Evaluating your IT risk – how and why

Michael Aminzade of Trustwave

Ensuring complete protection against cyber criminals can be a virtually impossible task, but organisations can give themselves the best chance of avoiding an attack by performing regular IT risk assessments. The current threat landscape is a turbulent one and assessing risk management processes to ensure they address an organisations specific challenges should be a priority. Once the biggest risks have been identified, implementing the optimal level of security addressing the specific needs of the business can begin, says Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave.

The end result of performing an information security risk assessment is to identify where the biggest deficiencies are and develop a plan which acknowledges them and can work to mitigate the threats. A clear understanding of a business’s goals is necessary before beginning a risk assessment. Potential threats, likelihood of compromise and the impact of a loss need to be initially established. Conducting in-depth interviews with senior management, IT administrators and stakeholders involving all aspects of the organisation can help to determine where any gaps in security are.

The classic CIA triad – confidentiality, integrity and availability – is often used as the basis for conducting an assessment and is a useful guidance model for cyber security. A good balance between the triad can be difficult to achieve – a focus on availability is likely to compromise confidentiality and integrity, while too much of an emphasis on confidentiality or integrity will also likely impact availability.

Once a thorough assessment has taken place, the next step is to determine which security controls are best suited to mitigate business risk. These can include a combination of technology, policy, process and procedure.

Risk assessment frameworks

When undertaking a security risk assessment there are a number of security frameworks which you can choose to aid you. The five most common ones are ISO 27000x Series, OCTAVE, COBIT, NIST 800-53 and NIST Cybersecurity Framework. Of the five frameworks, NIST (the National Institute of Standards and Technology) has emerged as the most favoured one, with businesses, educational institutions and government agencies using it regularly.

NIST is a unit of the US Commerce Department and has produced the guidance documents free of charge. The Cybersecurity Framework (CSF) was designed to help organisations of all sizes and any degree of cyber security sophistication apply best practice of risk management.

The framework is comprised of three components: framework profile, framework core and framework implementation tiers. The framework is designed to be flexible and can be used alongside other cybersecurity risk management processes, such as ISO (International Organisation for Standardisation) standards, as such it is relevant to risk assessments outside of the US too.

NIST 800-53 was designed to support compliance with the U.S. Federal Information Processing Standards (FIPS) and is the predecessor of the NIST Cybersecurity Framework (CSF). This special publication provides organisational officials with evidence about effectiveness of implemented controls, indications of quality of risk management processes used and information regarding the strengths and weaknesses of information systems.

Best practice

With the commercialisation of cybercrime, many organisations are making the shift from pure compliance to a much broader risk-mitigation and data protection strategy. The risk assessment methodology has always addressed the entire supply chain and not just internal systems. However, recently we are seeing more of a focus on assessing the risks of third party vendor access to internal systems too.

Similarly, the BYOD (bring you own device) trend has led to a greater need for focus on endpoint security and the consideration of the impact of endpoints to an organisations risk profile. With the added complexity, it is worth considering the benefits of working with a managed security services provider (MSSP). Their extensive knowledge and experience can help organisations understand how best to secure an ever-expanding network.

When developing a risk assessment model, it is essential that you have senior management’s support, and they must understand and either accept the risks which are inherent to the organisation or have a plan to mitigate them and bring the risk posture back in line with the organisations expected levels.

Ideally, the CISO or CIO should be overseeing the risk assessment schedule and findings as well as any remediation plans and provide regular updates to the rest of the executive management, but all employees need to be reminded that they also share the responsibility when it comes to the security of the business.

Training should be provided on how to recognise risks such as malicious emails and what the procedure is if they suspect that they identified one. Ultimately, businesses need to acknowledge that there is no such thing as perfect security, and the goal should be to have the optimum level of security for the organisation.

Setting up and risk framework and undertaking IT risk assessments will help to identify the appropriate level of security for your organisation. Once the weaknesses have been identified, they can be addressed, keeping your business as safe as possible.

When combining risk assessment with security maturity assessments allows an organisation to build an investment strategy for a security road map as well as demonstrate the return to the business on the approved investment.

The author of this blog is Michael Aminzade, vice president of Global Compliance and Risk Services at Trustwave

Comment on this article below or via Twitter: @IoTNow OR @jcIoTnow


9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more

Infineon and Rainforest Connection create real-time monitoring system to detect wildfires

Posted on: October 22, 2021

Munich and San Jose, California, 21 October, 2021 – Infineon Technologies AG a provider of semiconductors for mobility, energy efficiency and the IoT, announced a collaboration with Rainforest Connection (RFCx), a non-profit organisation that uses acoustic technology, Big Data and Artificial Intelligence / Machine Learning to save the rainforests and monitor biodiversity.

Read more

Infineon simplifies secure IoT device-to-cloud authentication with CIRRENT Cloud ID service

Posted on: October 21, 2021

Munich, Germany. 21 October 2021 – Infineon Technologies AG launched CIRRENT Cloud ID, a service that automates cloud certificate provisioning and IoT device-to-cloud authentication. The easy-to-use service extends the chain of trust and makes tasks easier and more secure from chip-to-cloud, while lowering companies’ total cost of ownership. Cloud ID is ideal for cloud-connected product companies

Read more