Evaluating your IT risk – how and why

Michael Aminzade of Trustwave

Ensuring complete protection against cyber criminals can be a virtually impossible task, but organisations can give themselves the best chance of avoiding an attack by performing regular IT risk assessments. The current threat landscape is a turbulent one and assessing risk management processes to ensure they address an organisations specific challenges should be a priority. Once the biggest risks have been identified, implementing the optimal level of security addressing the specific needs of the business can begin, says Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave.

The end result of performing an information security risk assessment is to identify where the biggest deficiencies are and develop a plan which acknowledges them and can work to mitigate the threats. A clear understanding of a business’s goals is necessary before beginning a risk assessment. Potential threats, likelihood of compromise and the impact of a loss need to be initially established. Conducting in-depth interviews with senior management, IT administrators and stakeholders involving all aspects of the organisation can help to determine where any gaps in security are.

The classic CIA triad – confidentiality, integrity and availability – is often used as the basis for conducting an assessment and is a useful guidance model for cyber security. A good balance between the triad can be difficult to achieve – a focus on availability is likely to compromise confidentiality and integrity, while too much of an emphasis on confidentiality or integrity will also likely impact availability.

Once a thorough assessment has taken place, the next step is to determine which security controls are best suited to mitigate business risk. These can include a combination of technology, policy, process and procedure.

Risk assessment frameworks

When undertaking a security risk assessment there are a number of security frameworks which you can choose to aid you. The five most common ones are ISO 27000x Series, OCTAVE, COBIT, NIST 800-53 and NIST Cybersecurity Framework. Of the five frameworks, NIST (the National Institute of Standards and Technology) has emerged as the most favoured one, with businesses, educational institutions and government agencies using it regularly.

NIST is a unit of the US Commerce Department and has produced the guidance documents free of charge. The Cybersecurity Framework (CSF) was designed to help organisations of all sizes and any degree of cyber security sophistication apply best practice of risk management.

The framework is comprised of three components: framework profile, framework core and framework implementation tiers. The framework is designed to be flexible and can be used alongside other cybersecurity risk management processes, such as ISO (International Organisation for Standardisation) standards, as such it is relevant to risk assessments outside of the US too.

NIST 800-53 was designed to support compliance with the U.S. Federal Information Processing Standards (FIPS) and is the predecessor of the NIST Cybersecurity Framework (CSF). This special publication provides organisational officials with evidence about effectiveness of implemented controls, indications of quality of risk management processes used and information regarding the strengths and weaknesses of information systems.

Best practice

With the commercialisation of cybercrime, many organisations are making the shift from pure compliance to a much broader risk-mitigation and data protection strategy. The risk assessment methodology has always addressed the entire supply chain and not just internal systems. However, recently we are seeing more of a focus on assessing the risks of third party vendor access to internal systems too.

Similarly, the BYOD (bring you own device) trend has led to a greater need for focus on endpoint security and the consideration of the impact of endpoints to an organisations risk profile. With the added complexity, it is worth considering the benefits of working with a managed security services provider (MSSP). Their extensive knowledge and experience can help organisations understand how best to secure an ever-expanding network.

When developing a risk assessment model, it is essential that you have senior management’s support, and they must understand and either accept the risks which are inherent to the organisation or have a plan to mitigate them and bring the risk posture back in line with the organisations expected levels.

Ideally, the CISO or CIO should be overseeing the risk assessment schedule and findings as well as any remediation plans and provide regular updates to the rest of the executive management, but all employees need to be reminded that they also share the responsibility when it comes to the security of the business.

Training should be provided on how to recognise risks such as malicious emails and what the procedure is if they suspect that they identified one. Ultimately, businesses need to acknowledge that there is no such thing as perfect security, and the goal should be to have the optimum level of security for the organisation.

Setting up and risk framework and undertaking IT risk assessments will help to identify the appropriate level of security for your organisation. Once the weaknesses have been identified, they can be addressed, keeping your business as safe as possible.

When combining risk assessment with security maturity assessments allows an organisation to build an investment strategy for a security road map as well as demonstrate the return to the business on the approved investment.

The author of this blog is Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow

RECENT ARTICLES

Motive and Navistar partner to equip fleet operators with robust vehicle telematics data and insights

Posted on: July 1, 2022

San Francisco, USA. 29 June 2022 – Motive, the specialist in Automated Operations, and Navistar, a manufacturer and solutions provider to the medium-, heavy- and severe-service trucks industry, announced today a strategic partnership and future product integration that will connect Motive’s Automated Operations Platform with Navistar’s OnCommand Connection telematics and Advanced Remote Diagnostics solutions.

Read more

Seamless indoor cellular coverage has earnt its rightful place as a 4th utility

Posted on: July 1, 2022

“Network infrastructure including fibre broadband and Wi-Fi access points are factored into all new building projects from the outset, with mobile coverage infrastructure taking second place. Both should be given equal status in a world driven by tech,” says Colin Abrey of Nextivity.

Read more
FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, home automation using iot is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

5 challenges still facing the Internet of Things

Posted on: June 3, 2020

The Internet of Things (IoT) has quickly become a huge part of how people live, communicate and do business. All around the world, web-enabled devices are turning our world into a more switched-on place to live.

Read more

What is IoT?

Posted on: July 7, 2019

What is IoT Data as a new oil IoT connectivity What is IoT video So what’s IoT? The phrase ‘Internet of Things’ (IoT) is officially everywhere. It constantly shows up in my Google news feed, the weekend tech supplements are waxing lyrical about it and the volume of marketing emails I receive advertising ‘smart, connected

Read more
IoT Newsletter

Join the IoT Now online community for FREE, to receive: Exclusive offers for entry to all the IoT events that matter, round the world

Free access to a huge selection of the latest IoT analyst reports and industry whitepapers

The latest IoT news, as it breaks, to your inbox