Tanner

Information security risk assessments

First, it is important to recognize that a risk assessment can be conducted at the business level or for a specific category, such as information security. This document speaks specifically to the information security category, although we recommend that everyone also conduct an overall business risk assessment.

A risk assessment begins with identifying your valuable business assets and the unwanted events that might affect them. For example, you might be using a server to host a web page that sells your products. If over 10% of your gross business profits flow through the website, we would consider the server to be a valuable business asset. Events that might negatively affect the server and interrupt the flow of business revenue include natural disasters, theft, hacking or malware, and insider threats (malicious or accidental).

A risk assessment also looks at how likely unwanted events are to occur, and recommends defensive actions based on that likelihood. For example, if an earthquake will destroy the example server about once every 500 years, guarding against that destruction might not be a high priority. However, if a hacker is expected to render the example server inoperable once every six months (on average), guarding against hackers becomes a much higher priority.

A risk assessment is normally performed because businesses have limited resources, both time and money. Because guarding against all risk is generally cost-prohibitive, it is important to prioritize efforts toward the risks that are most likely, most costly, and most disruptive to business operations. Therefore, the main purpose of a risk assessment is to develop a list of mitigation priorities that match your business’s budget and resource availability.

What Kinds of Risk Assessments Are There?

Risk assessments usually only differ by scope, or how many areas the risk assessment covers. A general information security risk assessment is designed to assess how mature your security controls are compared to common industry frameworks such as CIS Top 18 or NIST CSF. Risk assessments can also be conducted for targeted areas, such as for business continuity / disaster recovery, and are generally designed to assess how much risk exists considering currently applied security controls. Targeted risk assessments may also be conducted when it is doubtful risk has been considered for all in-scope systems.

Security audits are different from risk assessments. A risk assessment evaluates security controls applied to reduce risk. A security audit is a risk assessment with additional effort added to confirm applied security controls are operating as intended. This additional effort offers the highest assurance that appropriate security is in place for protecting assets and reducing risk.

Security certifications are different from risk assessments. Certifications are sponsored by various organizations, and always involve some form of independent security audit to verify compliance with the sponsor’s security framework. The security audit is followed by the auditor reporting the results to the sponsoring organization in an approved format to finalize the certification process. Security certifications are used in many industries to recognize that a business has reached a standard for information security that the parties relying on the certification do not need to re-verify themselves. A popular example of a security certification is a SOC 2 Type 2 certification, which is used to verify that data center operations are using best-practice security controls.

How Do I Perform a Risk Assessment?

Risk assessments may be conducted by internal resources, or they may be contracted to an external evaluator. If a partner organization is asking about the results of your most recent risk assessment, they are much more likely to be satisfied with an external evaluation than an internal one. We recommend organizations begin by conducting internal risk assessments, then contract an external evaluator to confirm the accuracy of those results by performing an independent assessment.

Conducting a risk assessment follows basic auditing steps:

  1. Establish the scope of the evaluation.
  2. Ensure all assets and resources that are within scope are identified and considered.
  3. Identify all assets above a pre-determined threshold for business importance. (Most organizations recognize their assets are interconnected and choose to review security controls for all assets within a given scope.)
  4. Identify security controls protecting in-scope assets.
  5. Identify possible threats to in-scope assets.
  6. Determine the probability a threat will result in a risk being realized (also considering current security controls that are functioning properly).
  7. Use the value of the resource(s) and the threat probability to determine the risk to the resource(s).

Note that using a security framework for reference while conducting a risk assessment can be very helpful to ensure key elements of security are not missed.
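A small worked example of the asset-scoring steps in the list above, added here and not part of the original page: asset values, control effectiveness and threat frequencies are constructed for illustration, and risk is scored as asset value multiplied by the residual annual event frequency after controls.

```python
"""Added example (not from the original page): a minimal risk register that
follows the assessment steps above, using constructed sample values.

Risk is scored as annualized loss expectancy: asset value at risk per event
multiplied by the expected number of events per year, after accounting for
controls that reduce that frequency.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: float  # business value at risk per incident, in currency units
    # threat name -> fraction of events the current controls prevent (0.0 to 1.0)
    controls: dict = field(default_factory=dict)


@dataclass
class Threat:
    name: str
    events_per_year: float  # expected frequency with no controls in place


def annual_risk(asset, threat):
    """Residual annual risk = value x frequency x (1 - control effectiveness)."""
    effectiveness = asset.controls.get(threat.name, 0.0)
    residual_rate = threat.events_per_year * (1.0 - effectiveness)
    return asset.value * residual_rate


def prioritize(assets, threats, value_threshold):
    """Keep assets above the importance threshold, score every asset/threat
    pair, and return (asset, threat, annual_risk) rows from highest to lowest."""
    in_scope = [a for a in assets if a.value >= value_threshold]
    scored = [(a.name, t.name, annual_risk(a, t)) for a in in_scope for t in threats]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample: the web server from the example above, plus a low-value kiosk.
ASSETS = [
    Asset("web-server", value=200_000.0, controls={"hacker": 0.5}),
    Asset("lobby-kiosk", value=500.0),
]
THREATS = [
    Threat("earthquake", events_per_year=1 / 500),  # about once every 500 years
    Threat("hacker", events_per_year=2.0),          # about once every six months
]

if __name__ == "__main__":
    for asset, threat, risk in prioritize(ASSETS, THREATS, value_threshold=10_000.0):
        print(f"{asset:12s} {threat:12s} {risk:12.2f}")
```

The sorted output is the mitigation priority list the text describes: the hacker threat to the web server ranks far above the earthquake, and the kiosk falls below the importance threshold and is not scored.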

How Do I Use a Risk Assessment?

Risk assessments are used for a variety of purposes:

  1. Continuous Improvement: Most people recognize the pace of technology change in today’s environment remains high. With the ever-growing list of vulnerabilities and the ever-changing list of threats in the marketplace, risk assessments can be an important opportunity to evaluate how a security team is doing, and to identify what the next steps for maintaining good security need to be.
  2. Regulatory Compliance: Many industries are regulated or contractually obligated to maintain good security. Examples include: businesses that take credit cards (PCI), healthcare and health insurance industries (HIPAA), businesses that deal in personally identifiable information (PII/Privacy law), and many others. A risk assessment or security audit is often required to maintain compliance with current requirements.
  3. Partner Verification: Companies are realizing their security doesn’t just depend on their own efforts, but also on the efforts of their partners. The demand for partner-to-partner security verification has grown exponentially in the last 5 years. Many partners will require some assurance your security controls are appropriate before sharing sensitive data or providing access to sensitive systems. A comprehensive independent risk assessment can satisfy this need. You can also take the next step and obtain a security certification such as ISO 27001, SOC 2, HITRUST, or CMMC.

Risk assessments and security audits are an essential tool in today’s marketplace. Whether you are using this tool for peace of mind that your security is adequate, or have found that a certification is a prerequisite for doing business in a particular sector, there are many reasons to verify you have all the right pieces in place to defend the high-risk areas of your business.