If you have ever purchased a “one-size-fits-all” item of clothing, you know that it is never really going to fit everyone. Some people are too short and others too tall. Most cybersecurity standards and regulatory requirements recognize that the same limitation applies to cybersecurity. Multinational corporations have different needs when compared to small and mid-sized organizations. Often, starting the risk assessment process is more difficult than engaging in the overarching risk management process. Breaking it into smaller pieces, however, makes it more manageable and less daunting.
Cyber Security Risk Assessment Methodology
Step 1: Create a Risk Management Team
Even though you’re a cyber superhero, you’re not omnipotent. In other words, you need to form alliances within the organization to help you gain insight into the organization’s total risk profile.
Each department uses different platforms and enablements. While you may have a “good idea” as to what they’re using, creating a cross-functional team not only allows you to communicate risk but also ensures a holistic analysis.
Your team should, at a minimum, include:
- Senior Management: to provide oversight
- Chief Information Security Officer: to review network architecture
- Privacy Officer: to locate personally identifiable information
- Marketing: to discuss information collected and stored
- Product Management: to ensure product security throughout the development cycle
- Human Resources: to give insight into employee personally identifiable information
- Manager for Each Major Business Line: to cover all data across the enterprise
The risk-based approach starts with understanding and aligning business objectives to information security goals. Therefore, you need cross-functional input.
Step 2: Catalog Information Assets
Another reason that establishing an inter-department risk management team matters is ensuring that you catalog all information assets. You know what your organization collects, stores, and transfers, but you may not have full insight into all the different Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) offerings that other departments use.
Equally important, other departments may not recognize that they’re using SaaS vendors who can put information at risk. Third-party vendors remain a significant data breach risk. As such, you need to ask questions that help you understand the different types of data your company collects, stores, and transmits as well as the locations involved:
- What are the kinds of information departments are collecting?
- Where are they storing that information?
- Where are they transmitting that information?
- Where are they collecting that information?
- What are the vendors each department uses?
- What information do those vendors access?
- What are the authentication methods used for information access?
- Where are the physical locations where the organization stores information?
- What devices do workforce members use?
- Are there remote workforce members accessing information?
- How are remote workforce members accessing information?
- What networks transmit information?
- What databases store information?
- What servers collect, transmit, and store information?
Step 3: Assess Risk
Not all information is equal. You know that some information is more critical than other information. Also, not all vendors are equally secure. Once you identify all your information assets, you need to look at the risks that the information and vendors pose.
- What systems, networks, and software are critical to business operations?
- What information needs to have availability, confidentiality, and integrity maintained?
- What personally identifiable information do you store, transmit, or collect that needs to be anonymized in the event encryption fails?
- What devices are most at risk of data loss?
- What is the potential for data corruption?
- What are the systems, networks, and software that cybercriminals might target for a data breach?
- What is the potential reputation risk arising from a data breach?
- What is the potential financial risk arising from a data breach?
- What is the potential business operation risk arising from a cybersecurity event?
- Do you have a business continuity plan that enables you to get back to business rapidly?
The risk assessment process takes your information asset catalog and looks at all the potential locations that cybercriminals might try to access. Therefore, you need to look at every type of information, vendor, system, network, software, and device to determine the risk it poses. You also need to think about the impact that a data event can have on business reputation, finances, continuity, and operations.
Step 4: Analyze Risk
Analyzing risk takes the assessment an extra step. Just like not all information needs to be secured equally, not all risks are equal. Thus, you need to think about:
- Probability: The likelihood of a cybercriminal obtaining access to the information.
- Impact: The financial, operational, and reputational impact that the data event can have on your organization.
Multiplying probability by impact gives each risk a score that you can compare against your risk tolerance level. Defining your risk tolerance means deciding whether to accept, transfer, mitigate, or refuse a risk.
For example, a database containing public information, such as the definition of NIST or NY DFS requirements, might have few controls securing it, making the probability of unauthorized access high. However, if a cybercriminal only grabbed that information or other publicly available information, the impact would be low. In the analysis, therefore, you might be willing to accept the information security risk, since despite the high probability the impact is low.
On the other hand, if you’re collecting financial information from customers, the probability might be low, but the impact could be devastating to both finances and reputation. Thus, you may want to transfer this risk by finding a vendor to support your business objectives.
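The probability-times-impact scoring described above, worked through as an added example (this is not code from the original post or from ZenGRC). It assumes a 1-to-5 scale for both probability and impact, a numeric tolerance threshold, and simple rules for choosing between transfer, mitigate and refuse once a score exceeds tolerance; all three are assumptions made for the example, and the two sample assets are constructed to match the public-database and customer-financial-data cases in the text.

```python
from dataclasses import dataclass

# Assumed scale for this example: 1 (lowest) to 5 (highest) for both factors.
SCALE_MIN, SCALE_MAX = 1, 5

# Assumed tolerance: risk scores at or below this value are accepted.
DEFAULT_TOLERANCE = 6


@dataclass(frozen=True)
class InformationAsset:
    name: str
    probability: int  # likelihood a cybercriminal obtains access, 1..5
    impact: int       # combined financial, operational and reputational impact, 1..5

    def __post_init__(self):
        # Reject out-of-range inputs early so a typo cannot silently skew the ranking.
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")


def risk_score(asset: InformationAsset) -> int:
    """Probability multiplied by impact, as the post describes."""
    return asset.probability * asset.impact


def recommend_treatment(asset: InformationAsset, tolerance: int = DEFAULT_TOLERANCE) -> str:
    """Map a scored risk to one of the four treatments named in the post.

    The rules below are assumptions for this example, not the post's own:
    - at or below tolerance: accept
    - high impact but low probability: transfer (e.g. to a vendor or insurer)
    - high impact and high probability: refuse (do not take on the activity)
    - everything else above tolerance: mitigate with controls
    """
    if risk_score(asset) <= tolerance:
        return "accept"
    if asset.impact >= 4 and asset.probability <= 2:
        return "transfer"
    if asset.impact >= 4 and asset.probability >= 4:
        return "refuse"
    return "mitigate"


def rank_by_score(assets):
    """Return asset names ordered from highest to lowest risk score."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


def build_register(assets, tolerance: int = DEFAULT_TOLERANCE):
    """Produce a simple risk register: name -> (score, recommended treatment)."""
    return {a.name: (risk_score(a), recommend_treatment(a, tolerance)) for a in assets}


# Constructed sample catalog mirroring the post's two cases plus two more.
SAMPLE_ASSETS = [
    InformationAsset("public reference database", probability=5, impact=1),
    InformationAsset("customer financial records", probability=2, impact=5),
    InformationAsset("remote workforce laptops", probability=4, impact=3),
    InformationAsset("unpatched internet-facing server", probability=5, impact=5),
]

if __name__ == "__main__":
    for name, (score, treatment) in build_register(SAMPLE_ASSETS).items():
        print(f"{name:35} score={score:2}  treatment={treatment}")
```

The register is deliberately tiny; in practice the probability and impact values come from the cross-functional team in Step 1, and the tolerance threshold is a management decision that should be recorded alongside the scores so that later reviews (Step 6) can see why each treatment was chosen.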
Step 5: Set Security Controls
After deciding the level of risk you’re willing to accept, you need to define security controls. Some controls include:
- Network segregation
- At-rest and in-transit encryption
- Anti-malware and anti-ransomware software
- Firewall configuration
- Password protocols
- Multifactor authentication
- Workforce training
- Vendor risk management program
Although this is only a short list of controls, it gives you an idea of how to think about setting them. For example, if you create a series of security controls that you think adequately protect your infrastructure, then you want to ensure, as part of your vendor risk management program, that your third-party business partners also align with your information security stance.
Step 6: Monitor and Review Effectiveness
For a long time, audits were considered a primary review mechanism for ensuring IT security. Unfortunately, as malicious actors continually evolve their methodologies to thwart security controls, organizations need to maintain a risk management program that continuously monitors their IT environments for new threats.
Moreover, your risk analysis needs to be flexible and able to adjust to these new threats. For example, as part of the risk mitigation process, you need to think about your response mechanisms so that you can maintain a robust cybersecurity profile.
How ZenGRC enables the risk process
ZenGRC allows you to prioritize tasks so that everyone knows what to do and when to do it, and lets you more rapidly review the “to do” and “completed tasks” lists.
With our workflow tagging, you can assign tasks to the individuals in your organization responsible for the activities involved in risk assessment, risk analysis, and risk mitigation.
Finally, with our audit trail capabilities, you can document remediation activities to prove that you maintained data confidentiality, integrity, and availability as required by law.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.