Your IT risk assessment is one of the most important pieces of a solid Information Security Program. A strong IT risk assessment helps in the development of strong policy as well as the improvement of an organization's security structure. However, not all IT risk assessments are equal. To get the most value from your IT risk assessment, which, in the end, allows you to make stronger security-minded decisions, certain features must be included. The way you lay out your assets, threats, and controls in your IT risk assessment is critical not only in identifying risk to the organization but in identifying where that risk lies and what your organization should be doing about it.
Identifying Assets
To ensure IT assets, both internally and externally hosted, are included in your organization's risk mitigation strategy, you must include all of the IT assets you use in your IT risk assessment; not simply the assets that you maintain on the organization's network. Remember, just because an asset is hosted at a data center doesn't mean the responsibility of securing the data being stored, processed, and transmitted through/on that asset shifts to the data center. It's up to you to determine whether that data center would protect your information properly and to the standard that you already have set at the organization.
To ensure your IT assets are protected appropriately, you must review those protections through your IT risk assessment. One of the more important decisions your risk assessment can help you make is which IT assets warrant their own assessment, whether that asset is a locally installed software package, a server, a workstation, a web application, an online banking product, or wireless internet.
When defining an IT asset in the IT risk assessment, there are three components to identify:
- Hardware
- Operating System
- Application
IT assets may be only one of those three components or the asset may include multiple or all three components. For example, a server or workstation is a combination of hardware and operating system, but the software and applications on the server or workstation will not be assessed, as they'll be assessed individually as separate IT assets.
When identifying your IT assets, you should also consider how valuable each IT asset is to your organization. We at SBS call the value of an IT asset the "Protection Profile." Not all assets warrant the same amount of attention or mitigation. A Protection Profile, like the one in the image displayed below, helps determine how important an asset is, while also allowing the organization to set higher expectations for assets with a higher Protection Profile and lower expectations for assets with a lower Protection Profile. This is extremely valuable in allowing you to prioritize and focus on the assets that are most important and that handle highly sensitive customer information.
Threats
Addressing threats is done very differently amongst risk assessment tools, and how the tool handles threats may be a major determining factor in how well your risk assessment helps guide and improve the organization's risk structure. If threats are not detailed properly, you are probably not considering a wide enough scope for your mitigating controls.
For example, if you are only considering a couple of threats such as "malware" or "ransomware," the scope of remediation and controls to consider within the risk assessment is likely to be limited to controls that mitigate those threats, such as your anti-virus, firewall, etc. While those are important threats to consider, your IT risk assessment should have a comprehensive list of all types of threats. A more detailed listing that also covers other attack vectors, whether more physical in nature (such as theft) or aimed at the system through your employees (such as social engineering or phishing), can really broaden that scope so that the risk assessment doesn't have such a limited focus.
Controls
When considering a larger threat pool, it is much easier to detail controls for the mitigation of those threats. Even more, if your IT risk assessment is detailed enough, it can more easily be used to identify controls to implement in the future in an effort to constantly improve your risk exposure. It's one thing to identify the controls that are currently implemented (included controls); it's another to be able to identify those controls as well as the controls you don't have implemented (excluded controls), while also being able to identify additional controls to implement in the future for assets that you feel need more risk reduction (future controls).
As an ISO/CISO, if you were to bring your IT risk assessment to the board of directors, and the board were to ask you what the plans were to address the risk identified in your risk assessment, you should have an answer. Perhaps that answer is that the implementation of a SIEM was added to your strategic plan as a way to mitigate risk for assets on your network, addressing an overexposure of risk for workstations and servers. Perhaps your answer is more complex, and your mitigation plan includes a listing of smaller controls, such as enforcing strong passwords on your most critical IT asset, reviewing activity and access logs on workstations, or enabling a session expiration on an important software application.
Either way, being able to identify what you are not doing and what you would like to do is especially important when determining the next steps for risk mitigation or resolving security issues with your network. Figuring out what to do next becomes more difficult when your IT risk assessment only includes the controls you currently implement.
Risk Mitigation Strategy
One of the most important uses of an IT risk assessment is to constantly improve your security posture and identify where your biggest weaknesses lie. If one piece of your IT risk assessment truly helps you make decisions, it's your risk mitigation strategy. Establishing your risk mitigation strategy allows you to set goals for the organization, setting an expected mitigation percentage for your IT assets based on the importance of the asset (Protection Profile).
For example, looking to mitigate as much risk for a printer as you would for the system that stores your most confidential customer information would not make a whole lot of sense. The system that stores your confidential customer information will certainly have a much higher Protection Profile, thus requiring more mitigation.
The way an organization sets up its risk mitigation strategy can help establish continual improvement of your overall security posture, as well as a strong method for weeding out insecure assets. If you're looking at a new IT asset you'd like to implement, but during your preliminary review and risk assessment you find the asset is not mitigating nearly enough risk to be compliant with your mitigation strategy, you now have two options:
- You can disqualify that asset, deeming its risk mitigation inadequate to be used as part of the organization.
- You can discuss additional controls that would be possible to implement in order to bring that asset to an acceptable level of risk, which can sometimes be done through proper administrative setup, such as password protection, logging, session expiration, etc.
With either option, you would have been able to prevent an improperly secured asset from being added to the network.
Being able to identify your risk and identify improvements, whether that is for one stand-out asset or across multiple assets, is incredibly valuable. An organization should always know what their next focus is when it comes to IT risk mitigation. Once you get past the major risk outliers, how do you determine what that focus might be?
Remaining or Residual Risk
Assets that retain the most residual risk are going to be the riskiest assets at the time of completing your risk assessment, giving you a great target for further mitigation. While assets with a high inherent risk score are important, those assets may already have a significant number of controls implemented, substantially reducing their residual risk. This makes the inherent risk score a less valuable metric when determining where to focus your funds on mitigation.
This type of information can also be a great focus when discussing the results of your risk assessment with your board of directors or senior management. Intricate data on threats and controls may be difficult to understand for people outside of the IT/cybersecurity world, but remaining (residual) risk can be understood by anyone.
Additionally, determining the percent of risk mitigated from inherent risk to residual risk can also help your organization quickly understand how much risk has been mitigated for an IT asset. You can also then determine if the risk mitigation percentage for an IT asset is acceptable based on the risk mitigation strategy described above.
When asked how to interpret the risk assessment, focus on the Protection Profile (importance of an IT asset), residual risk score (how much risk remains after controls), and the percent of risk mitigated. These three metrics will help you determine where you should spend your next risk mitigation dollar(s), especially when it comes to proper budgeting and strategy. To ensure the resources are available, the board/senior management is going to need to understand your reasoning so that funds are spent wisely.
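The following is an added worked example, not SBS's tool or any code from the original article, that ties together the Controls, Risk Mitigation Strategy, and Remaining or Residual Risk sections above. It models each asset with a Protection Profile, a threat list, and controls tagged as included, excluded, or future; computes inherent risk, residual risk after included controls, and the percent of risk mitigated; checks the result against a per-Protection-Profile mitigation target; and projects what the not-yet-implemented controls would add. The 1-5 likelihood/impact scale, the per-control reduction fractions, the mitigation targets, and the three sample assets are all constructed assumptions for illustration.

```python
"""Constructed example of inherent vs. residual risk scoring and a
mitigation-strategy check. Not SBS's risk assessment tool; every scale,
weight, asset and threat value here is an assumption for illustration."""
from dataclasses import dataclass

# Assumed mitigation strategy: minimum share of inherent risk that must be
# mitigated, set per Protection Profile (higher profile, higher expectation).
MITIGATION_TARGETS = {"high": 0.75, "medium": 0.60, "low": 0.40}
ALL_STATUSES = ("included", "excluded", "future")


@dataclass
class Threat:
    name: str
    likelihood: int  # 1..5, constructed scale
    impact: int      # 1..5, constructed scale

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Control:
    name: str
    mitigates: frozenset     # names of the threats this control addresses
    reduction: float         # assumed fraction of the threat's risk removed (0..1)
    status: str = "included"  # "included" | "excluded" | "future"


@dataclass
class Asset:
    name: str
    protection_profile: str  # "high" | "medium" | "low"
    threats: list
    controls: list


def inherent_risk(asset: Asset) -> float:
    """Risk before any controls: sum of likelihood x impact over all threats."""
    return float(sum(t.inherent for t in asset.threats))


def residual_risk(asset: Asset, statuses=("included",)) -> float:
    """Risk left after the controls whose status is in `statuses`.
    Several controls on one threat compound multiplicatively, so two 50%
    controls leave 25% of the threat, not 0%."""
    total = 0.0
    for t in asset.threats:
        remaining = 1.0
        for c in asset.controls:
            if c.status in statuses and t.name in c.mitigates:
                remaining *= 1.0 - c.reduction
        total += t.inherent * remaining
    return total


def percent_mitigated(asset: Asset, statuses=("included",)) -> float:
    """Share of inherent risk removed, as a fraction 0..1."""
    inh = inherent_risk(asset)
    return 0.0 if inh == 0 else (inh - residual_risk(asset, statuses)) / inh


def strategy_check(asset: Asset) -> dict:
    """Compare current mitigation with the target for the asset's Protection
    Profile, and project the result if excluded and future controls were
    implemented (the 'what are you not doing' answer for the board)."""
    current = percent_mitigated(asset)
    target = MITIGATION_TARGETS[asset.protection_profile]
    return {
        "asset": asset.name,
        "profile": asset.protection_profile,
        "inherent": inherent_risk(asset),
        "residual": residual_risk(asset),
        "percent_mitigated": current,
        "target": target,
        "meets_strategy": current >= target,
        "projected_if_all_implemented": percent_mitigated(asset, ALL_STATUSES),
        "not_implemented": [c.name for c in asset.controls if c.status != "included"],
    }


def rank_by(assets, score) -> list:
    """Asset names ordered from highest to lowest score (e.g. residual_risk)."""
    return [a.name for a in sorted(assets, key=score, reverse=True)]


# Constructed sample inventory (names, scores and controls are invented).
ASSETS = [
    Asset("core-banking-server", "high",
          [Threat("ransomware", 4, 5), Threat("phishing", 4, 4), Threat("theft", 2, 5)],
          [Control("endpoint anti-malware", frozenset({"ransomware"}), 0.5),
           Control("offline backups", frozenset({"ransomware"}), 0.6),
           Control("security awareness training", frozenset({"phishing"}), 0.5),
           Control("multi-factor authentication", frozenset({"phishing"}), 0.5),
           Control("physical access control", frozenset({"theft"}), 0.7),
           Control("SIEM log review", frozenset({"ransomware", "phishing"}), 0.3, "future")]),
    Asset("teller-workstation", "medium",
          [Threat("ransomware", 4, 4), Threat("phishing", 5, 3), Threat("theft", 3, 3)],
          [Control("endpoint anti-malware", frozenset({"ransomware"}), 0.5),
           Control("security awareness training", frozenset({"phishing"}), 0.5, "excluded"),
           Control("physical access control", frozenset({"theft"}), 0.7, "excluded"),
           Control("SIEM log review", frozenset({"ransomware", "phishing"}), 0.3, "future")]),
    Asset("printer", "low",
          [Threat("theft", 2, 2), Threat("malware", 2, 2)],
          [Control("network segmentation", frozenset({"malware"}), 0.5),
           Control("locked print room", frozenset({"theft"}), 0.5)]),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(strategy_check(a))
    print("ranked by inherent risk:", rank_by(ASSETS, inherent_risk))
    print("ranked by residual risk:", rank_by(ASSETS, residual_risk))
```

Running it shows the point the Residual Risk section makes: the core banking server has the highest inherent risk (46) but, with its included controls, only 11 residual and about 76% mitigated, which meets the assumed 75% target for a high Protection Profile. The teller workstation has lower inherent risk (40) but 32 residual and only 20% mitigated, so it fails its 60% target and moves to the top of the residual-risk ranking; implementing its excluded and future controls would project to about 66% mitigated, which is the kind of answer the board would expect.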