A security risk assessment identifies and assesses the risks to an organization’s applications and the key security controls that address them. It also focuses on preventing application security defects and vulnerabilities before they reach production. Carrying out a risk assessment allows an organization to view its application portfolio holistically, from an attacker’s perspective. It supports managers in making informed decisions about resource allocation, tooling, and which security controls to implement. Conducting an assessment is an integral part of an organization’s risk management process.
The most important concept to understand in cybersecurity and privacy-related risk management is that the cybersecurity and IT departments generally do not “own” risk. The reality of the situation is that risk management is a business management decision, where the cybersecurity and privacy functions primarily serve as a mechanism to educate those business stakeholders on identified risks and provide possible risk treatment solutions.
Risk Management can be broken down into the following 16 steps:
- IDENTIFY RISK MANAGEMENT PRINCIPLES
- It is necessary to identify one or more risk management principles that will form the basis of how the entity approaches its risk management processes. The alignment with risk management principles must support the entity’s policies and standards for risk management objectives.
- IDENTIFY, IMPLEMENT & DOCUMENT CRITICAL DEPENDENCIES
- This is a multi-step process that involves identifying, implementing and documenting the critical dependencies (risk management, technology and business dependencies, covered in the next three items) that are necessary to legitimately identify, assess and manage risk.
- RISK MANAGEMENT DEPENDENCIES
- It is vitally important to establish the fundamental risk management dependencies (shared definitions of risk, threat, vulnerability, likelihood and impact, and the scales used to rate them). These need to be standardized entity-wide or the entity will be hampered by conflicting definitions and expectations.
- TECHNOLOGY DEPENDENCIES
- In order to support risk management processes, it is necessary to establish the technology dependencies that affect risk management decisions.
- BUSINESS DEPENDENCIES
- In order to support risk management processes, it is necessary to establish the business dependencies that affect risk management decisions.
- FORMALIZE RISK MANAGEMENT PRACTICES
- Document a formal Risk Management Program (RMP) that supports the entity’s policies & standards. The RMP is meant to document the program-level guidance that defines the “who, what, why, when & how” about the entity’s specific risk management practices.
- ESTABLISH A RISK CATALOG
- It is necessary to develop a risk catalog that identifies the possible risks that affect the entity.
- ESTABLISH A THREAT CATALOG
- It is necessary to develop a threat catalog that identifies the possible natural and man-made threats that affect the entity’s security & privacy controls.
- ESTABLISH A CONTROLS CATALOG
- It is necessary to develop a catalog of security and privacy controls that addresses the entity’s applicable statutory, regulatory and contractual obligations. Risks must map to the entity’s security & privacy controls. Ideally, the controls are weighted, since not all security & privacy controls are equal: a control that addresses most of a risk should count for more than one that only partially addresses it.
- DEFINE CAPABILITY MATURITY MODEL (CMM) TARGETS
- It is necessary for an entity to define “what right looks like” for the level of maturity it expects for deployed security and privacy controls. This is generally defined by aligning with a Capability Maturity Model (CMM).
- Maturity model criteria should be used by the organization as the benchmark to evaluate security and privacy controls.
- PERFORM RISK ASSESSMENTS
- With the previous steps addressed, an assessor leverages those deliverables (e.g., the Risk Management Program (RMP), threat catalog, risk catalog and controls catalog) to implement a functional capability to assess risk across the entity. The assessment criteria documented in the previous steps exist to guide the assessor when performing risk assessments.
- ESTABLISH THE CONTEXT FOR ASSESSING RISKS
- Now that a methodology exists to assess risk, it is necessary for the assessor to establish the context of the Security & Privacy Risk Environment (SPRE). The SPRE is the overall operating environment that is in scope for the risk assessment. This is where the threats, risks and vulnerabilities affect the entity’s protection measures.
- CONTROLS GAP ASSESSMENT
- Based on the applicable statutory, regulatory and contractual obligations that impact the SPRE, the entity is expected to have an applicable set of controls to cover those needs. That set of controls identifies the in-scope requirements that must be evaluated to determine what risk exists.
- ASSESS RISKS
- Once control deficiencies are identified, the assessor must use an entity-accepted method to assess the resulting risk in the most objective manner possible.
- DETERMINE RISK
- Ultimately, risk needs to be understandable to the people who must act on it. This is why a risk score is generally bucketed into a small set of pre-defined categories (for example low, moderate, high, critical).
- Before a risk report can be documented, it is very important to clarify whether the results of the assessment represent “inherent risk” or “residual risk”, since those have entirely different meanings and implications.
- INHERENT RISK: The Occurrence Likelihood (OL) combined with the Impact Effect (IE) gives the “inherent risk” score. This is considered a raw or unmitigated risk score. It is important to note that inherent risk does not take into account any control weighting, the maturity of implemented controls or any other mitigating factors.
- RESIDUAL RISK: The “residual risk” score does take control weighting, the maturity of implemented controls and other mitigating factors into account, and is obtained by expanding upon the inherent risk calculation. To arrive at the residual risk score, the inherent combination of Occurrence Likelihood (OL) and Impact Effect (IE) is adjusted by the Control Weighting (CW), the Maturity Level (ML) of the implemented controls and any Mitigating Factors (MF).
- PRIORITIZE & DOCUMENT RISKS
- Once risk has been identified, it is necessary to prioritize and document the identified risk(s).
- IDENTIFY THE APPROPRIATE MANAGEMENT AUDIENCE
- It is critically important that, as part of an entity’s program to manage risk, the various levels of management are identified along with their authority, each with a prescribed ability to make risk management decisions. This helps prevent low-level managers from recklessly accepting risk whose acceptance should be reserved for more senior management.
- MANAGEMENT DETERMINES RISK TREATMENT
- Risk management is a management decision: management ultimately decides how risk is to be handled. This benefits security, technology and privacy personnel. Quality risk assessments and risk management documentation provide proof that reasonable steps were taken to identify, assess, report and mitigate risk, which firmly places the responsibility on the management of the team/department/line of business that “owns” the risk.
- IMPLEMENT & DOCUMENT RISK TREATMENT
- When managing risk, the tracking should be kept as simple as possible. Realistically, the status of a risk treatment is either “open” or “closed”, but it can sometimes be useful to provide more granularity for open items (for example: accepted, in remediation, transferred) to assist in reporting on risk management activities.
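The DETERMINE RISK and PRIORITIZE & DOCUMENT RISKS steps above are easiest to understand with numbers. The following is an added example, not code from the page or from IT Minister: it scores a small constructed risk register, computes both the inherent score (OL combined with IE) and a residual score adjusted by CW, ML and MF, buckets each score into a category, and re-ranks the register by residual risk. The page only names the residual-risk factors, so the exact formula, the 1–5 scales for OL and IE, the 0–5 maturity scale, the 0.0–1.0 control weighting, the cap on mitigating factors and the category thresholds are all assumptions made here for illustration.

```python
"""Inherent vs. residual risk scoring for a risk register (added example).

Assumed scales (not defined on the page):
  OL, IE : integers 1..5 (Occurrence Likelihood, Impact Effect)
  CW     : 0.0..1.0, share of the risk the mapped controls address (Control Weighting)
  ML     : integers 0..5, CMM-style Maturity Level of the implemented controls
  MF     : 0.0..0.5, fractional reduction from other Mitigating Factors (assumed cap)
"""
from dataclasses import dataclass

# Assumed category thresholds on the 1..25 inherent scale, checked top-down.
RISK_BANDS = ((20, "Critical"), (12, "High"), (6, "Moderate"), (0, "Low"))


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    ol: int
    ie: int
    cw: float
    ml: int
    mf: float


def _check_range(name: str, value: float, lo: float, hi: float) -> None:
    """Reject scores outside the agreed scale so a typo cannot silently skew a ranking."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value!r} outside [{lo}, {hi}]")


def inherent_risk(ol: int, ie: int) -> int:
    """Raw, unmitigated score: likelihood combined with impact, no controls considered."""
    _check_range("OL", ol, 1, 5)
    _check_range("IE", ie, 1, 5)
    return ol * ie


def residual_risk(ol: int, ie: int, cw: float, ml: int, mf: float) -> float:
    """Inherent score reduced by how much the controls cover (CW), how mature they
    are (ML as a fraction of the top level) and any other mitigating factors (MF).
    The combination below is an assumed formula for illustration."""
    _check_range("CW", cw, 0.0, 1.0)
    _check_range("ML", ml, 0, 5)
    _check_range("MF", mf, 0.0, 0.5)
    effectiveness = cw * (ml / 5.0)          # an immature control earns little credit
    remaining = inherent_risk(ol, ie) * (1.0 - effectiveness)
    return round(remaining * (1.0 - mf), 2)


def risk_band(score: float) -> str:
    """Bucket a score into the pre-defined categories so it is understandable."""
    for threshold, label in RISK_BANDS:
        if score >= threshold:
            return label
    return RISK_BANDS[-1][1]


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Rank by residual risk (what is actually left), breaking ties on inherent risk."""
    return sorted(
        register,
        key=lambda r: (residual_risk(r.ol, r.ie, r.cw, r.ml, r.mf),
                       inherent_risk(r.ol, r.ie)),
        reverse=True,
    )


# Constructed sample register; the entries are illustrative, not real findings.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Credential stuffing against customer portal", 4, 5, 0.8, 3, 0.1),
    RiskEntry("R-02", "Unpatched internet-facing VPN appliance", 3, 5, 0.3, 1, 0.0),
    RiskEntry("R-03", "Loss of backup media in transit", 2, 3, 0.9, 5, 0.2),
]


def report(register: list[RiskEntry]) -> list[dict]:
    """One row per risk with both scores and categories, in priority order."""
    rows = []
    for r in prioritize(register):
        inh = inherent_risk(r.ol, r.ie)
        res = residual_risk(r.ol, r.ie, r.cw, r.ml, r.mf)
        rows.append({"id": r.risk_id, "inherent": inh, "inherent_band": risk_band(inh),
                     "residual": res, "residual_band": risk_band(res)})
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(row)
```

Note how the ranking changes: R-01 has the highest inherent score (20, Critical) but a reasonably mature control brings it down to Moderate, while R-02 starts lower (15) yet stays High because its control is weak and immature. Reporting only inherent scores would steer management toward the wrong item first, which is exactly why the page insists on stating which of the two a report contains.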
A comprehensive security assessment allows an organization to:
- Identify assets (networks, servers, applications, data centers, tools, etc.) within the organization.
- Create risk profiles for each asset.
- Understand what data is stored, transmitted, and generated by these assets.
- Assess each asset’s criticality to business operations, including the overall impact to revenue and reputation and the likelihood that the asset is exploited.
- Measure the risk ranking for assets and prioritize them for assessment.
- Apply mitigating controls for each asset based on assessment results.
It’s important to understand that a security risk assessment isn’t a one-time security project. Rather, it’s an ongoing activity that should be repeated at least once every other year, and sooner when the environment changes materially (new systems, new threats, new obligations). Regular re-assessment provides an organization with a current, up-to-date picture of the threats and risks to which it is exposed.
How Can ITM Help You?
IT Minister covers all aspects of Cyber Security, including but not limited to managed home cyber security solutions, automated and managed threat intelligence, forensic investigations, Mobile Device Management, Cloud security best practice & architecture, and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.