Ensuring complete protection against cyber criminals can be a virtually impossible task, but organisations can give themselves the best chance of avoiding an attack by performing regular IT risk assessments. The current threat landscape is a turbulent one and assessing risk management processes to ensure they address an organisations specific challenges should be a priority. Once the biggest risks have been identified, implementing the optimal level of security addressing the specific needs of the business can begin, says Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave.
The end result of performing an information security risk assessment is to identify where the biggest deficiencies are and develop a plan which acknowledges them and can work to mitigate the threats. A clear understanding of a business’s goals is necessary before beginning a risk assessment. Potential threats, likelihood of compromise and the impact of a loss need to be initially established. Conducting in-depth interviews with senior management, IT administrators and stakeholders involving all aspects of the organisation can help to determine where any gaps in security are.
The classic CIA triad – confidentiality, integrity and availability – is often used as the basis for conducting an assessment and is a useful guidance model for cyber security. A good balance between the triad can be difficult to achieve – a focus on availability is likely to compromise confidentiality and integrity, while too much of an emphasis on confidentiality or integrity will also likely impact availability.
Once a thorough assessment has taken place, the next step is to determine which security controls are best suited to mitigate business risk. These can include a combination of technology, policy, process and procedure.
Risk assessment frameworks
When undertaking a security risk assessment there are a number of security frameworks which you can choose to aid you. The five most common ones are ISO 27000x Series, OCTAVE, COBIT, NIST 800-53 and NIST Cybersecurity Framework. Of the five frameworks, NIST (the National Institute of Standards and Technology) has emerged as the most favoured one, with businesses, educational institutions and government agencies using it regularly.
NIST is a unit of the US Commerce Department and has produced the guidance documents free of charge. The Cybersecurity Framework (CSF) was designed to help organisations of all sizes and any degree of cyber security sophistication apply best practice of risk management.
The framework is comprised of three components: framework profile, framework core and framework implementation tiers. The framework is designed to be flexible and can be used alongside other cybersecurity risk management processes, such as ISO (International Organisation for Standardisation) standards, as such it is relevant to risk assessments outside of the US too.
NIST 800-53 was designed to support compliance with the U.S. Federal Information Processing Standards (FIPS) and is the predecessor of the NIST Cybersecurity Framework (CSF). This special publication provides organisational officials with evidence about effectiveness of implemented controls, indications of quality of risk management processes used and information regarding the strengths and weaknesses of information systems.
With the commercialisation of cybercrime, many organisations are making the shift from pure compliance to a much broader risk-mitigation and data protection strategy. The risk assessment methodology has always addressed the entire supply chain and not just internal systems. However, recently we are seeing more of a focus on assessing the risks of third party vendor access to internal systems too.
Similarly, the BYOD (bring you own device) trend has led to a greater need for focus on endpoint security and the consideration of the impact of endpoints to an organisations risk profile. With the added complexity, it is worth considering the benefits of working with a managed security services provider (MSSP). Their extensive knowledge and experience can help organisations understand how best to secure an ever-expanding network.
When developing a risk assessment model, it is essential that you have senior management’s support, and they must understand and either accept the risks which are inherent to the organisation or have a plan to mitigate them and bring the risk posture back in line with the organisations expected levels.
Ideally, the CISO or CIO should be overseeing the risk assessment schedule and findings as well as any remediation plans and provide regular updates to the rest of the executive management, but all employees need to be reminded that they also share the responsibility when it comes to the security of the business.
Training should be provided on how to recognise risks such as malicious emails and what the procedure is if they suspect that they identified one. Ultimately, businesses need to acknowledge that there is no such thing as perfect security, and the goal should be to have the optimum level of security for the organisation.
Setting up and risk framework and undertaking IT risk assessments will help to identify the appropriate level of security for your organisation. Once the weaknesses have been identified, they can be addressed, keeping your business as safe as possible.
When combining risk assessment with security maturity assessments allows an organisation to build an investment strategy for a security road map as well as demonstrate the return to the business on the approved investment.
The author of this blog is Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave