Businesses face risk every day. It’s a part of getting business done, especially in our digital world. Managing risk is critical, and that process starts with a risk assessment. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed to threats. A successful risk assessment process should align with your business goals and help you cost-effectively reduce risks.
Why carry out a cyber security risk assessment?
Risk assessment – the process of identifying, analysing and evaluating risk – is the only systematic way to ensure that the cyber security controls you choose are proportionate to the risks your organisation actually faces, rather than to a generic checklist.
What does a cyber security risk assessment include?
A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property), and then identifies the risks that could affect those assets. We then estimate and evaluate each risk, and select controls to treat the risks that are above your tolerance. Because the context of the organisation changes (new systems, new suppliers, new attackers), the risk environment must be monitored and reviewed continually, and an overview of the complete risk management process maintained, rather than treated as a one-off exercise.
How we conduct our risk assessment
- a) System Characterization - Our team characterizes the client's system to determine which threats are viable for it. This includes establishing: What is the system? Who uses it? What kind of data does it process and store? Where does the information flow to? Who is the vendor?
- b) Threat Identification - Some basic threats will appear in every risk assessment; depending on the system, additional threats are included. Common threat types include:
Unauthorized access (malicious or accidental). This could result from a direct hacking attack or compromise, a malware infection, or an insider threat.
Misuse of information (or privilege) by an authorized user. This could be the result of an unapproved use of data, or of changes made without approval.
Data leakage or unintentional exposure of information. This includes permitting the use of unencrypted USB or optical media without restriction; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
Loss of data. This can be the result of poor replication and back-up processes, or of back-ups that are never tested by restoring them.
Disruption of service or productivity, whether caused by an attack or by an outage.
- c) Determination of Inherent Risk and Impact - In this step, we use the system characterization to determine the impact to the client's organization if the threat were exercised, before any controls are taken into account. The impact ratings are:
- High – Impact could be substantial.
- Medium – Impact would be damaging, but recoverable, and / or is inconvenient.
- Low – Impact would be minimal or non-existent.
- d) Analysis Of the Control Environment - We typically look at several categories of information to adequately assess the control environment. Ultimately, we want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:
- Organizational Risk Management Controls
- Infrastructure Data Protection Controls
- Data Center Physical & Environmental Security Controls
- Continuity of Operations Controls
- e) Determining Likelihood - We then determine the likelihood of the given threat being exercised, taking into account the control environment that is in place. At vcs-inc we rate likelihood as:
- High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
- Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
- Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
- f) Calculating The Risk Rating - Even though a great deal of information and work goes into determining the risk rating, it all comes down to a simple equation:
Impact (if exploited) * Likelihood (of exploit in the assessed control environment) = Risk Rating
Both factors are ordinal ratings (High, Medium, Low), so the product is a relative ranking used to prioritize remediation, not an absolute measure of loss. The resulting risk ratings are:
- Severe – A significant and urgent threat to the organization exists, and risk reduction remediation should be immediate.
- Elevated – A viable threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
- Low – Threats are normal and generally acceptable, but may still have some impact to the organization. Implementing additional security enhancements may provide further defense against potential or currently unforeseen threats.
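The following is an added worked example of steps c) to f) above, written for this page; it is not vcs-inc's own tooling. It assumes a numeric scale of Low = 1, Medium = 2, High = 3 for both impact and likelihood, derives the likelihood rating from the threat-source's motivation and the number of effective controls using the wording of step e), and buckets the product into Severe (6 or above), Elevated (3 to 5) and Low (2 or below). Those thresholds and the sample threats are assumptions chosen for illustration, not values stated on this page.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordinal scale (not defined on the page): Low=1, Medium=2, High=3.
SCALE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Threat:
    asset: str
    threat: str
    impact: str              # step c): High / Medium / Low, before controls
    motivation: str          # step e): threat-source motivation and capability
    effective_controls: List[str]  # step d): controls judged effective against this threat


def likelihood(motivation: str, effective_controls: List[str]) -> str:
    """Likelihood rating per step e).

    Assumed mapping of the page's wording:
      - a threat-source that lacks motivation or capability -> Low
      - two or more effective controls 'significantly impede' -> Low
      - one effective control 'may impede'                    -> Medium
      - no effective control -> likelihood equals motivation (High or Medium)
    """
    if motivation == "Low":
        return "Low"
    if len(effective_controls) >= 2:
        return "Low"
    if len(effective_controls) == 1:
        return "Medium"
    return motivation


def risk_score(impact: str, lik: str) -> int:
    """Step f): Impact * Likelihood on the assumed 1..3 scale, giving 1..9."""
    return SCALE[impact] * SCALE[lik]


def risk_rating(score: int) -> str:
    """Assumed bucketing of the 1..9 product into the page's three ratings."""
    if score >= 6:
        return "Severe"
    if score >= 3:
        return "Elevated"
    return "Low"


def assess(threats: List[Threat]) -> List[Tuple[str, str, str, int, str]]:
    """Build a risk register sorted so Severe items come first.

    Returns (asset, threat, likelihood, score, rating) per entry.
    """
    register = []
    for t in threats:
        lik = likelihood(t.motivation, t.effective_controls)
        score = risk_score(t.impact, lik)
        register.append((t.asset, t.threat, lik, score, risk_rating(score)))
    # Highest score first; ties keep input order so the register is stable.
    register.sort(key=lambda row: row[3], reverse=True)
    return register


# Constructed sample register for illustration only.
SAMPLE_THREATS = [
    Threat("Customer database", "Unauthorized access via malware",
           impact="High", motivation="High", effective_controls=[]),
    Threat("Staff laptops", "Data leakage via unencrypted USB",
           impact="Medium", motivation="Medium",
           effective_controls=["USB device control"]),
    Threat("Backup system", "Loss of data from failed replication",
           impact="High", motivation="Low",
           effective_controls=["Off-site replication", "Quarterly restore test"]),
    Threat("Public website", "Disruption of service",
           impact="Low", motivation="Medium",
           effective_controls=["DDoS mitigation", "CDN fronting"]),
]

if __name__ == "__main__":
    for asset, threat, lik, score, rating in assess(SAMPLE_THREATS):
        print(f"{rating:9} score={score} likelihood={lik:6} {asset}: {threat}")
```

The point of carrying the calculation through is that the same inherent impact can land in different rating buckets depending on the control environment: the backup threat has High impact but ends up Elevated rather than Severe only because two effective controls drive its likelihood down. Change the assumed thresholds or scale and the ordering of the register changes with them, which is why those choices should be agreed with the business before the assessment starts.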