Editor’s Note: This blog is part two of a five-part blog series on how to approach technology assessments and security.
IT security frameworks and regulatory standards, such as NIST's risk management publications (for example, SP 800-30, Guide for Conducting Risk Assessments), the Payment Card Industry Data Security Standard (PCI DSS) and the FFIEC examination guidance that implements the Gramm-Leach-Bliley Act (GLBA), use a risk assessment as the first step in driving an organization's IT security strategy. In fact, many oversight bodies require an annual IT risk assessment to maintain compliance.
A risk assessment is one of the most valuable tools available to enable your organization’s leadership and other decision makers to make informed risk decisions on information technology and IT security matters. Unfortunately, many organizations have instituted a risk assessment process in a manner that allows them to “check off” compliance requirements, but does not provide useful information to the organization’s decision makers.
Here are eight steps for making a risk assessment serve a meaningful purpose:
- Get rid of the spreadsheet.
Risk assessment findings are typically presented in the format of a spreadsheet or matrix table, often with elaborate acronyms, numbers and color codes used to rate and rank different types of risks. While this spreadsheet approach shows that the author put some thought and effort into evaluating risk, it may not be effective in communicating conclusions. Decision makers who receive this type of risk assessment presentation often find the format unintuitive and tend to feel that it does not provide enough detail to justify the conclusions.
The first step in getting the most out of a risk assessment is to commit to a reporting approach that presents results in a format that is both accessible and detailed.
- Know what you don’t know.
Organizations often have the individual or group responsible for implementing security controls conduct the risk assessment. This approach has two potential drawbacks. First, the person conducting the assessment may be unable to take an objective view of past security decisions or of current gaps in controls they own. Second, that person may have little knowledge of industry trends and norms outside his or her own organization.
Make sure the person or team performing the risk assessment has sufficient knowledge of the threat landscape through training and involvement in user groups and community forums. Alternatively, consider hiring an external assessor to increase the independence of the assessment and leverage a greater breadth of knowledge.
- Actually talk to business and system owners.
Many IT managers or security officers fill out risk assessments based solely on their existing knowledge of systems and business processes. Alternatively, IT and business-line system owners each receive a questionnaire on which they rate the risk of their own systems or processes. Either way, the inputs to the risk assessment are often inaccurate, because the person entering the data has insufficient knowledge of either the systems and processes or the threats and risks.
A key to pulling meaningful insight into the risk assessment is for the person conducting the assessment to interview system- or business-line process owners. This face-to-face discussion between a person who knows the system’s processes and interfaces and a person who understands threats and attacks substantially increases the ability to identify vulnerabilities and control gaps that could otherwise be missed.
- Generalize the system inventory.
Risk assessors often feel the need to spend a great deal of time generating and managing a detailed asset inventory, listing and evaluating every server and application. Ultimately, this detailed inventory is unlikely to provide meaningful insight to decision makers.
The risk assessment process can often be improved by using generalized groups, like “file servers,” “perimeter firewalls” and “telephony systems,” rather than a detailed asset inventory. This difference can cut down on the time and complexity involved with the risk assessment while making it easier to correlate threats and controls and ultimately “tell a story” illustrating the organization’s risk posture.
- Be specific about threats.
While many risk assessments are too detailed in their asset inventories, they are often not detailed enough in their evaluation of threats. In the worst cases, risk assessments list only the vaguest level of threats: "loss of integrity," "loss of confidentiality" and "loss of availability." Some go a bit further and use generalized categories such as "viruses," but even that level of detail is insufficient. Concluding that your controls against the generic "viruses" threat are strong, adequate or weak does not provide much insight into which attack paths are actually covered.
Using more granular threats like “email viruses,” “removable media viruses” and “command and control Trojans” allows the risk assessor to better rank threats and scrutinize individual control gaps.
- Question your controls.
Another common mistake is to assume that, because a control is in place, it is effectively mitigating risk. Deeper scrutiny often shows otherwise. For example, a risk assessor may be tempted to rate web application attacks as a low risk for an organization that has a web application firewall (WAF) in front of its web servers.
The assessor should ask several questions before making that judgment. Is the WAF inspecting decrypted traffic, or is TLS terminated behind it so that it sees only encrypted requests it cannot inspect? Is it in blocking mode, or merely monitoring and logging? Is anyone actively reviewing and responding to its alerts, and how quickly? A control that cannot see the traffic, does not block, or raises alerts nobody reads mitigates far less risk than its presence on an architecture diagram suggests. This kind of analysis frequently reveals that organizational controls are not as strong as intended.
- Tell a story.
An important tactic that ties into getting rid of your risk assessment spreadsheet is to tell a story. Your risk assessment is a chance to educate leaders and other decision makers on the strengths and security gaps of your organization’s IT environment. If the presentation of the risk assessment results is hard to understand, you may be wasting an opportunity.
Instead of a complex matrix, provide an executive summary that informs and educates non-technical readers about the most important insights produced by the risk assessment. Examples could include a brief narrative of the highest risks or descriptions of the control gaps and their impacts. This executive summary should then be backed up by the data and analysis included later in the report to justify the high-risk ratings and rule out low risks.
- Don’t hide it; flaunt it.
All too often, an organization does a risk assessment purely to meet compliance requirements. The report is filed away and only ever seen by auditors and examiners. But a risk assessment doesn’t need to be a waste of time and resources.
If your risk assessment is done well and used for its intended purpose, it can guide the IT security strategy throughout the year. Present it to leadership to better illustrate your story. Use it to highlight successes as well as gaps. Bring it out during planning sessions to maintain focus on the highest risks. There is a reason that regulatory frameworks and industry guidelines almost all start with a risk assessment―done correctly, it is a very effective tool for improving and communicating your organization’s security posture.
At the conclusion of a risk assessment, your organization will have identified gaps and can begin implementing or improving controls. To validate that appropriate controls are in place and are functioning as intended, you should conduct an IT audit next—which we will cover in part three of this blog series.
Read More: Did you miss part one of this blog series on technology assessments and security? If so, our Insights page now hosts that post on risk assessment basics.
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.