IT Risk Assessments: Prioritizing Risks

SaltyCloud Research Team

Updated Feb 18, 2019 · Read Time 8 min

TL;DR:

Prioritize addressing cybersecurity risk assessment findings by focusing resources on issues with the largest impact, and then tackle subsequent problems based on their importance, akin to risk assessment triage.

As you start to tackle the problems that were identified during a cybersecurity risk assessment, you must begin deploying your resources to the areas that are going to produce the largest positive impact. You might have issues that relate directly to one department or one team within a department, or you might have issues that impact the entire organization. Direct your resources toward the issues that have the widest impact first and foremost. After that, you can tackle subsequent issues based on their level of importance. Think of this as risk assessment triage.

Determine your framework

TL;DR:

Choose a flexible, risk-based cybersecurity framework that aligns with industry best practices and regulatory compliance, while considering organization-specific risks and needs to effectively manage and reduce cybersecurity threats.

Before you can begin a risk assessment, you must first choose a framework that will help you assess and uncover the most risk. There are standards and question sets determined by federal/state law or research contracts which need to be implemented. You also need to make sure that your assessment demonstrates regulatory compliance with HIPAA, GLBA, etc. for covered entities. Obviously, industry best practices should be used when determining a framework as well. If you need solid examples, look for question sets from respected campuses or organizations like Educause’s Higher Education Information Security Council (HEISAC).

Your cybersecurity framework functions as your guide to managing and reducing existing cybersecurity risk. For example, the NIST Cybersecurity Framework is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. Organizations can better manage and reduce cybersecurity risk with existing guidelines, practices, and standards. All organizations should review and consider their framework, because it must be flexible enough to be adopted by every critical infrastructure sector regardless of the state of its existing cybersecurity practices.

Your framework is risk-based, so as an organization you get to determine the appropriate level of cybersecurity based on the existing risk environment, your current requirements, and company objectives. For example, many state and large research universities use NIST 800-53 low and medium controls to meet internal risk tolerance and/or state law or research contract requirements. Customized implementations can be put into action while integrating stakeholder input throughout.

Every organization will face its own set of cybersecurity risks, not just large organizations. Therefore all businesses have to consider using a framework and adapting it in such a way that it supports their cybersecurity needs and maximizes business value. Your framework has to be customized based on your risks, your situation, and your needs.

Set your scope

TL;DR:

Define and prioritize the scope of a cybersecurity program by addressing different company resources, starting with the most sensitive data and critical assets, and gradually expanding to broader areas, while helping executives understand the depth of the scope requirements.

After your executives have agreed to rectify the issues found in a risk assessment, you have to define the scope of the program or perhaps further define your inventory of assets. The scope is going to encompass your entire company to some degree, but you might have one scope specifically for internal resources, another scope for your customer resources, and a final scope for your third-party resources. The scope can be defined in terms of the technology or business, the people or buildings, or the application or process. As a cybersecurity professional you have to help executives understand the depth of the scope requirements. Start narrow, then go broad. Where is your most sensitive data? Start with a data center and other critical assets/units before you go campus-wide. Stack up small wins to build momentum in subsequent cycles.

Develop your methodology

TL;DR:

Develop a methodology for your project by selecting a data collection method and organizing the information using tools such as spreadsheets or workflow automation software.

Next, you will have to develop your methodology. Specifically, this means you will have to determine the method you will use for data collection, such as interviews or survey-based tools. Your chosen method will also require a way to categorize all of this information, which can be done through things like spreadsheets or workflow automation software.

Managing inventory

TL;DR:

Create an inventory of assets, including technology, data, processes, and people, using tools like spreadsheets or specialized software, and track them through their life cycles to better understand and protect your resources.

Inventories can be managed using a simple spreadsheet or with special software applications that include tracking mechanisms and automated discovery. You can start your inventory with hard assets like your desktops, or soft assets like your operating systems or data. Regardless of where you start, taking inventory is a fundamental step, because if you don’t know what needs to be protected you can’t properly implement any resolution.

In your inventory, make sure that you include things like technology, data, processes, and people. Use current business processes to make it easier on yourself when tracking assets. You can, for example, define a life cycle for the beginning, middle, and end of every asset class you have in order to understand how and where data is collected, on what device it is stored or backed up, who has access, and when they were granted access.

Work with your departments

TL;DR:

Gather information on data handling and storage by examining HR department processes, such as recruitment, hiring, and employee maintenance, and consult multiple HR representatives to gain a comprehensive understanding of the data lifecycle.

For example, your HR department handles a great amount of data in the people asset class. They are involved in processes such as recruiting new employees, hiring them, and maintaining them during their employment through things like performance reviews, transfers, or terminations. You can walk through process-based life cycles in order to acquire information about all of the collected data, what human method or software is used to collect this data, and where that data is stored. You might have to ask more than one HR representative where the information is or how they collect it, because one individual may only be in charge of one aspect of the data.

Mapping workflows

TL;DR:

Utilize workflows, interviews, and automation software to efficiently collect information from different departments, document processes, and enhance your inventory, ultimately streamlining risk assessment and fostering long-term problem-solving momentum.

There are workflows that can be mapped through your existing processes which will make collecting information from different business units much easier. You can use basic interview-style conversations or surveys with the personnel of every department to uncover the information you need. For example, you can talk to the finance department about information relating to credit cards, talk to the sales department about data directly pertaining to customers, and talk to the marketing department about the pages that make up the website. All of these processes need to be documented somewhere to ensure a thorough search. Of course, don’t forget to include them in your inventory.

That said, if you use automation software you can carry forward previous responses, expedite mapping processes like these, and avoid other repetitive tasks. In addition, automatic roll-up and reporting will allow you to scale your efforts over multiple business units and make your risk assessment process more efficient. Using automation software rather than a simple spreadsheet will benefit you more in the long run. The faster your tasks complete, the sooner you can finish company-wide solutions, the more wins you can put under your belt, and the more momentum you can gather for long-term problem-solving.

How Isora GRC from SaltyCloud can help

TL;DR:

Isora GRC from SaltyCloud is the powerfully simple solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline compliance and risk management for your organization.
