Looking for cracks in the security of your organization’s data is critical. Cyber-attacks keep rising, and major ransomware incidents make the news nearly every week. Do you know how safe your organization’s data really is? If you do not, it is past time to find out, and conducting an information risk assessment is the way to do it.
There are several benefits to conducting an assessment:
- Avoid breaches, thereby reducing (or preventing altogether) the financial, operational and reputational costs of security incidents.
- A solid cybersecurity program is a crucial part of the foundation of a successful business today. An assessment gives upper management and/or the board the evidence that establishes the need for this program.
- Regulatory compliance (e.g., HIPAA, GDPR) and alignment with recognized frameworks such as the NIST Cybersecurity Framework or the NIST SP 800-30 guide for conducting risk assessments
Before you get started
Here are a few questions to think about before beginning the process:
- What are our organization’s critical IT assets? In other words, which data, if lost or exposed, would have a major impact on business operations?
- Which parts of your organization use or require that data?
- What types of threats would affect the ability of those parts of the organization to function?
7 steps to an information risk assessment
Every organization is different and faces its own set of risks and challenges, but the following general guidance applies to conducting your own assessment.
Step 1: Set up your team
Put together an interdepartmental Risk Management Team for identifying risks, communicating with employees, and responding to incidents more effectively and efficiently. Beyond members of your IT department, the assessment team should include:
- Someone from senior management, for oversight and to secure the resources the findings will call for
- A person who handles or represents Human Resources, to provide insight into employees’ personally identifiable information
- Managers or representatives from each of your major business or service departments, to make sure all critical data is available for review
Step 2: Catalogue and prioritize all information assets
Work with your team to compile a detailed list of your organization’s information assets. This means your own IT infrastructure and also any Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) solutions you use. Include in your catalogue the data and systems that third-party vendors and suppliers hold or can access on your behalf, as third parties can also pose a significant data breach risk.
First, compile a thorough list of assets by answering the following:
- What kinds of information are being collected by each department?
- Where is the information being sent?
- Where does the information come from?
- What vendors are being used, and what level of access does each have?
- Where is the information physically stored?
- Which devices do employees use?
- How do remote workers access information?
- What networks, databases and servers are used in the collection, transmission and storage of information?
Next, prioritize these assets from most to least valuable. Value can be thought of in terms of monetary value, legal value (including employee and customer/client privacy), reputational value and overall importance to the functioning of the organization.
Step 3: Identify risks
Now that you’ve identified your assets, it’s time to look at the risks to them. A risk is a threat acting on a weakness in an asset, so for each asset note which threats apply and what would let them succeed. Common threats to data include unauthorized access (malicious or accidental); misuse of information or privilege by an authorized person; data leakage and exposure of information (again, either with malicious intent or by accident); data loss; and disruption of service or productivity.
Step 4: Consider controls
Think about the controls your organization already has in place to reduce the likelihood or impact of each risk. For example, do you encrypt sensitive data in transit and at rest? Does your staff use MFA to access information? Do you have security policies in place, with an incident response plan for a data breach or other threat to your information? Existing controls lower the likelihood or impact you assign in the next step, so record them against the risks they cover.
Step 5: Analyze Risks
While not necessarily the most time-consuming part of a risk assessment, this can be the most complicated. It is also the most valuable, because it produces a prioritized list of risks for you to act on. Two common methods are described below. Both factor in the probability (likelihood) that a security incident will occur for a particular risk, and the impact (consequences) that incident would have on the organization.
Method 1: Scoring
First, score the probability, or likelihood, that the threat behind a particular risk will materialize, on a fixed scale such as 1 to 5. Then score the level of impact that such an incident would have on your organization on the same scale. Finally, multiply the likelihood score by the impact score to get an overall score, which you can use to rank all of your risks. Keep both component scores alongside the product: a rare but severe event (1 x 5) and a frequent nuisance (5 x 1) get the same overall score but usually deserve different treatment.
Method 2: Categorizing
First, categorize the likelihood of each threat in simple levels like high/medium/low, or in more specific, graduated variations of each. Next, categorize the potential consequences the same way. Plot each risk on a matrix with likelihood on one axis and impact on the other, where each cell maps to a priority. Now you can assemble a prioritized list of which risks to address first, from those with the highest likelihood and the most severe impact on down.
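The two methods above, worked through on a small risk register. This is an added example and not code from the original article; the register entries are constructed sample data, and the 1-to-5 scales, the high/medium/low cut-offs and the matrix cell priorities are assumptions chosen for the illustration that your team should set for itself.

```python
"""Worked example of Step 5: scoring (Method 1) and categorizing (Method 2)
a risk register. Added illustration, not part of the original article.
The 1-5 scales, the low/medium/high bands and the matrix are assumptions."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed scale for both likelihood and impact


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 = rare ... 5 = almost certain
    impact: int       # 1 = negligible ... 5 = severe

    def __post_init__(self):
        # Reject scores outside the agreed scale so products stay comparable.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}-{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Method 1: overall score = likelihood x impact."""
        return self.likelihood * self.impact


def band(value: int) -> str:
    """Method 2: collapse a 1-5 value into low / medium / high (assumed cut-offs)."""
    if value <= 2:
        return "low"
    if value == 3:
        return "medium"
    return "high"


# Assumed matrix: (likelihood band, impact band) -> priority of that cell.
MATRIX = {
    ("high", "high"): "critical", ("high", "medium"): "high",   ("high", "low"): "medium",
    ("medium", "high"): "high",   ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "medium",    ("low", "medium"): "low",     ("low", "low"): "low",
}
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def categorize(risk: Risk) -> str:
    """Look up the matrix cell a risk falls into."""
    return MATRIX[(band(risk.likelihood), band(risk.impact))]


def prioritize_by_score(risks):
    """Method 1 ordering: highest product first. Equal products (e.g. 5x1 vs
    1x5) are broken by impact, then by asset name for a stable result."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.asset))


def prioritize_by_matrix(risks):
    """Method 2 ordering: matrix cell first, then raw score within a cell."""
    return sorted(risks, key=lambda r: (PRIORITY_RANK[categorize(r)], -r.score, r.asset))


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "ransomware encrypts production DB", 3, 5),
    Risk("HR file share", "accidental exposure of employee PII", 4, 3),
    Risk("public website", "defacement via stale CMS plugin", 4, 2),
    Risk("office Wi-Fi", "guest network reaches internal VLAN", 3, 2),
    Risk("backup tapes", "physical loss in transit", 1, 5),
    Risk("laptop fleet", "theft of an unencrypted laptop", 5, 1),
]

if __name__ == "__main__":
    print("Method 1 (score):")
    for r in prioritize_by_score(REGISTER):
        print(f"  {r.score:>2}  L{r.likelihood} x I{r.impact}  {r.asset}: {r.threat}")
    print("Method 2 (matrix):")
    for r in prioritize_by_matrix(REGISTER):
        print(f"  {categorize(r):<8} {r.asset}: {r.threat}")
```

Running it shows why the choice of method matters: the two orderings agree at the top but diverge further down. The rare-but-severe loss of backup tapes (1 x 5) ranks below the guest Wi-Fi issue (3 x 2) by product, yet lands in a higher matrix cell, which is the kind of disagreement the team should resolve explicitly rather than letting the arithmetic decide.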
Step 6: Develop a roadmap for improvements
Using the results from your scored list or matrix, you can now draw up a prioritized roadmap for defining and implementing security controls. Controls help you manage risks by reducing the likelihood that they occur, reducing their impact when they do, or eliminating them altogether. Some examples of controls include:
- Network segregation
- Firewall configuration
- Password and multi-factor authentication policies
- Anti-phishing/malware/ransomware software
- Cybersecurity awareness training for staff
Step 7: Monitor, Review and Adjust regularly
Doing the risk assessment and setting up security controls is an excellent and necessary step toward protecting your organization’s information assets. However, the world of cybercrime is relentlessly evolving: malicious actors constantly change their techniques to find ways around your controls, and your own environment changes as systems, vendors and staff come and go. For that reason, it is critical that you regularly monitor and review your IT environment. Penetration testing and regular audits are part of the equation, but repeating the assessment steps above on a set schedule, and whenever a significant change occurs, needs to be a regular practice. Maintaining a standing risk management program and team is therefore key to keeping attacks at bay.
Get the ball rolling!
So there you have it. Some organizations may see this as a daunting, time-consuming process, or you may feel you do not have enough of the right personnel to pull it off on your own. We’re here to help! If you would like more specific guidance on the process, please reach out to us either through the comments section or by sending your questions to firstname.lastname@example.org.