A proper risk assessment is a fundamental start to moving forward with improving your information security posture. Here are some considerations to help you get the most value from your security & privacy risk assessment.
A risk assessment is a process of identifying, analyzing, and evaluating potential risks to an organization, project, or product. It allows an organization to determine the likelihood of potential risks and their impact. It also helps organizations develop strategies to mitigate or avoid those risks.
Who is involved in the risk assessment? You'll need to organize an assessment team. Designate who will fill critical roles such as risk manager, assessment team leader, risk assessors, and any subject matter experts.
Top-level buy-in and support are necessary for your risk assessment and security program to be successful. A proper risk assessment will demonstrate the return on investment (ROI) the company will get on its IT security investments in comprehensive business terms.
It's essential to clearly define the project scope to determine the time and resources you'll need. Equally important, you'll also know what is out-of-scope. Be specific about what you're assessing. Are you assessing a product? An organizational process? A network or data center?
Opening a conversation about flaws and risks in your processes and tools can open the door to company-wide problem-solving. You can define the scope internally or in partnership with an expert, objective opinion on best defining a realistic scope.
What laws, regulations, and internal policies must you comply with?
Determine the laws, regulations, codes, standards, and internal policies to consider when assessing your risk.
What do you have, and what do you need to protect? After listing all your assets, you can focus on the assets you want to include in your risk assessment.
Look for any way your assets could be compromised. Outline any vulnerabilities and potential threats to the security of each. Every vulnerable asset is matched with its potential threat to form a "risk scenario." For instance, a flaw in your website's code is your vulnerability, and the threat is an attacker aiming to exploit said vulnerability.
When thinking about threats to data security, hackers are usually top of mind, but threats to your business's information security come in many different forms. For example, according to the 2022 Verizon Data Breach Report (DBR), leaving portable devices in personal vehicles is a recurring theme in data compromise statistics.
Many attackers are looking for easy targets with large numbers of CVEs to exploit as an opportunistic attack sales funnel.
According to the Verizon DBR, they start with scanning for IPs and open ports. Then they move to crawling for specific services. They then move on to testing for specific Common Vulnerabilities and Exposures (CVE). Finally, they try Remote Code Execution (RCE) to gain access to the system.
The average (median) organizations sampled in 2022 "run a pretty tight ship" security-wise and have relatively few CVEs per host.
Two key questions:
(5x5 Risk Matrix Example)
All information is placed into a "risk register," which lists each risk by category and rank. The risk register has an associated "treatment plan" detailing how to potentially address each risk—for example, to accept, avoid, transfer or remediate.
The risk register and treatment plan rank each threat and vulnerability pair called a risk scenario by its severity, budget requirements, expertise needed (such as internal vs. external consultation), etc., to help you prioritize how and when to address each issue.
According to the 2022 Verizon DBR, over 80% of breaches can be attributed to stolen credentials. There's been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the past four years.
"We have continued to see poor password practices as one of the leading causes of data breaches dating back to 2009. It is particularly disconcerting that so many large breaches stem from the use of default and/or shared credentials, given the relative ease with which these attacks could be prevented." (2009 DBIR page 17)."
"Those who cannot remember the past are condemned to repeat it." – George Santayana
Truvantis® is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations, and products.
We specialize in helping our clients improve their cybersecurity posture by implementing, testing, auditing, and operating information security programs.
If you'd like to talk to an expert, we're here to help.
For more information on risk assessments, please download our free white paper,
6 Steps to Get Real Value out of Your Risk Assessment.