Skip to main content

Resources

How To: Use Your Risk Assessment(s) to Make Better Decisions

How To: Use Your Risk Assessment(s) to Make Better Decisions

When “risk assessment” is mentioned to IT or Information Security folks, IT Risk Assessment is typically the first thing that comes to mind. Probably because IT Risk Assessment has been around the longest, at least from a regulatory-guidance perspective.


As important and measurable as the IT Risk Assessment can be, it is only part of the equation when it comes to assessing risk at your organization. Relying solely on a very granular, asset-based risk assessment to make decisions for your entire organization is not practical or logical. In fact, back in 2002, NIST published SP 800-30 - Risk Management Guide for Information Technology Systems, which shows that different tiers of risk assessments are necessary for organizations to understand different types of interconnected risk. The tiers range from the foundational, granular IT Risk Assessment (“Information System” in the below chart), to the departmental Mission/Business Process Risk Assessment, then the strategic Organizational Risk Assessment.


NIST SP 800-30 defined different tiers of interdependent risk assessments as follows:

NIST Risk Management Tiers
Figure 1 – NIST SP 800-30 on Risk Management Tiers


As risk management has evolved since 2002, the Tier 2 – Mission/Business Process level is now typically split out into two separate, functional areas to go along with IT Risk Assessment and Organizational Risk Assessment, as seen here:

Modern Risk Management Tiers
Figure 2 – Modern IS Risk Management Tiers (SBS)

 

How Do These Risk Assessments Work Together?

The IT Risk Assessment is the foundational, tactical, day-to-day operational risk assessment that takes a very deep dive into controls associated with very specific IT systems and assets. An organization must understand what it has, how those IT assets are being protected, and where the organization’s next information security dollar should be spent. IT Risk Assessment is risk assessment’s deepest dive and should look at numerous different types of controls, including asset-specific controls, network controls, physical controls, and organizational controls.


IT Risk Assessment then feeds the Vendor Risk Assessment, as our vendors not only represent risk themselves but also provide your IT systems and assets; likely hosting many of those IT systems and assets for your organization today. It’s important not only to rate your vendors on the health of their organizations but also on the IT systems and assets they provide to you. In many cases, if the vendor is hosting these IT assets on your behalf, they will have the ability and responsibility to implement risk-mitigating controls moreso than you.


IT Risk Assessment and Vendor Risk Assessment then roll up into the Business Impact Analysis (BIA). The BIA is a business-process risk assessment designed to help your organization understand the importance and recovery priority for each of your business processes. But to have a functional business process, your organization will require specific IT assets and the vendors that are providing you with those IT assets and services. Most business processes are dependent on specific IT assets, vendors, and sometimes other business processes being restored before that particular business process can regain functionality.


The top tier of risk assessment is the Organizational Risk Assessment. An Organizational Risk Assessment evaluates the entire organization from the top-down, based on the products and services the organization offers to clients or uses to perform business functions. Numerous Organizational Risk Management frameworks have been developed and are used for different industries, including the FFIEC Cybersecurity Assessment Tool (financial institutions), NIST Cybersecurity Framework (government), ISO 27001/2 (manufacturing), NIST 800-53, NIST 800-171 (Department of Defense contractors), HIPAA (healthcare), PCI Data Security Standard, CIS Top 20 Critical Security Controls, and the new FSSCC Cybersecurity Profile (financial institutions).


All four risk assessments must work in conjunction to build a strong Information Security Program at your organization. Each risk assessment is going to provide distinct, unique value while each being interconnected with one another.


But to properly risk assess ANYTHING, you must start with an ASSET (an “asset” can be an IT asset, vendor, business process, or organization) to which you apply controls. Then you measure how important that asset is to your business, how risky the thing can be, and how you protect the thing.


Asset-based risk management has been around and effective for a long while in the world of information security for a good reason; it’s the only way you can truly measure risk at your organization.

 

A Framework for IT/IS Risk Management

The purpose of performing a risk assessment of any sort is to make better decisions. Whatever you’re assessing, whether it’s a loan, a vendor, and IT asset, or telling your spouse that the way he or she loads the dishwasher is, in fact, incorrect… you’re assessing risk to make the best decision.


A risk assessment that is designed simply to meet regulatory compliance or check-the-box will forever be an exercise in futility. If you only update your risk assessment when your auditors or examiners are about to arrive onsite, or the risk scores are merely adjusted to change a few “highs” to “mediums” or “mediums” to “lows,” then you’re likely wasting time and effort.


If, however, your risk assessment can truly help you to make better decisions, then you’ve got something of real value.


So, if that’s the case, and mitigating your risk is all about making better decisions, how do you make better decisions regarding IT or IS risk? Is there a formula or a methodology that not just super-technical people can understand? GOOD NEWS: there sure is. Here’s what a valuable IT Risk Assessment framework looks like:

IT Risk Aassessment Residual Risk

Figure 3 – Risk Management Framework


For a deep-dive into how to use this risk management formula to quantify your IT risk, including the details of measuring Protection Profile, Threats, Inherent Risk, and Residual Risk, check out our previous article How to Build a Better IT Risk Assessment here.


For now, however, we’re going to focus on an asset-based risk assessment and what it gets RIGHT.

 

Know What You Have to Protect

In the world of Information Security, our #1 priority is to protect confidential customer information. You cannot, however, protect customer information if you don’t know where that information is stored, transmitted, or processed. So where do you start with risk assessment? The answer is: an IT asset.


Why start with an IT asset? Because risk-mitigating controls are applied to IT Assets, not to threats or types of information. For example, you can’t pull information out of the air and give it a password. You must set password standards on each of your IT assets –firewalls, workstations, servers, phones, etc.


Therefore, you must first identify your IT assets and how important those assets are to your organization. We like to call this “importance” rating a Protection Profile. Performing a valuable IT Risk Assessment is impossible if you don’t know what you’re protecting in the first place.


An asset-based approach to IT Risk Assessment isn’t a novel concept or a recent invention. This approach to IT Risk Assessment has been around for quite some time, starting with NIST 800-30 back in 2002, and having been adopted by ISO 27001, ISACA, and the FFIEC. In fact, the FFIEC’s IT Management Handbook is essentially dedicated to helping financial institutions perform an asset-based IT Risk Assessment.


When starting at the IT asset level, it’s important to understand two things:

  1. How do you define your IT assets?
  2. How important are each of your IT assets?

 

Defining Your IT Assets

The quick definition of an IT asset is something that stores, transmits, or processes confidential customer information. However, an IT asset doesn’t have to be limited to a singular component of IT hardware; an IT asset can be a combination of hardware, operating system/firmware, and software (application) in some cases.

IT Risk Assessment Asset Components
Figure 4 – IT Risk Assessment Asset Components


In some cases, an IT asset may only be one of these components (typically an application); however, an IT asset may encompass two components (a computer plus an operating system) or all three components (what we’d call a “system”).


Take for example an Internet Banking System. There’s not a single hardware component that defines an Internet Banking System; it’s a combination of hardware, software, and data. Sure, you could break each of them down granularly and assess each individual component, but if they are each separate and independent, they are not an Internet Banking System. It’s important to assess these interdependent assets together into an IT asset that you can reasonably evaluate risk.


Similarly, a user workstation is a combination of an operating system and computer hardware. Each of those two things cannot exist in the same capacity without one another. Why not assess them together?


Regardless of how you define your IT assets, the most important factor to an IT Risk Assessment is consistency. Make sure to document how your organization defines an IT asset, as well as what is considered when assessing an IT asset. These definitions will build consistency into how IT assets are assessed, especially if additional employees or departments are involved in the risk assessment process.

 

Understanding Your Most Important IT Assets

Now that we’ve defined what an IT asset can be, let’s talk about how you go about understanding which IT assets are most important. Here’s where Protection Profile comes into play.


The goal of the Protection Profile is to determine how important an IT asset is to your organization based on the information it stores, transmits, and processes. The Protection Profile for each asset can be calculated based on four (4) ratings: Confidentiality, Integrity, Availability, and Volume (otherwise referred to as “CIAV”). Each of these four ratings should be assigned a numeric value representative of its importance; for example, you might use a three-tier system: High (3), Medium (2), or Low (1), to value each of these four ratings for an IT asset.


Once you have a quantifiable score for each of the CIAV fields, you will be able to calculate a Protection Profile by adding up these four assigned values. All four values being “High” would give the IT asset a Protection Profile of 12 (most important), and all four values being “Low” would result in a Protection Profile of 4 (least important). This methodology allows you to essentially turn an apples-and-oranges comparison (core banking system vs. file cabinets) into an apples-to-apples comparison.


Once again, please check out our previous article “How to Build a Better IT Risk Assessment” on a deeper dive into defining the CIAV: https://sbscyber.com/resources/article-how-to-build-a-better-it-risk-assessment

 

Mitigating Your IT Risk

An IT Risk Assessment shouldn’t simply look at logical, IT asset-specific controls, however. Viewing IT risk through the lens of only the controls that may be implemented on that lone asset will not provide a full picture of the risk associated with that asset throughout your organization. Instead, taking a holistic approach to controls is more practical.


Controls that mitigate risk to an IT asset can be broken down into six (6) categories and grouped into three (3) groups:

Risk Mitigation Control Groups

Figure 5 – Risk-Mitigating Control Groups


Controls Group 1 is representative of risk-mitigating controls that are applied globally at an organization. This Group includes Organizational controls, Vendor controls, and Network controls.

  • Organizational controls typically represent governance-type risk-mitigating controls that are applied organization-wide and mitigate risk to specific IT assets. Examples of Organizational controls include security awareness training, business continuity or incident response plans and testing, acceptable use policies, asset inventory, clear desk awareness, and more.
  • Vendor controls include any controls implemented by the vendor to mitigate risk to specific IT asset.
  • Network controls include technical or logistical controls that are implemented globally as well, including ingress or egress firewalls, SIEM, DLP, DMARC, application whitelisting, intrusion detection or prevention, vulnerability assessments, penetration testing, and more.


Controls Group 2 gets a bit narrower and covers Hardware/Physical controls and Operating System specific controls.

  • Hardware/Physical controls include controls that can be applied to an IT asset if the asset you’re assessing has a physical component, such as a server or a workstation. Not everything assessed in an IT Risk Assessment has a physical component anymore, such as applications, so that’s an important distinction.
  • Operating System controls are also in Group 2, which can include Active Directory-related controls, Windows updates and patches, access time restrictions, and more.


Controls Group 3 covers the Application (Asset-specific) controls. Applications can exist without hardware (e.g., you access those apps from the Internet, and applications are portable from one physical IT asset to another), so this control group considers the controls that only apply to the application itself, not the organization, hardware, or operating system.

  • Application controls will likely make up the bulk of your IT Risk Assessment controls and include all the usual suspects, such as data backups, strong passwords, user access restrictions, multi-factor authentication, logging and monitoring, and many more.


Considering controls from all three groups helps your organization not only assess the application/asset specific risk, but the risk that the asset poses to the entire organization. There will be cases where certain groups of controls do not apply to specific types of assets. For example, Network, Hardware, and Operating System controls will not apply to a web-based Application. However, those control groups would apply to a Server hosted within your premises.


IT assets don’t exist in a vacuum, and neither should the way you look at the risk of those assets.

 

Included Controls vs. Excluded Controls

Perhaps the biggest secret of IT Risk Assessment is understanding not only the controls that your organization has implemented to mitigate risk, but also the controls that you COULD but are NOT implementing to mitigate additional risk. If you only look at the things you’re doing to mitigate risk, how do you quantify how much risk you’ve mitigated?


To truly understand both your Residual Risk (the risk that remains after implementing mitigating controls) and what you should do next, you need to know what else you can do to mitigate additional risk. The good news is there are a ton of resources you can use to identify the risk-mitigating controls you’ve not previously considered, including FFIEC Cybersecurity Assessment Tool (CAT), FFIEC Booklets, NIST 800-53, NIST Cybersecurity Framework, and the CIS Top 20.

 

Risk Assessment = Make Decisions

The goal of any risk assessment is to make better decisions. So how do you make better decisions based on the IT Risk Assessment?


First and foremost, your IT Risk Assessment must be measurable. You need to understand how important the IT assets you have are to your organization, as well as the Inherent Risk of your IT assets. Then, you have to determine how much Residual Risk you’re actually mitigating, as we talked about in the Included Controls vs. Excluded Controls section. Once you understand how much risk you have and how much risk you’re mitigating, you can start to set goals around the percentage of risk you’re mitigating.


Determining your acceptable levels of risk (Risk Mitigation) will help you not only to determine which IT assets are meeting risk goals, but what else you should be doing to mitigate risk around those IT assets AND where you should spend your next Information Security dollar.


Figure 6 – Example of IT Risk Assessment Goals and Risk Mitigation


Most IT Risk Assessments don’t close the loop on the risk management process by helping you understand what to do next, i.e. make decisions. If your IT Risk Assessment doesn’t help you to continuously improve security maturity or make decisions, then you’re merely checking the risk assessment box to appease regulators and not using your risk assessment(s) to improve your organization.


That is what an asset-based risk assessment gets RIGHT!



Written by:
Jon Waldman
Partner, EVP of Information Security Consulting - SBS CyberSecurity, LLC

 


SBS Resources:

  • TRAC is our integrated cybersecurity risk management solution developed to simplify cybersecurity risk management and assist users with tackling their cybersecurity challenges with ease. It automates the tedious risk assessment process and produces customized results that align with regulation, best practices, and your strategic goals. Learn more about how TRAC can help you make more informed security decisions.
  • {Article} How to Build a Better IT Risk Assessment: A comprehensive, measurable, and repeatable IT Risk Assessment should be used to help an organization make better decisions. Without a detailed framework, any money spent on information security is akin to throwing darts at a board. Read More
  • {Blog} Risk Assessment: Qualitative vs Quantitative: Qualitative or Quantitative? The risk assessment methodology you use should depend on what you are trying to measure and what outcomes you’d like to see from that measurement. Read More

 

Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.

Certified Banking Business Security Manager   Certified Banking Security Technology Professional


Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Monday, March 4, 2019
Categories: Blog