With threats to sensitive data growing in both number and sophistication every day, organizations cannot afford a scattershot approach to security. Instead, they need to focus their limited IT budgets and resources on the specific vulnerabilities in their unique security posture. To do this, they need to identify, analyze and prioritize the risks to the confidentiality, integrity or availability of their data or information systems, based on both the likelihood of the event and the level of impact it would have on the business.
1. IT risk assessment should be the foundation of your IT security strategy
First, we need to differentiate between risk assessment and risk management. While both are essential ingredients for a strong IT security ecosystem, they are not identical. Rather, risk management is a part of risk assessment, providing control over business, operational, information security and other risks. IT risk assessment involves the much broader task of understanding the internal and external risk landscapes for a holistic, organization-wide approach to security.
In other words, IT security risk assessment helps you understand what events can affect your organization in a negative way and what security gaps pose a threat to your critical information, so you can make better security decisions and take smarter proactive measures. For instance, by revealing a chaotically organized privilege structure, shadow user accounts or tangled administrative rights, risk assessment helps you take the proper risk management steps to minimize the risk of privilege abuse or data theft before it’s too late.
2. IT risk assessment is required by many compliance regulations
The use of risk assessment for information security is only part of the picture. Information security risk assessment is also one of the top requirements of many compliance standards. For instance, if your organization must comply with HIPAA or could face GDPR audits starting May 2018, then information security risk assessment is a must-have for your organization in order to minimize the risk of noncompliance and huge fines.
Although regulations do not provide specific instructions on how organizations should control and protect their IT systems, they do require that organizations secure those systems and provide auditors with evidence that the required security controls are in place and are reducing data security risks.
3. Adopting an appropriate framework makes it easier to get started with IT risk assessment
An IT security risk assessment framework is a set of rules that define:
- What has to be assessed
- Who has to be involved in risk assessment procedures
- What threats an organization has
- How these identified risks will be analyzed and prioritized
- How risk will be calculated based on likelihood and impact
- What documentation must be collected and produced as a result of the assessment
Obviously, these rules will be different for every organization, depending on its needs and goals, its size, the complexity and maturity of its business processes, the types of data involved, the size of the IT department, the security controls in place, the applicable industry requirements, and more.
However, there’s no need to create your information security risk assessment framework from scratch. Instead, you can adopt and adapt one of these commonly used risk frameworks:
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), designed by Carnegie Mellon University
- The NIST risk assessment framework, as documented in special publication SP 800-30
- ISO/IEC 27001:2013
Note that all of these standards require organizations to document their information security risk assessment processes so they can provide evidence that all required data security procedures are being diligently followed.
4. IT risk assessment needs to be an ongoing process
Security systems are like high-performance race cars — they need to be constantly maintained, updated and tuned. Risk assessment is not a one-time event that provides permanent and definitive information for decision makers to inform their responses to information security risks. Instead, because both the IT environment and the risk landscape are constantly changing, risk assessment needs to occur on an ongoing basis throughout the system development lifecycle, from system planning through acquisition and use to system retirement.
Moreover, risk assessment has to be performed frequently enough to spot security gaps that can arise quickly, such as privilege sprawl, inactive accounts and administrative accounts with improper password settings that put sensitive data and systems at risk.
5. IT risk assessment involves three stages
The process of risk assessment can be roughly divided into three stages:
- Risk identification — Determine the vulnerabilities in information systems and the broader IT environment, such as excessive access permissions or tangled group nesting, that could lead to damage if not taken care of in time.
- Risk estimate — Assess the likelihood that a risky event will occur by analyzing the probability that a given threat is capable of exploiting a given vulnerability.
- Risk prioritization — Rank risks based on the risk estimate combined with the level of impact each one would have if it occurred. Consider the impact to the business of the unauthorized disclosure, modification or destruction of information, or the loss of information system availability. Attend to the threats with the highest probability and impact first.
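The three stages above applied to a constructed risk register, as an added example that is not part of the original post. The 1-5 likelihood and impact scales, the rule that impact is the worst of the confidentiality, integrity and availability ratings, and the 90-day re-assessment window are assumptions, not anything the post prescribes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Risk:
    finding: str          # stage 1: the identified vulnerability
    likelihood: int       # stage 2: 1-5, chance a threat exploits it (assumed scale)
    impact: dict          # 1-5 impact on "C", "I", "A" if it occurs (assumed scale)
    assessed_on: date     # when this entry was last reviewed

    def impact_level(self) -> int:
        # Worst-case impact across confidentiality, integrity and availability
        return max(self.impact.get(k, 0) for k in ("C", "I", "A"))

    def score(self) -> int:
        # Stage 3 input: likelihood combined with impact (multiplicative risk matrix)
        return self.likelihood * self.impact_level()


def prioritize(register):
    """Rank risks so the highest probability-and-impact items come first."""
    return sorted(register, key=lambda r: (r.score(), r.likelihood), reverse=True)


def stale(register, today_iso: str, max_age_days: int = 90):
    """Entries older than the review window must be re-assessed (an ongoing process)."""
    today = date.fromisoformat(today_iso)
    return [r.finding for r in register if (today - r.assessed_on).days > max_age_days]


# Constructed findings of the kind the post names (privilege sprawl, inactive
# accounts, weak admin password settings, tangled group nesting); values are illustrative.
REGISTER = [
    Risk("Privilege sprawl: 40 users hold Domain Admin", 4, {"C": 5, "I": 5, "A": 3}, date(2018, 1, 10)),
    Risk("Inactive accounts still enabled after 90 days", 3, {"C": 4, "I": 2, "A": 1}, date(2018, 3, 1)),
    Risk("Admin accounts with 'password never expires'", 4, {"C": 4, "I": 4, "A": 2}, date(2018, 3, 1)),
    Risk("Tangled group nesting grants file-share write", 2, {"C": 3, "I": 4, "A": 1}, date(2017, 11, 5)),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():>3}  L={r.likelihood} I={r.impact_level()}  {r.finding}")
    print("needs re-assessment:", stale(REGISTER, "2018-04-01"))
```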
IT risk assessment is critical to data protection and business continuity, and it has to be carried out periodically in order to detect new risks and improve security strategies. If your risk assessment is out of date, so are your strategies — it’s as simple as that.
Find out what first steps to efficient risk assessment you can take right here. To learn some best practices in establishing a continuous risk assessment and mitigation process watch this recorded IT risk assessment webinar.
Do you employ IT risk assessment in your IT environment? What tools do you use?