An organization conducts an Information Security Risk Assessment to gather the factual knowledge required to effectively manage its information risk.
To maximize the value of the Information Security Risk Assessment, the Information Security Management and Leadership Team needs to carry out the Information Security Risk Assessment in accordance with documented procedures that include:
- Criteria for identifying, evaluating, and categorizing identified cybersecurity risks and threats
- Criteria for assessing the adequacy of existing controls in the context of identified risks
- Criteria for deciding how identified risks are to be managed and how the information security management program is to address the risks
What the Leadership Team Needs to Know Before it Can Start
As input to the assessment, the Information Security Management and Leadership Team needs to know:
- What information do we have that we are legally required to protect? What documents define how we must protect it?
- What information do we as an organization have that we want to protect?
- What audits are we preparing for? What controls do they expect?
This information should already have been gathered as part of the development of the organization’s Information Security Management Policies and Standards.
Assessments Take Place in the Context of Policies and Standards
Plan to conduct your assessment against your Information Security Management Policies and Standards.
For each policy statement and each standard, the Information Security Management and Leadership Team needs to know
- Do we comply with the policy?
- How well are we meeting the standard?
- How critical is meeting the standard?
- What is the information risk in not fully meeting the standard?
- What are we going to do about it?
The Risk-Based Assessment from 50,000 Feet: Key Questions
What are the organization’s information assets?
- Information of others it must legally protect
  - Personally identifiable information
  - HIPAA-protected information
  - Information of minors
  - GDPR-protected information
  - Credit card information
  - Information protected by NDA or other agreements
- Internal information assets
  - Intellectual property
  - Trade secrets
  - Operational reports
  - Word files
  - eCommerce systems
  - Online banking systems
  - Passwords to critical systems, server configuration information, etc.
  - Backup and recovery systems
  - Physical inventory (workstations, servers, routers, switches, firewalls, staff-owned equipment, cloud assets, etc.)
What are the threats to which this information is exposed?
- Copied, stolen (confidentiality)
  - Credit card theft
  - Medical records theft
  - Intellectual property theft
- Changed without authorization (integrity)
  - Invoice fraud
- Made unavailable (availability)
  - DDoS attack on a web site
- Used without authorization (fraud and misuse)
  - Business email compromise
  - Theft of computing resources
Who are the threat actors we must defend against? How sophisticated are they likely to be?
- Non-target specific [fisherman throwing a net overboard to catch whatever swims by]
- Targeted [thief wanting to steal a unique piece of art from the Louvre]
- Lone wolf cybercriminals
- Organized crime
- Malicious employees, vendors, etc.
- Employees, vendors, etc. making inadvertent mistakes
- Terrorists, political enemies, etc.
- Nation states
- Natural disasters
How are they likely to attack us?
- Social engineering
- Vendor attack
- Exploit a technology vulnerability
- Install a Trojan horse or keylogger
- Attack us via a botnet
- Come in through a backdoor
- Install an Advanced Persistent Threat (APT)
- Launch a Distributed Denial of Service Attack (DDoS)
Where are our major vulnerabilities?
- Management & Leadership
For each information asset, each threat, and each threat actor
- How likely is the risk to manifest?
- How important is managing the risk?
- What are the consequences of failure?
- How significant would the damage be if something goes wrong?
- What controls do we have to keep this from happening?
- How confident are we that they work correctly?
- Given these controls, what is the residual risk, the risk that remains after applying these controls?
- Given the level of residual risk, what are we going to do about it?
  - Live with this level of residual risk
  - Strengthen controls to lower residual risk to acceptable levels
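The per-asset, per-threat, per-actor questions above amount to a small risk register: inherent likelihood and impact, controls discounted by how confident we are that they work, the resulting residual risk, and a live-with-it or strengthen-controls decision against a tolerance the Leadership Team sets. The following is an added illustration, not material from the original article; the scales, the multiplicative control model, the sample entries and the tolerance of 5.0 are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    strength: float    # share of the likelihood removed when the control works (0..1)
    confidence: float  # how confident we are that it actually works correctly (0..1)

@dataclass
class Risk:
    asset: str
    threat: str
    actor: str
    likelihood: int    # 1 (rare) .. 5 (expected) with no controls in place (assumed scale)
    impact: int        # 1 (minor) .. 5 (severe) damage if it happens (assumed scale)
    controls: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self):
        # Each control is only credited for the part of its strength we trust;
        # an untested control (confidence 0) lowers the residual risk not at all.
        remaining = float(self.likelihood)
        for c in self.controls:
            remaining *= 1.0 - c.strength * c.confidence
        return remaining * self.impact

def decide(risk, tolerance):
    """Live with the residual risk, or strengthen controls to bring it down."""
    return "live with" if risk.residual() <= tolerance else "strengthen controls"

def rank_register(register, tolerance):
    """Highest residual risk first, as (asset, threat, actor, residual, decision) rows."""
    rows = [(r.asset, r.threat, r.actor, round(r.residual(), 2), decide(r, tolerance))
            for r in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed sample register using the article's asset, threat and actor categories.
SAMPLE_REGISTER = [
    Risk("Credit card information", "Copied, stolen (confidentiality)", "Organized crime", 4, 5,
         [Control("tokenization", 0.8, 0.9), Control("network segmentation", 0.5, 0.6)]),
    Risk("Online banking systems", "Made unavailable (availability)", "Non-target specific", 3, 4,
         [Control("DDoS scrubbing service", 0.7, 0.5)]),
    Risk("Operational reports", "Changed without authorization (integrity)",
         "Employees making inadvertent mistakes", 3, 2),
]
RISK_TOLERANCE = 5.0   # assumed acceptance threshold, set by the Leadership Team

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER, RISK_TOLERANCE):
        print(row)
```

Note that the well-controlled credit card risk drops below tolerance even though its inherent score (20) is the highest, while the uncontrolled integrity risk on operational reports does not.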
An Assessment is not an Audit … except when you’re assessing a vendor or third-party
You conduct an assessment to find out where you are and what you need to improve on. It’s internal … for your use in knowing where you are and getting better.
This is different from an audit, which is conducted by a third party for the purpose of establishing whether or not your information security management practices are sufficient to meet the auditor’s information security management standards.
It’s wise to conduct an internal assessment to see how you would fare in a related external audit. Better you should find your holes before the auditor does.
Your vendor or third-party should do the same thing before you show up!
Assessments Take Place in the Context of Security Standards and Requirements, and to Prepare for an Audit
Sometimes you need to assess compliance with a particular set of regulations or requirements. Or you may have an audit coming up that you need to prepare for. You might, for example, need to assess your security program against one or more of the following.
- The recent NY State Financial Regulations
- HIPAA HITRUST
- The Payment Card Industry’s Data Security Standard
- The SecureTheVillage Code of Basic IT Security Management Practice
Let us see how well we meet the NY state requirements and identify what we must do to get better.
Let us see how well we meet HIPAA HITRUST and identify what we must do to get better.
Let us see how well our IT Department follows the Code of Basic IT Security Management Practice and identify what we must do to get better.
Since your Information Security Management Policies and Standards are designed to capture your organization’s management of its Information Security Management Program, the most-effective way to assess performance against requirements like the above is to map these requirements to your Policies and Standards. Given a requirement, you want to know where in the Policies and Standards that requirement is satisfied.
Using the NY state requirements as an illustration, the process looks as follows:
- Map the NY state requirements to your policies and standards. Several standards together may be required to meet a state requirement.
- If any NY state requirements are not fully covered by your Policies and Standards, then add new standards to cover them.
- Assess your Information Security Management Program against the updated Policies and Standards.
This way you keep your Policies and Standards up-to-date with your responsibilities. And you have all of your requirements located in your Policies and Standards, making compliance management easier.
Assessments Provide Input to Improvement Activities
Once the assessment is completed, the Information Security Management and Leadership Team can plan improvement activities.
If a policy is not being met, then create a plan to meet it. Policies carry legal implications, so you want to comply with all your policies.
Unlike Policies, Standards are aspirational. When a standard is not being met, the Information Security Management and Leadership Team has to plan to methodically improve its performance against the standard. This exercise will take place in the context of criticality of the standard, the relative difficulty in improving performance against the Standard, and the organization’s available resources.
- Is the unmet Standard a security show-stopper or otherwise critical?
- The standard to aggressively patch vulnerabilities is an example of a standard that’s a show-stopper. That’s because a cybercriminal exploiting a missing patch can get full control of the unpatched device. This is what happened in the Equifax breach.
- Is the unmet Standard required by a customer or a regulation?
- How difficult is it to comply with the standard? Do we change a few settings and we’re done, like changing password length and complexity requirements, or do we need to implement a project to get this standard met?
- What resources do we have?
Beginning with the show-stoppers and things needed for compliance, the Team needs to identify what improvement activities it will work on and put a plan together for managing these.
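The requirement-mapping steps (map each requirement to the standards that together satisfy it, add standards for anything uncovered, then assess against the updated set) and the prioritization questions just listed (show-stoppers first, then compliance-required standards, then by how hard they are to meet) can be carried out over one small data model. The code below is an added example, not from the article or from SecureTheVillage; the requirement and standard identifiers, the effort scale and the sample data are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Standard:
    sid: str
    met: bool
    show_stopper: bool = False  # security show-stopper or otherwise critical
    effort: int = 1             # 1 = change a few settings ... 5 = a project (assumed scale)

def map_requirements(requirements, standards):
    """Classify each requirement as 'met', 'unmet' or 'uncovered' by the current standards.
    A requirement that maps to several standards is met only when all of them are met."""
    by_id = {s.sid: s for s in standards}
    status = {}
    for req, sids in requirements.items():
        mapped = [by_id[s] for s in sids if s in by_id]
        if not mapped:
            status[req] = "uncovered"
        else:
            status[req] = "met" if all(s.met for s in mapped) else "unmet"
    return status

def add_standards_for_gaps(requirements, standards):
    """Add a placeholder standard for every uncovered requirement; it is unmet until assessed."""
    added = []
    for req, st in map_requirements(requirements, standards).items():
        if st == "uncovered":
            new = Standard(sid=f"STD-NEW-{req}", met=False)
            standards.append(new)
            requirements[req].add(new.sid)
            added.append(new.sid)
    return added

def improvement_queue(requirements, standards):
    """Unmet standards in the order the Team should tackle them: show-stoppers first,
    then those a regulation or customer requirement maps to, then the cheapest to fix."""
    required = {sid for sids in requirements.values() for sid in sids}
    unmet = [s for s in standards if not s.met]
    ordered = sorted(unmet, key=lambda s: (not s.show_stopper, s.sid not in required, s.effort))
    return [s.sid for s in ordered]

def run_sample():
    # Constructed sample: three external requirements and five internal standards.
    requirements = {"REQ-1": {"STD-PATCH", "STD-VULNSCAN"}, "REQ-2": {"STD-MFA"}, "REQ-3": set()}
    standards = [Standard("STD-PATCH", False, show_stopper=True, effort=3),
                 Standard("STD-VULNSCAN", True), Standard("STD-MFA", False, effort=2),
                 Standard("STD-PWLEN", False, effort=1),
                 Standard("STD-BACKUP", False, show_stopper=True, effort=4)]
    before = map_requirements(requirements, standards)
    added = add_standards_for_gaps(requirements, standards)
    return before, added, improvement_queue(requirements, standards)
```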
Tradeoffs will have to be made as information security “competes” for attention and resources. This is in keeping with one of the functions of the Leadership Team being to provide management guidance to the organization so it can effectively meet information security objectives.
Assessments Need to be Done Regularly
A full assessment needs to be done annually.
More generally, an organization should conduct a periodic Information Security Risk Assessment of its Information Security Management Program in response to changes in
- The threat environment
- Its information systems
- Its business operations
- Laws and regulations
- Such other matters as may reasonably be expected to impact the ability of the Information Security Management Program to meet its objectives
The First Assessment
Some organizations already have in place the elements of an Information Security Management Program. The starting point for these organizations is a top-to-bottom assessment designed to provide an actionable set of findings and recommendations across the entire organization. As described earlier, the objective is to put together an appropriate assessment, deep enough to get actionable findings and recommendations while still sufficiently cost-effective to avoid diminishing returns.
In the situation more common among small and medium-sized organizations, the organization will have a degree of information security management in IT but will not yet have begun to implement the other elements of information security management. It’s natural in these environments to combine
- An in-depth assessment of IT security management
  - The Code of Basic IT Security Management Practices can be mapped against the Policies and Standards to ensure the IT Security Management Standards are robust enough to meet required risk-management and protection requirements
- A higher-level assessment of the basic “corporate-level” information security management needs
  - Policies and standards
  - Management structure
  - Classification and control
  - User awareness training
  - 3rd-party security management
  - Preparedness, incident response and business continuity
Beginning organizations should scope the assessment so as to get an overall perspective of how well they’re doing in these management areas. There will be time for deeper looks as the organization’s security management matures.
The Assessment as Key to Continuous Improvement
Information security management requires continuous performance improvement so as to identify and respond to
- Changes in the threat environment, laws and regulations and their impact on an organization’s associated risk profile
- Changes in the organization
- Changes in the IT infrastructure
- The availability of new and improved countermeasures
- Discovered weaknesses in existing countermeasures
There are four basic steps to continuous improvement in every discipline:
- Assess the situation
- Decide what to do to improve the situation
- Plan the improvement project
- Implement the improvement plan; then return to the first step and assess again.
Thus, the Information Security Management and Leadership Team should adopt the perspective that it will do an annual or more frequent assessment, using the output as input to its improvement efforts.
Contributed by Citadel Information Group
© Copyright 2018. Citadel Information Group. All Rights Reserved.
SecureTheVillage Webinar: Conducting an Information Security Risk Assessment
Webinar Deck (PDF): Conducting an Information Security Risk Assessment
June 29, 2018: Stan’s Guest: John Coleman, Pacific Premier Bank