February 18, 2019
IT Risk Assessments: Prioritizing Risks
As you start to tackle the problems that were identified during a cybersecurity risk assessment, you must begin deploying your resources to the areas that are going to produce the largest positive impact. You might have issues that relate directly to one department or one team within a department, or you might have issues that impact the entire organization. You must direct your resources toward the issues that the widest impact first and foremost. After that, you can tackle subsequent issues based on their level of importance. Think of this as risk assessment triage.
Determine Your Framework
Before you can begin a risk assessment, you must first choose a framework that will help you assess and uncover the most risk. There are standards and question sets determined by federal/state law or research contracts which need to be implemented. You also need to make sure that your assessment demonstrates regulatory compliance with HIPAA, GLBA, etc. for covered entities. Obviously, industry best practices should be used when determining a framework as well. If you need solid examples, look for question sets from respected campuses or organizations like Educause’s Higher Education Information Security Council (HEISAC).
Your cybersecurity framework functions as your guide to managing and reducing existing cybersecurity risk. For example, in the NIST cybersecurity framework there are five functions which comprise the central functions of the framework including identification, protection, detection, response, and recovery. Organizations can better manage and reduce cybersecurity risk with existing guidelines, practices, and standards. All organizations should review and consider their framework because it must be flexible enough to be adopted by all critical sectors of infrastructure no matter the state of existing cybersecurity practices.
Your framework is risk-based so as an organization you get to determine the appropriate level of cybersecurity based on the existing risk environment, your current requirements, and company objectives. For example, many state and large research Universities use NIST 800-53 low and medium controls to meet internal risk tolerance and/or state law or research contract requirements. Customized implementations can be put into action integrating stakeholder opinions at all times.
Every organization will face its own set of cybersecurity risks, not just large organizations. Therefore all businesses have to consider using a framework and adapting it in such a way that it supports cybersecurity needs and maximizes business values. Your framework has to be customized based on your risks, your situation, and your needs.
Set Your Scope
After your executives have agreed to rectify the issues found in a risk assessment, you have to define the scope of the program or perhaps further define your inventory of assets. The scope is going to encompass your entire company to some degree but you might have one scope specifically for internal resources, another scope for your customer resources, and a final scope for your third-party resources. The scope can be defined in terms of the technology or business, the people or buildings, or the application or process. As a cybersecurity professional you have to help executives understand the depth of the scope requirements. Start narrow then go broad. Where is your most sensitive data? Start with a data center and other critical assets/ units before you go campus-wide. Stack up small wins to build momentum in subsequent cycles.
Develop Your Methodology
Next, you will have to then develop your methodology. Specifically, this means you will have to determine the method you will use for data collection such as interviews or survey-based tools. Your chosen method will also, therefore, require a way to categorize all of this information which can be done through things like spreadsheets or workflow automation software.
Inventories can be managed using a simple spreadsheet or with special software applications that include tracking mechanisms and automated discovery. You can start your inventory with hard assets like your desktop, or soft assets like your operating systems or data. Regardless of where you start, taking inventory is a fundamental step because if you don’t know what needs to be protected you can’t properly implement any resolution.
With your inventory make sure that you include things like technology, data, processes, and people. Use current business processes to make it easier on yourself when tracking assets. You can, for example, use a life cycle for the beginning, middle, and end of every asset class you have in order to understand how and where data is collected, where it is stored or backed up on what device, who has access, and when they were granted access.
Work With Your Departments
For example, your HR department will have their hands on a great amount of data for the people asset class of your data. They are involved in processes such as recruiting new employees, hiring them and maintaining them during their employment by providing things like performance reviews, transfers, or terminations. You can walk through process-based life cycles in order to acquire information pertaining to all of the collected data, what human method or software is used to collect this data, and where that data is stored. You might have to ask more than one HR representative where the information is or how they collect it because one individual may only be in charge of one aspect of the data.
There are workflows that can be mapped through your existing processes which will make collecting information from different business units much easier. You can use basic interview-style conversations or surveys with the personnel of every department to uncover the information you need. For example, you can talk to the financial department about information relating to credit cards, you can talk to the sales department about data directly pertaining to customers, and you can talk to the marketing department about any underlying pages that comprise the website. All of these processes need to be documented somewhere to ensure a thorough search. Of course, don’t forget to include them in your inventory.
That said, if you use automation software you can pull forward responses and expedite mapping processes like these, and avoid other repetitive tasks. In addition, automatic roll up and reporting will allow you to scale your efforts over multiple business units and make your risk assessment process more efficient. Using automation software rather than a simple spreadsheet will benefit you more in the long run. The more expeditious your tasks, the sooner you can complete company-wide solutions, the more wins you can put under your belt, and the more momentum you can gather for long-term problem-solving.
Even if you have completed your risk assessment and you have the executives on board for problem-solving, this is a slow process and is going to take time. Be patient with yourself and with your staff. Find ways to save time when and where possible without compromising quality. One of the best ways to do this is to use automation software to help you take the most efficient path possible.
IT Risk Assessments are a critical component of any mature security program. Learn how to conduct your own with this quick guide.
IT Risk Assessments: Prioritizing Risks
As you start to focus on the issues discovered during a cybersecurity risk assessment, figuring out how to address them can prove difficult. However, there are a few strategies that can help
Using spreadsheets to conduct a risk assessment can be a powerful tool, but they have their limitations.
In-house and outsourced IT risk assessments both have their advantages and disadvantages. Depending on your institution’s needs, it is important to explore different arrangements