Conducting IT Risk Assessments Quick Guide
IT Risk Assessments are a critical component of any mature security program. And more and more, they’re becoming a regulatory requirement. That being said, implementing a risk assessment program from scratch can be a daunting task faced with many obstacles. You might find yourself experiencing the following emotions as you progress toward accepting that a risk assessment must be done.
- “If we don’t assess risk we don’t have risk.” — Management
- “Why are you doing this?!” — Stakeholders
- “What if we start with CIS 20 or NIST CSF/800-171/ 800-53 P1 controls in year one? And we only focus first on the highest risk department.” — Savvy CISO
- “What do you mean you saved over my spreadsheet?” — Risk Officer
- “ Yes! We documented risk over time and identified key areas to reduce risk.” — Happy Organization
Why conduct a risk assessment?
In recent conversations with university CISOs and CIOs, the two most common needs for a risk assessment include:
- begin documenting risk across their campus
- demonstrate regulatory compliance (i.e., GLBA or HIPAA)
Begin documenting risk
Conducting a risk assessment is the best way to discover where risk exists in an organization. Organizations can prioritize security budgets and awareness campaigns to be more resilient to cyber attacks. Usually, these campuses have an overarching framework in mind like CIS 20 or NIST 800-53, a subset of questions, and specific departments or units with the highest risk they would like to start with. This gives them an initial risk snapshot. In subsequent years when their risk culture has matured, the goal evolves to expand the question set and units covered to achieve a broader campus-wide risk assessment.
Demonstrate regulatory compliance
The catalyst to pursuing risk assessment near term include research universities that are increasingly required to document CUI compliance through NIST 800-171 or NIST 800-53 risk assessments as well as schools that need to comply with campus, system, state, or federal regulations such as GLBA, HIPAA, NIST, COBIT etc. In an effort to demonstrate compliance, these campuses may choose to focus only on the specific units that need to demonstrate regulatory compliance.
Where do I start?
Implementing a risk program looks differently for every campus. However, everyone usually arrives there the same. Here’s what you’ll need to do:
- Set your goals
- Choose your framework
- Create a plan
- Secure your stakeholders
- Start assessing
- Review your risk
- Implement and repeat
Set your goals
Before anything, you have to understand your immediate and long-term goals. Do you want to start documenting risk in an effort to build a more resilient organization or are you simply trying to prove compliance? Are you also wanting to inventory and classify assets? Whatever your goals, make sure you and your team are in agreement as it will dictate which framework you choose and the direction of your risk assessment program.
Choose your framework
Choosing a security framework can be challenging. There are a lot out there, and depending on your goals, you’ll need to choose one that best fits your needs. Remember, you don’t have to commit to an entire framework from the get go. You may find that certain sections are more relevant to your campus and your current goals. This is especially true for regulatory compliance which may only require you to adhere to certain sections of a larger framework.
Create a plan
Successful risk programs are multi-year commitments. It is rare to assess an entire campus in the very first risk assessment. It is wise to roll out a risk assessment program in small steps and overtime mature the risk culture at your campus. In other words, you can’t expect to get results if no one takes the risk assessment seriously. Take a look at your organization and begin to identify your most critical units. You could leverage this smaller sample set to pilot your program, receive feedback, and iterate on your plan. Over time, you can roll out the program to more and more units until you’ve reached a campus-wide risk assessment.
Secure your stakeholders
With your goals aligned and a plan in place, you’ll also need to bring major stakeholders on board. This can easily be the most challenging part of getting a risk assessment program off the ground as it usually involves getting budget. If you’ve done your due diligence, you can easily make several compelling arguments to get your stakeholders onboard.
Conducting a risk assessment for the first time can be a starkly different undertaking depending on your goals and the size of your organization. Typically, it involves emailing spreadsheets to individuals across your organization. Then, periodically reminding them to complete them and send them back. Even if you’re successful at getting all of your spreadsheets filled out, you can easily end up with tens of spreadsheets and no efficient way of tracking it all. Fortunately, you can leverage a questionnaire-based risk assessment tool to help you efficiently launch, manage, and track your risk assessments.
Review your risk
Once you’ve concluded your first risk assessment you’ll have a wealth of insightful risk data. If you’re using spreadsheets, you’ll first have to spend some time and resources to create reports manually. However, if you’re using a questionnaire-based risk assessment tool, you can easily roll up the collected risk data from across your organization to create risk reports.
Implement and repeat
After a successful risk assessment, you’ll hopefully be able to take your insights to justify your security budget and focus your efforts where the most risk exists. You’ll also have learned a few lessons to help you streamline your process when the time for the next risk assessment rolls around.
Conducting a risk assessment can be a tall order and the hardest part is getting started. However, with your goals in check, a strategic plan in place, and the right risk assessment tool, you can go zero to risk assessment in no time. There’s no better time than now to begin a sustainable risk assessment process on your campus.
Isora GRC can help streamline your risk assessment process. See why the security & risk teams at The University of California, Berkeley and The University of Texas at Austin trust Isora GRC to help them conduct risk assessments.