’t just depend on their own efforts, but also on the efforts of their partners. The demand for partner-to-partner security verification has grown exponentially in the last 5 years. Many partners will require some assurance your security controls are appropriate before sharing sensitive data or providing access to sensitive systems. A comprehensive independent risk assessment can satisfy this need. You can also take the next step and obtain a security certification such as ISO 27001, SOC 2, HITRUST, or CMMC Compliance.

Contact Us

Risk assessments and security audits are an essential tool in today’s marketplace. Whether you’re using this valuable tool for peace of mind that your security is adequate, or have found that a certification is an essential gateway to doing business in a particular sector, there are many reasons to verify you have all the right pieces in place to defend the high-risk areas of your business. For additional information, contact us.
