Risk assessment is the methodology organizations use to identify and evaluate the risks they face.
With modern businesses relying ever more on information systems and technology, information security risk assessment is among the most important risk assessments a modern organization performs.
So you, as the business owner or the security expert of your organization, must understand risk assessments, and information security risk assessments in particular, to protect your organization against unknown risk factors.
Let's look at why this is important.
“A risk assessment involves considering what could happen if someone is exposed to a hazard (for example, COVID-19) and the likelihood of it happening. A risk assessment can help you to determine: how severe a risk is, whether any existing control measures are effective, what action you should take to control the risk, and how urgently the action needs to be taken,” according to an Australian governmental agency.
Risk assessment is the term for the entire process of identifying the potential hazards and risk factors in an organization, assessing and evaluating the associated risks, and determining mitigation strategies that eliminate, or at least control, those risks. These risks relate to the functioning of the organization: a mechanical failure, an external influence, a cyberattack, and so on.
Since modern organizations rely on information technology and systems to run their business, they inherit risks that did not exist for older, non-technical companies. This category of risk is known as cyber risk, cyber security risk, or information security risk, since it involves digital or online systems.
Information security risk can then be calculated as the product of threat, vulnerability, and information value. For instance, suppose you need to assess the risk of a cyberattack on a specific operating system: say Windows 10 v1804 has a known backdoor that can be exploited physically (for example, using a flash drive). If the system holds valuable information and your workplace does not implement physical security, your risk will be comparatively high.
If your organization's information security team is highly operational and updates Windows 10 to v1810 on your workplace systems, which fixes the backdoor, then your risk will be potentially low even with critical data on the system.
That is why information security risks must be assessed and evaluated. So the question arises: how do you perform an information security risk assessment?
An information security risk assessment requires a lot of analysis, evaluation, and continuous testing. That is why it is valuable to ask the right questions and dig deep enough to get the answers.
1. What are the valuable assets in your organization?
First of all, you must find all the valuable assets in the organization. Since you may not have an unlimited budget for information risk management, it is best to limit your assessment scope to the most valuable assets. The list may include hardware and software, client data, trade secrets, and so on.
You may need to define a valuation standard for determining the importance of each asset. For example, you may value an asset by its cost, its business use, or the loss incurred if it is damaged or stolen. Whatever standard you define, use it to calculate the value of every asset, then prioritize the assets by value.
2. What are the potential consequences if compromised?
Then, you should determine the potential consequences, in terms of financial loss or any other type of loss, if an asset is compromised, damaged, or stolen. Consequences you must consider include application or system downtime or failure, data loss, and financial or legal consequences.
3. What are the potential threats to your critical assets?
Then, you must determine the potential threats to your important assets. A threat is any person or thing that can exploit a vulnerability in your system to gain access and damage your assets. Common threats include system failure and interference by a malicious human or malicious software.
4. What are the vulnerabilities and their exploitation level?
Then, you should identify the vulnerabilities in your organization's information technology infrastructure. A vulnerability is any weakness that allows a threat actor to compromise your security and gain access to your systems to cause damage or steal your important assets. Examples of vulnerabilities include old hardware, configuration or system design issues, and careless employees.
5. What are the potential risks and their levels for assets?
Next, you must determine the potential risks and their levels per asset. A risk is the probability that a threat will successfully exploit a vulnerability and damage or steal one or more assets. You can assess an asset's risk level using the formula above and classify assets as low, moderate, or high risk.
6. What should be the organization’s risk management plan?
Next, you need to develop a risk management plan for your organization. For example, suppose there is a high risk of system failure due to overheating (threat) because the cooling system is old (vulnerability), which would lead to hours of downtime for your website and online services (assets). Given the potential loss, the overall risk is high, and the solution should be a new, better cooling system.
7. What should be the strategy to mitigate the vulnerabilities?
Next, you should create a strategy to mitigate the vulnerabilities you found. The plan should include a timeline, the required budget, the teams or departments involved, and so on. For instance, you might replace the cooling system for an old system, install a firewall and an intrusion detection system against cyberattacks and malicious insiders, and provide training to untrained employees.
8. What mitigation should be used for security infrastructure?
Finally, you must define mitigation processes for improving the information security infrastructure. You cannot eliminate all risks, so your organization must be ready to handle any disaster or security event. After such an event, you should review the mitigation process: what worked, what did not, and how to close the gaps, i.e., keep improving.
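To tie the formula from the introduction (risk = threat x vulnerability x information value) to the eight steps above, here is a small risk register in Python. It is an added example, not code from the original article: every asset, rating, and band threshold is constructed for illustration. It assumes a 1-to-5 ordinal scale for each factor and constructed cut-offs of 50 (high) and 25 (moderate) on the product. The register mirrors the article's two scenarios, the Windows 10 v1804 workstation and the overheating web servers, and shows how applying a control lowers only the vulnerability factor while the asset's value and threat stay where they were.

```python
"""Added worked example (not from the original article): a risk register that
applies risk = threat x vulnerability x information value, bands each score
into low / moderate / high, and ranks assets so the mitigation plan starts
with the worst risk. All assets, ratings and thresholds are constructed."""
from dataclasses import dataclass, replace

SCALE_MIN, SCALE_MAX = 1, 5          # constructed ordinal scale for all three factors
MAX_SCORE = SCALE_MAX ** 3           # 125: the worst possible product
HIGH_AT, MODERATE_AT = 50, 25        # constructed band thresholds on the product


@dataclass(frozen=True)
class Asset:
    name: str
    value: int           # information value: loss if damaged, stolen or unavailable
    threat: int          # likelihood that a threat (actor or failure) acts on the asset
    vulnerability: int   # how exploitable the weakness is under current controls
    note: str = ""       # what drives the vulnerability rating


def risk_score(asset: Asset) -> int:
    """threat x vulnerability x value, after checking each factor is on the scale."""
    for label, factor in (("value", asset.value), ("threat", asset.threat),
                          ("vulnerability", asset.vulnerability)):
        if not SCALE_MIN <= factor <= SCALE_MAX:
            raise ValueError(f"{asset.name}: {label}={factor} is outside "
                             f"{SCALE_MIN}..{SCALE_MAX}")
    return asset.threat * asset.vulnerability * asset.value


def risk_level(score: int) -> str:
    """Map a score to the article's low / moderate / high labels."""
    if score >= HIGH_AT:
        return "high"
    if score >= MODERATE_AT:
        return "moderate"
    return "low"


def mitigate(asset: Asset, new_vulnerability: int, note: str) -> Asset:
    """Model a control (patch, new hardware, training) that lowers exploitability.
    Value and threat are unchanged: a patch does not make the data less valuable."""
    return replace(asset, vulnerability=new_vulnerability, note=note)


def prioritize(register: list[Asset]) -> list[tuple[str, int, str]]:
    """Rank assets by score, highest first, as (name, score, level) rows."""
    rows = [(a.name, risk_score(a), risk_level(risk_score(a))) for a in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register mirroring the article's two scenarios plus one control case.
WORKSTATION = Asset("finance workstation (Windows 10 v1804)", value=5, threat=3,
                    vulnerability=5, note="known backdoor; no physical access controls")
WEB_SERVERS = Asset("website and online services", value=4, threat=4,
                    vulnerability=4, note="ageing cooling system; overheating causes downtime")
HR_LAPTOPS = Asset("HR laptops", value=3, threat=2,
                   vulnerability=2, note="disk encryption on; staff trained")

REGISTER = [WORKSTATION, WEB_SERVERS, HR_LAPTOPS]

# The same register after the article's two mitigations are applied.
MITIGATED = [
    mitigate(WORKSTATION, 1, "updated to v1810; backdoor fixed"),
    mitigate(WEB_SERVERS, 1, "cooling system replaced"),
    HR_LAPTOPS,
]

if __name__ == "__main__":
    for title, reg in (("before mitigation", REGISTER), ("after mitigation", MITIGATED)):
        print(f"--- {title} ---")
        for name, score, level in prioritize(reg):
            print(f"{score:>4}  {level:<8} {name}")
```

Running the script prints the register twice: before mitigation the workstation (75) and the web servers (64) both land in the high band, and after the patch and the new cooling system they drop to 15 and 16, i.e. low, which is the movement the article describes. The thresholds are the part a real organization has to decide for itself; the point of keeping them as named constants is that the banding policy is visible and reviewable rather than buried in the arithmetic.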