Cyber Security Risk Assessment
What is a Cyber Security Risk Assessment?
A cyber security risk assessment is a review of the organization’s cyber security risks and of whether adequate controls exist to address them. It covers system and application security as well as governance and policy controls.
Why Risk Assessment is Important
The purpose of a cyber security analysis of this nature is to understand where potential gaps and cyber security risks exist so that mitigation can be prioritized and completed. Additionally, ensuring proper controls are in place provides the basis for routine audits that confirm the organization stays protected.
Information is at the heart of every organization’s business, and some of the information it stores can be extremely valuable to outsiders. Cyber espionage lets organizations steal plans and ideas from competitors; cyber terrorism is used to disrupt government operations or steal data, bypassing the slower route of traditional spying. Data breaches lead to loss of reputation and sales.
As organizations create their comprehensive information security management practice, they need to manage physical and electronic data access. This practice secures the confidentiality, integrity, and availability of the organization’s data and ensures that they base operations on trustworthy data available when needed. It also ensures their ability to meet data privacy regulations. The cyber security risk assessment and audit process assures the cyber security aspect of this practice.
With GDPR protecting personal identifying information, HIPAA protecting health information and PCI regulations protecting credit card data, organizations must ensure they have appropriate controls over data confidentiality and integrity in place or face stiff financial consequences. Organizations that fail to do so often pay heavy fines and are required to reimburse customers or employees for access to identity theft prevention services when they become the victims of a data breach.
Cyber security threat assessment starts with developing an understanding of the existing risks in the organization and ensuring there are adequate controls in place to address them. With documented controls, the organization can perform routine cyber security assessments and audits that prove it is taking steps to secure the enterprise, much as financial audits prove it is managing the controls needed to satisfy regulators and investors.
Thus, a cyber security threat assessment has become an essential tool for assuring customers and employees that the organization is taking the proper steps to secure their data, which increases confidence in the organization.
How to Perform the Risk Assessment
A cyber security risk assessment is conducted in much the same way as a financial or computing control audit is performed:
- Create a repeatable process that helps assess the organization’s risk based on known vulnerabilities and threats.
- Document a set of controls to address them.
- Audit against these controls.
Companies considering how to do a cyber security risk assessment can look to existing frameworks, including the following:
- The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cyber Security, a free governmental framework.
- The HITRUST Critical Security Framework, a commercial security framework that incorporates known privacy regulations and other frameworks, including the NIST framework, COBIT, PCI compliance and HIPAA compliance.
These frameworks and the guidance in regulations like GDPR, HIPAA, and PCI help organizations develop a cyber risk assessment methodology by clarifying the data privacy and cyber security requirements that need to be followed.
Organizations need to develop their own cyber security risk assessment steps that ensure the controls they put in place are adequate and can be routinely audited. A cyber risk assessment practice could include the following steps:
Step 1: Identify the Risks
Understand and identify the risk to the organization regarding people, systems, data, assets, and organizational capabilities and their relation to data security and compliance. This is the heart of the cyber security risk assessment. Within this step, create an inventory of risks including the following:
- Data to be protected and the applications that rely upon it.
- Architecture and infrastructure components used to support critical data and/or operations.
- Known vulnerabilities in the applications and infrastructure that might be used to gain access to the data.
- Other avenues (e.g., applications) through which social engineering attempts could introduce malicious code.
Two questions can help identify high-risk services and systems when conducting this inventory:
Which systems house the most confidential information? HR systems, product sales websites, and financial and planning systems are often prime candidates for data theft.
Which systems could bring down the organization most quickly if unavailable? Systems that manage the core business or communications are good candidates for business disruption.
Cyber security threat assessment starts with building this initial inventory of critical systems and data. The inventory also ensures that the organization’s information security management practice is aimed at protecting the data and services most critical to operations, enabling the organization to optimize the resources used to protect itself against cyber-crime.
Step 2: Evaluate the Vulnerabilities
Part of a good cyber security analysis involves understanding how cyber-criminals would gain access to these critical systems and determining which of those routes apply to the organization’s computing environment:
- Social engineering aimed at people, enticing them to download software that appears legitimate, click on email links that appear important, or take other actions that introduce malicious code.
- Data, applications and assets operating within a computing architecture that has known vulnerabilities that could be used to gain access.
- Endpoints that, if left unprotected, could be used to gain network access or be subjected to denial-of-service attacks.
Step 3: Evaluate Risk, Likelihood, and Impact of Each Item in the Inventory
Create a scoring mechanism to prioritize each risk, starting with the organizational impact should that item be compromised. The mechanism should let each item be scored and ranked as a high-, medium-, or low-risk vulnerability. Then develop operational level agreements (OLAs) for mitigating each level of risk. For example:
- High-risk items mitigated within 1 week
- Medium-risk items mitigated within 1 month
- Low-risk items mitigated as practical, or risk accepted by the leadership team
This enables IT teams to focus on the most critical items first and establishes controls for infrastructure and applications that can later be audited.
Step 4: Determine and Document Required Controls
Policies and controls help mitigate risk, so beginning with the highest priorities first, the organization needs to implement appropriate controls. Some of the following examples may help build this aspect of the cyber security risk assessment methodology:
- Staff members take required cyber security training programs annually, which include information on ways malicious code could be introduced through their actions.
- Random checks are performed by sending emails that look legitimate but report back to the cyber security team when the staff member clicks on a link.
- Security vulnerability management programs are in place to scan infrastructure and applications for known vulnerabilities and recommend mitigations, which are addressed according to the documented guidance for each risk level.
- Items that are not mitigated due to low risk are accepted by an executive of the appropriate authority, for example, the CISO or CIO.
- Penetration tests are conducted annually by a third party to ensure system and application vulnerabilities are appropriately mitigated.
These controls make the critical cyber security risk assessment steps clear to the individuals performing them and help prioritize the work to be done.
Step 5: Audit Against the Controls
Having a cyber security risk assessment program in place is not enough. Routine audits must be performed using the controls as guidance, ensuring they are being carried out. It doesn’t help to have a control that says high-risk vulnerabilities must be addressed within a week if no one ever checks that the control is being observed and if people are not held accountable.
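The following is an added example, not code from the original article or from CG Technologies. It implements Steps 3 to 5 as a small risk register: each inventory item gets a likelihood × impact score, is banded as high, medium or low, receives the mitigation OLA the article gives as an example (1 week for high, 1 month for medium, acceptance by an executive for low), and the audit function checks every item against that control and reports which are overdue, on track, mitigated, or still waiting for a formal risk acceptance. The 1–5 rating scale, the band thresholds and the sample inventory are constructed assumptions.

```python
"""Risk register scoring and OLA audit (added example, not the article's own code).

Assumptions: likelihood and impact are rated 1..5, a score of 15+ is high and 6+ is
medium, and the sample findings below are constructed, not real.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

HIGH_THRESHOLD = 15     # assumed band on likelihood * impact (range 1..25)
MEDIUM_THRESHOLD = 6    # assumed band

# Mitigation OLAs from the article's example; low-risk items have no fixed deadline.
OLA_DAYS: Dict[str, Optional[int]] = {"high": 7, "medium": 30, "low": None}

TODAY = date(2024, 3, 20)   # constructed audit date


@dataclass
class RiskItem:
    name: str
    system: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    identified: date
    mitigated: Optional[date] = None     # date remediation was verified
    accepted_by: Optional[str] = None    # executive who accepted residual risk

    def __post_init__(self) -> None:
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be 1..5, got {value}")


def score(item: RiskItem) -> int:
    """Likelihood x impact score used to rank the register."""
    return item.likelihood * item.impact


def rating(item: RiskItem) -> str:
    """Band the score as high / medium / low."""
    s = score(item)
    if s >= HIGH_THRESHOLD:
        return "high"
    if s >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def ola_deadline(item: RiskItem) -> Optional[date]:
    """Date by which the item must be mitigated under its OLA, or None for low risk."""
    days = OLA_DAYS[rating(item)]
    return None if days is None else item.identified + timedelta(days=days)


def prioritize(items: List[RiskItem]) -> List[RiskItem]:
    """Highest score first; ties broken by the older finding."""
    return sorted(items, key=lambda i: (-score(i), i.identified))


def audit(items: List[RiskItem], today: date) -> Dict[str, List[str]]:
    """Step 5: check every item against the OLA control and group names by status."""
    findings: Dict[str, List[str]] = {
        "overdue": [], "on_track": [], "mitigated": [], "mitigated_late": [],
        "accepted": [], "needs_acceptance": [],
    }
    for item in items:
        deadline = ola_deadline(item)
        if item.mitigated is not None:
            late = deadline is not None and item.mitigated > deadline
            findings["mitigated_late" if late else "mitigated"].append(item.name)
        elif deadline is None:  # low risk: mitigate as practical or formally accept
            findings["accepted" if item.accepted_by else "needs_acceptance"].append(item.name)
        elif today > deadline:
            findings["overdue"].append(item.name)
        else:
            findings["on_track"].append(item.name)
    return findings


# Constructed sample inventory (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Outdated TLS library on sales website", "sales-web", 4, 5, date(2024, 3, 1)),
    RiskItem("No MFA on HR portal", "hr-portal", 3, 5, date(2024, 3, 15)),
    RiskItem("Phishing-simulation click rate above target", "staff", 3, 2,
             date(2024, 2, 25), mitigated=date(2024, 3, 10)),
    RiskItem("Legacy printer firmware no longer supported", "print-01", 2, 2,
             date(2024, 1, 10), accepted_by="CISO"),
    RiskItem("Unmonitored test VM", "lab-vm-07", 1, 3, date(2024, 2, 1)),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{score(item):>2} {rating(item):<6} due {ola_deadline(item)}  {item.name}")
    for status, names in audit(SAMPLE_REGISTER, TODAY).items():
        print(f"{status}: {names}")
```

Running the script lists the register from highest to lowest score and then the audit result; the overdue and needs_acceptance buckets are the ones an auditor would raise, because they show a control that exists on paper but is not being observed.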
Cyber Security Risk Assessment Checklist
Effective implementation of cyber security risk assessment controls requires an understanding of the practice. Cyber security risk assessment checklists help IT staff understand what they should be doing every day, and cyber security risk assessment templates can be used to ensure routine audits that are repeatable and consistently performed.
The cyber security risk assessment checklist could include the following activities:
- Create the data inventory: Identify all applications and databases housing employee data (including employee banking data), customer data (including credit card data), and employee or customer health information
- Create the system inventory: Identify systems that are critical to the daily operation of the business
- Document all architecture used to house or operate these items (specific component, model, and version level)
- Discover all known vulnerabilities using a scanning utility that is part of a vulnerability management software suite
- Analyze risk, likelihood, and impact for each item on the inventory
- Prioritize and assign OLAs to each remediation activity
- Mitigate the vulnerabilities, working from high to low
- Arrange and execute routine penetration and denial of service tests
- Conduct routine employee training
- Design and implement tests to ensure employees are compliant with security practices
- Conduct routine audits of the controls
The cyber security risk assessment template should include tests for each of the checklist items and policy controls and can be grouped into areas. For example, a template like the table below, with a third column to document results, could be used.
- Employee Awareness Training
- Security Incident Management
The combination of a checklist that makes daily cyber prevention controls easy to follow with a template that tests these controls gives staff a repeatable process, along with an easy and repeatable way to document results. In this way, trends can be viewed and assessed over time to ensure the organization is meeting its cyber security prevention needs.
CG Technologies offers cyber security assessments that help you mitigate the risk to your business and IT infrastructure. Find out more.
Leave IT to us
With over 25 years of experience delivering exceptional services to hundreds of companies in the Greater Toronto Area (GTA), CG Technologies is confident we can deliver the same benefits to your organization – keeping you secure and delivering reliable and trusted IT solutions and expertise. Our industry-leading strategic IT consulting and IT solutions will allow you to focus on what matters most – your business.