Truvantis Blog

How to Actually Use Your Security Risk Assessment Report

Written by Andy Cottrell | Mar 18, 2020 9:05:01 PM

You just received the results from your security risk assessment, but now what? It’s not uncommon for companies to perform this analysis only to check the compliance checkbox and never do anything with the results.

Don’t just file your risk assessment away. Use this wealth of knowledge to improve your security. Assuming the assessment was performed well, there should be substantial value to be found in your report when used to its full potential.

Here are a few ways to use your risk assessment report to its full advantage:

1. Distribute the report throughout the chain of command.

Once you get the results, don’t make one person responsible for digging through the data. Not only can the results be intimidating for one person to digest alone, but there are likely risks that need executive approval to address.

Hand your results over to your chain of command, or to the executives who can directly influence the changes outlined in the assessment. Risks will likely be found within multiple departments internally, as well as through vendors or suppliers. These executives will know which people and processes to focus on, or at least identify the risk owner and know which manager to assign the job to. Remember that much of the risk assessment report is sensitive information and should be treated as need-to-know distribution only.

2. Stick to a consistent assessment methodology and risk register format to track metrics year-over-year.

If you perform risk assessments every year, it’s important to stick to a consistent format for tracking your changes. Your risk register ranks all your potential risk scenarios by priority with a “risk score,” and consistency in how scenarios and probabilities are defined ensures that you can rank them appropriately by importance and measure your improvement over time.

For instance, maybe in Year #1 your risk score was set on a probability scale of 1-10, but in Year #2 a different assessor ranks them from 1-8. If one vulnerability and potential threat was scoring a .2 on the first report, that would be a 20% chance of occurring. On the second assessment, however, the same number would mean something different, so the two reports could not be compared on an “apples to apples” basis.

A lack of consistency in ranked importance, and even in the way you measure the impact of damage, makes it harder to match your data and, ultimately, to gauge your success year-over-year.
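To make the scale problem concrete, here is an added example (not from the post) that normalizes two risk registers built on different likelihood scales to a common 0-1 fraction before comparing them year-over-year. It assumes risk score = normalized likelihood x normalized impact, a 1-5 impact scale in both years, and constructed sample entries; the scenario names and ranks are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    scenario: str      # threat/vulnerability pair from the register
    likelihood: int    # rank on the assessor's likelihood scale, 1..likelihood_max
    impact: int        # rank on the assessor's impact scale, 1..impact_max
    treatment: str     # mitigate, avoid, transfer or accept


def normalize(rank: int, scale_max: int) -> float:
    """Map a rank on a 1..scale_max scale to a 0-1 fraction (assumed convention)."""
    if not 1 <= rank <= scale_max:
        raise ValueError(f"rank {rank} outside 1..{scale_max}")
    return rank / scale_max


def risk_score(entry: RiskEntry, likelihood_max: int, impact_max: int) -> float:
    """Risk score as normalized likelihood x normalized impact, so registers
    built on different scales become comparable (assumed scoring model)."""
    return round(normalize(entry.likelihood, likelihood_max)
                 * normalize(entry.impact, impact_max), 4)


def compare_years(prev, prev_scales, curr, curr_scales):
    """Year-over-year delta per scenario; scales are (likelihood_max, impact_max).
    A scenario present in only one register gets None on the missing side."""
    prev_scores = {e.scenario: risk_score(e, *prev_scales) for e in prev}
    curr_scores = {e.scenario: risk_score(e, *curr_scales) for e in curr}
    report = {}
    for name in sorted(set(prev_scores) | set(curr_scores)):
        old, new = prev_scores.get(name), curr_scores.get(name)
        delta = None if old is None or new is None else round(new - old, 4)
        report[name] = (old, new, delta)
    return report


# Constructed sample registers: Year 1 ranks likelihood 1-10, Year 2 ranks it 1-8
# (the scale change the post describes); impact is ranked 1-5 in both years.
YEAR1 = [RiskEntry("Unpatched web server", 2, 4, "mitigate"),
         RiskEntry("Vendor data breach", 5, 5, "transfer")]
YEAR2 = [RiskEntry("Unpatched web server", 2, 4, "mitigate"),
         RiskEntry("Lost laptop", 3, 2, "accept")]

if __name__ == "__main__":
    # The same raw ranks (2, 4) score 0.16 in Year 1 but 0.20 in Year 2:
    # comparing raw ranks across the two scales would hide that shift.
    for name, (old, new, delta) in compare_years(YEAR1, (10, 5), YEAR2, (8, 5)).items():
        print(f"{name:22} {old} -> {new}  delta={delta}")
```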

3. Focus on the risk treatment plan.

The risk register you receive should have an associated treatment plan detailing how to address your risks. The treatment plan will list the potential impact of neglecting to address a potential risk. If it’s a quantitative risk assessment rather than a qualitative one, it’ll “quantify” the impact of the risk in terms of cost to the enterprise. Some reports also detail the severity, the complexity, and the expertise needed (such as internal vs. external resources).

With your risk treatment plan in hand, you’ll have all of your suggestions spelled right out so that you can decide how each risk should be addressed.

4. Be proactive with your takeaways.

After reviewing your risk treatment plan, do something with those suggestions. Schedule internal meetings with key stakeholders, subject matter experts and system owners about how to address each risk. This may include validating which risks you’ll mitigate, avoid, transfer or accept.

The idea is, you’re not waiting until after the threat has exploited the vulnerability to address the problem; you’re using the data to proactively reduce your risk before it becomes an issue.

5. Outline clear next steps.

Make concrete decisions about what is going to be done based on the data you’ve collected from your risk assessment. Each threat/vulnerability pair should now have a plan of “attack,” even if the plan is to accept the risk for now.

Create a clear timeline and spell out the steps for your SMEs or whoever is responsible for making any changes. Don’t forget to schedule follow-up meetings to hold your team accountable for completing their end on time and on budget.

Get Even More Value Out of Your Report

Risk assessments can seem too complicated to actually use, but they don’t have to be.

The right risk assessor should be able to help you digest your results so that you have clear next steps for mitigating your risk.

Here at Truvantis®, our IT security experts are here to make it easy. Contact us today.