There’s been a lot of talk about standards and compliance (ISO 27001 and GDPR to name a few). We’ve been talking about these standards quite a bit lately (ISO 27001: The Compliance Chameleon and What is GDPR and how does it Affect American Businesses?). What we haven’t done a lot of is talk about what people need to do to prepare for these standards while assuring you’re compliant with the obligations you already have.
One of the best ways to prepare is to conduct a Risk Assessment for your business. We sat down with Darrin Maggy, CISSP, Practice Manager for Integris’ Security Advisory Services, to review the seven steps of a Risk Assessment.
While we’ve done our best to put these steps into an organized list, many of them are interconnected, and when you go through a Risk Assessment, you’ll be bouncing back and forth between them as new information comes to light.
Step 1: Identify Your Information Assets
An information asset is any information or asset that is valuable to your business and contributes to its ability to operate and its profitability. Typically you need to look for things like paper or electronic documents, applications, databases, infrastructure, even key people. That’s an information asset.
“Generally what we do to start the asset identification process is issue a questionnaire,” Maggy said. “It’s brief, and it’s meant to prompt people through the process of understanding exactly what we’re looking for and how to find it.”
Step 2: Identify the Asset Owners
After you’ve identified your information assets, Security7 determine who within the business is responsible for those assets. Maggy said the recipients of the questionnaire typically exist at the layer directly below the CEO on the org chart.
“Finance, Operations, HR, Sales, etc., these folks are typically aware of which corporate assets they’re responsible for and which assets are most critical to the business,” he said.
Maggy said it’s important to identify asset owners as they are the best source of knowledge regarding the potential vulnerabilities and threats to the assets and they can also help assess the likelihood and impact of the identified risks were to materialize.
Step 3: Identify Risks to Confidentiality, Integrity, and Availability of the Information Assets
“Confidentiality, Integrity, and Availability of information are the foundation of information security,” Maggy said. “Let’s use an analogy to help explain this.”
Maggy said imagine you’re doing business with your bank. You’re going to make a deposit, log into your account to make sure the deposit has posted to your account, and then withdraw the money.
You expect confidentiality when you deposit your money. That transaction is between you and your bank. “It’s nobody’s business that you’ve just conducted that transaction,” Maggy said. “The bank shouldn’t advertise the fact that you just deposited $50 or $5000 into your account.”
Integrity comes into play when you log into your account only to find the transaction hasn’t been posted. “Say you deposited $50 and only see $10 or nothing at all,” Maggy said. “Something’s happened regarding the integrity of that transaction, the integrity of the information.”
Availability comes about when you go to an ATM and try to withdraw that $50 and you’re unable to do so, now you have an availability issue.”
Maggy said all three of these things apply to data as well any breach of Confidentiality, Integrity, and Availability is considered a security incident. “Let’s apply these concepts to business.
“If somebody in sales needs to access Salesforce.com and they’re unable to do so, that’s an availability issue. If somebody from HR goes into Salesforce.com and they alter a major account record, making substantial changes to the record, and ultimately those changes alter the way that client is handled in the organization then you’ve just had a breach of integrity,” he said.
“Overall, confidentiality is identifying the processes, the assets, the information, the things in the organization that need to be kept private,” Maggy said. “Whether its existential data that you don’t want your competitors to find out about such as information related to M&A activity or new product development, financial information, or other sensitive data. That’s confidentiality.”
Step 4: Identify the Risk Owners
Remember when we said you might bounce around between the steps? Well, here’s an example of that.
“Oft times we’ll determine that the asset owner ends up being the risk owner as well,” Maggy said.
Maggy said risk owners are those with the accountability and authority to manage risk. “The asset owner is the person responsible for the asset within the company. A risk owner is a person who is both interested in resolving a risk and is positioned high enough in the organization to do something about it.”
However, the risk owner isn’t always the asset owner. “it has to be someone who is closely related to processes and operations where the risks have been identified – it must be someone who will feel the “pain” if the risks materialize – that is, someone who is very much interested in preventing such risks from happening. However, this person must be also positioned high enough so that his or her voice would be heard among the decision-makers because without obtaining the resources this task would be impossible.”
Step 5: Analyze the Identified Risks and Assess the Likelihood and Potential Impact if the Risk Were to Materialize
Maggy said it’s important to always provides Risk Assessment training directly to the people who are going to be involved in the Risk Assessment process.
“We do this to bring everyone involved in the process up to speed,” he said. “It helps them understand the methodology, the terminology, and the risk identification and treatment process so we can better assure a high quality, refined output.
Step 6: Determine the Levels of Risk
Security7 Networks has assembled a collection of Risk Catalogs to help the participants on their journey. The catalogs help identify specific threats and vulnerabilities and allows them to walk organizations through the likelihood and consequence scenarios.
“We give the potential impact and likelihood of these threats occurring a numerical value in our risk matrix.”
The total of these values ultimately determines which risks will require treatment.
“Then you have to decide how you’re going to reduce those risks to a level that the organization is willing to accept or is comfortable with, no more no less,” he said.
Step 7: Prioritize the Analyzed Risks for Treatment
The primary risk treatment options an organization has to consider are risk mitigation, risk transfer, risk avoidance, and risk acceptance.
“Maybe you’re going to put a security control in place from Annex A or SP 800-153 or another control catalog. That’s risk mitigation,” Maggy said.
“Risk transfer is when you transfer the risk through outsourcing to a contract supplier or insuring a particular asset.”
“Risk avoidance is when you discontinue the activity that’s associated with the risk,” he said.
“Risk acceptance is where an organization says ‘you know what?’ The treatment would cost more than the potential impact was the risk to materialize. We accept this risk. It’s been signed off on by our executive suite,’” he said. “Then they file the risk acceptance memo within their information security management system.”
If you’re interested in a Risk Assessment for your business or just looking to see how your business stacks up when it comes to compliance with current compliance standards, reach out to us for a free consultation.