6 Steps To Performing a Cybersecurity Risk Assessment

Published February 5, 2019 by 4 min read

There’s no such thing as “one-size-fits-all” cybersecurity. Multinational corporations face different cyber risks than smaller organizations. 

Cybersecurity standards and regulatory requirements recognize that different companies will need to take different approaches to guarding their information systems against potential threats such as unauthorized access to sensitive data and cyberattacks

But data protection, including data risk protection, is essential for large and small businesses with an online presence. To establish a strong defense against cybercrime and elevate your overall security posture, you need a comprehensive information technology security program. The way to start is with a cyber risk assessment.

Also known as vulnerability assessments, cybersecurity risk assessments aren’t easy–and getting started can be the hardest part of the entire risk management process. To help, we’ll take you through the process step by step.

Step 1: Create a Risk Management Team

A cross-departmental team is key to identifying cyber threat sources and mitigating risks to systems and data security organization-wide, communicating risk, and conducting effective incident response.

Your team should, at a minimum, include:

  • Senior management: to prove oversight
  • Chief Information Security Officer: to review network architecture
  • Privacy officer: to locate personally identifiable information, as required by the EU General Data Protection Regulation (GDPR)
  • Compliance officer: to ensure compliance with the National Institute of Standards and Technology‘s Cybersecurity Framework (NIST CSF) the Health Information Portability and Accountability Act (HIPAA), and other security standards
  • Marketing: to discuss the information collected and stored
  • Product management: to ensure product security throughout the development cycle
  • Human resources: to give insight into employee personally identifiable information
  • Manager from each major business line: to cover all data across the enterprise

The risk-based approach starts with understanding and aligning business objectives to information security goals. Therefore, you need cross-functional input.

Step 2: Catalogue Information Assets

Your inter-department risk management team can now work together to catalogue all your business’s information assets, including your network infrastructure and the various Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) solutions used throughout the company.

The assets that your third-party vendors use should be included in your list. Third-party vendors remain a significant data breach risk. 

To understand types of data your company collects, stores, and transmits as well as the locations involved, ask these questions:

  • What kinds of information are departments collecting?
  • Where are they storing that information?
  • To where do they send it?
  • From where are they collecting it?
  • Which vendors does each department use?
  • What access do those vendors have?
  • Which authentication methods, such as multi-factor authentication, do you use for information access?
  • Where, physically, does your company store information?
  • Which devices do workforce members use?
  • Do remote workers access information? How?
  • Which networks transmit information?
  • Which databases store information?
  • Which servers collect, transmit, and store information?

Step 3: Assess Risk

Some information is more critical than other information. Not all vendors are equally secure. Once you’ve identified your information assets, it’s time to assess the risks to them and your enterprise. 

  • Which systems, networks, and software are critical to business operations?
  • What sensitive information needs to have availability, confidentiality, and integrity maintained?
  • What personal information do you store, transmit, or collect that needs to be anonymized in the event encryption fails?
  • Which devices are most at risk of data loss?
  • What is the potential for data corruption?
  • Which systems, networks, and software might cybercriminals target for a data breach?
  • What reputation harm might arise from a security incident?
  • What financial risks do the possibility of a data breach or data leak pose?
  • What business operation risks would stem from a cybersecurity event?
  • Do you have a business continuity plan that enables you to get back to business rapidly?

The risk assessment process considers risks to the information assets in your catalogue, and what harm breaches of each might cause to your enterprise including to business reputation, finances, continuity, and operations.

Step 4: Analyze Risk

Risk analysis assigns priority to the risks you’ve listed. For each risk, assign a score based on: 

  • Probability: The likelihood of a cybercriminal’s obtaining access to the asset
  • Impact: The financial, operational, and reputational impact that a security event might have on your organization

To establish your risk tolerance level, multiply the probability by the impact.

Also, for each risk, determine your response:  accept, avoid, transfer, or mitigate.

For example, a database containing public information such as the definition of NIST or NY DFS requirements might have few controls securing it, thus making it a high risk. However, if a cybercriminal only grabbed that information or other publicly available information, the impact would be low. In the analysis, therefore, you might be willing to accept the information security risk since, despite the high probability, the impact score is low.

On the other hand, if you’re collecting financial information from customers, the probability score might be low, but the impact of a breach could devastate customer finances and your business reputation. You may decide to transfer this “high” risk by finding a vendor to collect the information.

Step 5: Set Security Controls

Next, you need to define security controls. Controls include:

  • Network segregation
  • At-rest and in-transit encryption
  • Anti-malware and anti-ransomware software
  • Firewall configuration
  • Password protocols
  • Multi-factor authentication
  • Workforce training
  • Vendor risk management program

Step 6: Monitor and Review Effectiveness

For many years, organizations relied on penetration testing and periodic audits to establish and ensure their IT security. But as malicious actors continually evolve their methodologies to thwart security controls, your organization needs to adjust its security policies, and maintain a risk management program that continuously monitors your IT environment for new threats.

Your risk analysis needs to be flexible, too. For example, as part of the risk mitigation process, you need to think about your response mechanisms so that you can maintain a robust cybersecurity profile.

Worry-free risk management 

ZenGRC helps you prioritize tasks so that everyone knows what to do and when to do it. Its user-friendly dashboards make it easy to review “to do” and “completed tasks” lists.

Its workflow tagging lets you easily assign tasks for the activities involved in risk assessment, risk analysis, and risk mitigation, and its ServiceNow connector enables two-way communication with that popular workflow application.

When audit time rolls around, ZenGRC’s “Single Source of Truth” audit-trail document repository lets you quickly access the evidence you need of data confidentiality, integrity, and availability as required by law. 

Contact us today for a free consultation, and get started on the path to worry-free risk management–the Zen way.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

Help us get to know you.

Get a demo