An Information Security Risk Assessment is the first step in identifying which data needs protection, controls around that data, and the risk level of each of those areas.
The question many CISOs or CSOs ask is: “Why should I have a risk assessment done?” A risk assessment can help determine which areas of security need improvement. Then efforts can be directed at the critical areas that need the most remediation.
A good risk assessment exhibits five key aspects that make it valuable to the client. So, make sure the risk assessment is:
1. High Level
2. Useful and Affordable
3. Understandable to Executives
4. Following a Framework
5. Set up to make Assumptions and Quantify Data
1. The first aspect of a good risk assessment is that it must take a High Level perspective. You need to take a few things into consideration so the risk assessment is conducted at a high level.
You need to understand how a business runs and how it makes money. By knowing how a business runs, you are able to determine both the business’s valuable assets and which areas need the most security.
You also must give the business an organized Timeline. Anyone can just provide a list of vulnerabilities; those are average risk assessments. If you want to make your risk assessment better than the rest, you have to inform the client of what they need to do to fix their vulnerabilities, when they need to do them, and in what order, so they don’t drag their feet.
2. The second aspect of a good risk assessment is that it must be Useful and Affordable. An assessment should cost no more than $15,000 for a company worth $5 billion. A risk assessment is not an assessment you want to spend the majority of your budget and time on. Generally, a risk assessment should take no longer than one week to complete.
On the other hand, it needs to be useful for a company and not just result in a list of problems. The assessment should give the client steps and activities to take to resolve their vulnerabilities. It needs to have a roadmap, so technicians know what to do to ensure that their vulnerabilities are at a minimum.
3. The third aspect of a good risk assessment is that it needs to be Understandable to Executives. A risk assessment needs to result in a final deliverable that informs the client of the results of their assessment; however, it also needs to be written in business language, not IT language.
This allows the CISO or CSO to understand exactly where their vulnerabilities are and what the risk level of each one is, pointing them in the right direction regarding what to work on first when fixing their issues. Most importantly, it leaves the technical terminology for the IT specialists to interpret and implement.
4. Following a Framework is the fourth aspect that a good risk assessment exhibits. A framework lends the assessment validity, consistency, and repeatability. At SecureState, we base our risk assessment on the National Security Agency’s (NSA) Infosec Assessment Methodology (IAM).
Because framework-based assessments are consistent and repeatable, current risk assessment results can be compared to previous years’ results to see whether the company’s security posture has improved. You can also compare the client’s status to other companies of similar size and stature to show them where they stand.
5. The fifth and final aspect of a good risk assessment is that it should be set up to allow the consultant to both Make Assumptions and Quantify Data. The assumptions are made about threats to the company from discussions with employees and from general threats to similar companies. Use the “Risk Equation,” which can be seen in the graphic below, to calculate risk empirically, rather than subjectively.
In the Risk Equation, we are mainly looking at the boxes in red. We look at two main items: the likelihood of the threat and the impact of the threat. In a risk assessment, this helps a company understand where they need to start fixing their vulnerabilities.
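As an added example (not from the original post or from SecureState), the script below applies the two items highlighted above, likelihood and impact, to a handful of constructed findings and turns the resulting scores into the ordered remediation timeline described in the first aspect. The 1-to-5 ordinal scales, the product form of the Risk Equation, the tier thresholds and the per-tier deadlines are all assumptions chosen for illustration; the page does not specify them.

```python
from dataclasses import dataclass

# Assumed ordinal scales (not given on the page): 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed remediation deadlines per tier, in days; these drive the timeline.
TIER_DEADLINE_DAYS = {"critical": 30, "high": 90, "medium": 180, "low": 365}


@dataclass
class Finding:
    name: str
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT


def risk_score(f: Finding) -> int:
    """Risk = likelihood x impact (assumed form of the Risk Equation), range 1..25."""
    return LIKELIHOOD[f.likelihood] * IMPACT[f.impact]


def risk_tier(score: int) -> str:
    """Map a 1..25 score to a tier; thresholds are assumed, not from the page."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def remediation_roadmap(findings):
    """Rank findings by score (higher impact wins ties) and attach a deadline."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -IMPACT[f.impact], f.name))
    roadmap = []
    for order, f in enumerate(ranked, start=1):
        score = risk_score(f)
        tier = risk_tier(score)
        roadmap.append({"order": order, "name": f.name, "score": score,
                        "tier": tier, "due_in_days": TIER_DEADLINE_DAYS[tier]})
    return roadmap


# Constructed sample findings for demonstration only.
SAMPLE_FINDINGS = [
    Finding("Missing visitor sign-in log", "possible", "negligible"),
    Finding("No offsite backups", "unlikely", "severe"),
    Finding("Shared admin password", "almost certain", "moderate"),
    Finding("Unpatched internet-facing web server", "likely", "major"),
]

if __name__ == "__main__":
    for row in remediation_roadmap(SAMPLE_FINDINGS):
        print(f"{row['order']}. {row['name']}: score {row['score']} ({row['tier']}), fix within {row['due_in_days']} days")
```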
Two good assessments that identify vulnerabilities are Penetration Tests and Vulnerability Assessments, whereas the risk assessment itself as well as PCI and other audits will identify controls.
So when looking at purchasing a risk assessment, or when implementing one, I would highly recommend making sure that these five aspects are included in it.
By conducting a risk assessment that exhibits these aspects, you will get the biggest bang for your buck.
Cross-posted from SecureState