How to Conduct an Information Security Risk Assessment

What is an Information Security Risk Assessment?

Risk assessments are not only vital, but also government-mandated for organizations that store information technologically. Risk management is especially critical for organizations that hold sensitive information and data, such as medical, law enforcement, financial and commercial-oriented organizations, and for anyone maintaining private, personal information whose loss could compromise their confidentiality, integrity and assets. By identifying vulnerabilities and threats to its systems, an information security risk assessment gives the organization a rating of how secure its information is and, through a risk equation, suggests how to improve that security.

Who Is Involved?

Typically, risk management and assessment fall under an organization’s IT department or the process owners, those who are in charge of the process under inspection. The system administrator, the technical reviewer, the system technical owner, the risk assessment manager and the information security officer are all involved at different stages in the process. Management often gets involved since they are technically the risk owner, and thus have a stake in the information maintained by the system and must pay for any solutions to the issues.

Steps To Implementation

While risk assessment and management entail a continuous process of vigilance to maintain the best possible security for an organization’s information, there are several approaches that follow roughly the same procedure. However, no two risk assessments proceed in exactly the same way, since each organization differs in the scale and kind of data it maintains and the technology it uses.


An information security risk assessment begins with a definition, or set of boundaries, for the system being addressed and the information it maintains: what are the system’s function, physical components, location, applications, supporting processes, environment, users and accounts? What kind of information does it maintain? It helps to prioritize the information handled by the system by sensitivity to get the best idea of the potential threats posed to it.

Risk Assessment

The meat of the process is in this stage, which identifies:

  1. Vulnerabilities, or weak parts in the system that could be exploited or even unintentionally create a threat.
  2. Threats, which system weaknesses make possible. They can come from malicious sources, the environment, technical malfunctions, user error, faulty software, unauthorized access, misuse of information, data loss and so on.
  3. Consequences of each identified vulnerability and threat and their severity based on the information under threat.
  4. Likelihood that a threat will occur in the future, both before and after more security measures are in place.
  5. Controls currently in place to strengthen the system against vulnerabilities and threats. Controls can look like user authentication, encrypted data and firewalls.

Essentially, risk comes down to a system’s combination of the above factors and their relation to each other. Each vulnerability can present numerous threats of varying magnitudes to the organization, all of which must be investigated in a thorough assessment. A system’s capabilities and maintained information will determine the severity of a threat. A small consequence could lead to minor repairs and perhaps some embarrassment on the organization’s part, but severe consequences could mean a damaged reputation and lost or compromised data and resources.
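The five items above can be kept as a small risk register. The sketch below is an added example, not part of the original article: the 1-5 scales, the likelihood times consequence score and the band thresholds are assumptions chosen for illustration, and the register entries are constructed.

```python
from dataclasses import dataclass

# Assumed scheme: 1-5 ordinal scales and these band floors are illustrative,
# not taken from the article or from any named framework.
BANDS = ((15, "high"), (8, "medium"), (1, "low"))

@dataclass(frozen=True)
class Risk:
    vulnerability: str
    threat: str
    consequence: int        # 1 = minor repairs .. 5 = lost or compromised data
    likelihood_before: int  # 1-5, with no further measures in place
    likelihood_after: int   # 1-5, once the listed controls are in place
    controls: tuple = ()

    def __post_init__(self):
        for name in ("consequence", "likelihood_before", "likelihood_after"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1-5 for {self.vulnerability!r}")
        if self.likelihood_after > self.likelihood_before:
            raise ValueError("controls should not raise likelihood")
        if not self.controls and self.likelihood_after != self.likelihood_before:
            raise ValueError("likelihood cannot drop without a control")

    def score(self, after_controls):
        likelihood = self.likelihood_after if after_controls else self.likelihood_before
        return likelihood * self.consequence

def band(score):
    return next(label for floor, label in BANDS if score >= floor)

def assess(register):
    """Rows ordered by residual score, then inherent score, highest first."""
    ordered = sorted(register, key=lambda r: (r.score(True), r.score(False)), reverse=True)
    return [(r.vulnerability, r.threat, band(r.score(False)), band(r.score(True)),
             "needs control" if not r.controls else ", ".join(r.controls))
            for r in ordered]

# Constructed sample register (not real assessment data).
REGISTER = [
    Risk("unpatched server software", "software breach", 5, 4, 2, ("patching", "firewall")),
    Risk("shared administrator account", "unauthorized access", 4, 3, 1, ("user authentication",)),
    Risk("no backup of records", "data loss", 5, 3, 3),
    Risk("unclear handling policy", "user error", 2, 4, 2, ("revised employee policy",)),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(" | ".join(row))
```

Sorting on the score after controls puts the entry with no control at the top even though another entry scores higher before controls, which is the ordering a mitigation plan needs.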

Risk Mitigation

The goal of any risk assessment is to suggest updates or new security features that help prevent vulnerabilities and threats in the future, especially ones with larger consequences. Recommendations may include updating current controls and patching the system to prevent malicious attacks and software breaches, insuring valuable information in case of loss, and revising employee policies to include new measures to avoid unintentional threats within the organization.

Different Frameworks & Approaches

According to TechTarget, frameworks defining what is assessed and the criteria for grading a system may rely on quantitative and qualitative analyses that either seek to give all factors a numeric score that influences the kinds of mitigation suggested, or describe the significance or impact and the necessary security measures.

Though the approaches may be similar, they depend on distinct definitions to help guide their assessments and results. OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) is the most well-known approach; however, it is biased toward information as an asset. OCTAVE is useful because it provides helpful templates for documenting each stage of the risk assessment. NIST, on the other hand, uses a more vague definition of an asset, meaning the system, other technology and even people can be deemed assets. NIST is more straightforward and focused, ideal for organizations running a risk assessment for the first time. ISACA’s RISK IT and COBIT are well-rounded assessment methods, while ISO 27005:2008 focuses on security alone.

The Value Of Assessing Information Security Risk

Risk assessment not only meets government regulations on organizations with such systems in place; it also brings management into the processes and significance of the IT team and the system itself, giving the IT team justification for security spending by validating the potential for risk each time. By making the business side of the organization more aware, IT has the opportunity to prove its own worth and the worth of the system and information it maintains.
