As an IT Director, you have a daily task list working through all the security to-do's. It’s easy to assume that a regular security risk assessment is too time-consuming and may lack relevance to your current infrastructure. However, that assumption is far from the truth.
Why Should I Carry Out a Risk Assessment?
Security risk assessments are important because they provide the enterprise with a means to determine whether the information security programs and practices it has in place actually work. Risk assessments focus on areas that are vulnerable to a breach or attack, such as unprotected data. Further, an assessment can also reveal unauthorized applications or suspicious traffic patterns, some of which may be malicious, while others are simply errors. A risk assessment pushes you to proactively remove weaknesses before they can be actively exploited.
“This new world dictates first understanding the overall risk tolerance of the organization, which is then used for the risk-based scheduling of ‘regular’ security risk assessments,” says Jeff M. Spivey, a member of ISACA’s Governance Advisory Council and president of Security Risk Management.
How frequently you conduct an assessment is largely a matter of your enterprise’s preferences. But, in some cases, it may be a continuous security risk assessment of specific business risks, using dynamic data flows of key risk indicators (KRI) combined with the understanding of the significance of business impact to the organization, Spivey says.
Companies are reliant on technology, and the speed of growth can reveal vulnerabilities in the digital environment. If an organization allows this evolution without security risk assessments of the appropriate scope and frequency, it is taking on what could be an organization-ending risk.
What is involved in a Security Assessment?
Organizational structure varies from one business to the next. However, there are some universal areas to cover: security management controls; auditing and information governance management; regulatory compliance; data protection and privacy (ensuring confidentiality, integrity and availability of data); access management; backup, recovery, and mitigation plans for data breaches; and service-level and other customer agreements.
A typical sequence includes the following: mapping processes, evaluating possible risks, and understanding their likelihood and impact. As part of the assessment, a business needs to understand the organizational standards and controls that are supposed to be in place and how effective they actually are. It can then identify risk management issues and turn them into recommendations.
Internal Or Third Party Option?
You can have an in-house team conduct your security risk assessment, since there is a profusion of free information available online from IT vendors, government bodies and industry organizations. However, these should not be the only resources you rely on. Why? One hurdle, for example, is finding employees who are able to help with each step of a risk assessment. Many times, the procedures or systems in place were originally set up and managed by someone who no longer works for the organization.
Down at the department level, employees have knowledge of their immediate duties. However, that doesn’t necessarily provide a full overview of the organization. Meanwhile, at the senior level, there is usually only a vague understanding of “broad plans”, without knowledge of the specifics. The combination can create misunderstandings about information security processes and operations throughout an entire organization.
An overall risk-assessment program will often require “inside know-how combined with outside experience and insight. This combination provides a complete and comprehensive assessment.”
Creating an Action Plan
Understand your business need: A security risk assessment provides a “check-up” of your existing information security programs and practices. An assessment will identify weak areas and focus on where improvements can be made.
Conduct the assessment: Experts agree you can conduct a risk assessment either with in-house staff or with the assistance of third-party expertise—or both. Ensure that the assessment is led by knowledgeable people.
Follow-up: Security assessments will highlight vulnerabilities and areas where improvements can be made. Next, address those areas. A single assessment doesn’t necessarily mean that every angle has been covered, so plan and schedule regular reviews. Pay particular attention to new attacks and vulnerabilities, because new ones emerge continuously.
Check results: Security risk assessments need to include confirmation of how IT supports the organizational goals and the risks associated with delivering and enabling the organization. Be sure to know which risks are acceptable and which aren’t.
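The core of the sequence described above (evaluate each risk for likelihood and impact, check whether the control that is supposed to be in place actually works, then decide which risks are acceptable against the organization's risk tolerance) can be made concrete as a small risk register evaluator. The following Python is an added example written for this page, not code from the article or from any vendor: the 5-point qualitative scales, the likelihood × impact scoring, the tolerance threshold and the sample register are all assumptions chosen for illustration.

```python
"""Toy risk register evaluator (added example; the scales, the
likelihood x impact scoring, the tolerance value and the sample
register are assumptions, not the article's own method)."""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative scales mapped to ordinal values (assumed 5-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    scenario: str
    likelihood: str
    impact: str
    # Was the control that is "supposed to be in place" confirmed to work
    # during the assessment (as opposed to merely documented)?
    control_verified: bool


def risk_score(risk: Risk) -> int:
    """Likelihood x impact on the ordinal scales, giving a value in 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def assess(register: list[Risk], tolerance: int) -> list[dict]:
    """Score every risk and decide 'accept' vs. 'treat' against a tolerance.

    A risk is accepted only when its score is within tolerance AND the
    control it relies on was verified. An unverified control means the
    assessment has not shown that the practice actually works, so the
    risk goes on the action plan regardless of its score.
    """
    rows = []
    for r in register:
        s = risk_score(r)
        decision = "accept" if (s <= tolerance and r.control_verified) else "treat"
        rows.append({"asset": r.asset, "scenario": r.scenario,
                     "score": s, "decision": decision})
    # Highest score first so the action plan starts with the worst exposure.
    rows.sort(key=lambda row: (-row["score"], row["asset"]))
    return rows


# Constructed sample register for demonstration (not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "backups readable by unauthorized staff",
         "possible", "major", control_verified=False),
    Risk("VPN gateway", "password guessing against remote access",
         "likely", "severe", control_verified=True),
    Risk("intranet wiki", "outdated CMS with no patch owner",
         "likely", "minor", control_verified=True),
    Risk("printer fleet", "default admin passwords",
         "unlikely", "negligible", control_verified=True),
]

if __name__ == "__main__":
    # Tolerance of 6 is an assumed organizational choice, not a standard value.
    for row in assess(SAMPLE_REGISTER, tolerance=6):
        print(f"{row['score']:>2}  {row['decision']:<6}  {row['asset']}: {row['scenario']}")
```

The tolerance value is the organization's own decision (the "risk tolerance" Spivey refers to), and the ordered output is the starting point for the follow-up step: every "treat" row needs an owner and a review date, and "accept" rows should be re-scored at the next regular assessment rather than forgotten.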
For more information on security risk assessments, please visit our Professional Services page (System/Infrastructure Security).