ZenGRC

Simply Powerful GRC

ZenGRC Team

What is an Internal Penetration Test and How Are They Done?

· ·

What Is an Internal Penetration Test, and How Is it Done?

A famous 2011 article by security adviser Roger Grimes is intriguingly titled, To beat hackers, you have to think like them. In the article, Grimes explains that IT security professionals must view IT systems through the eyes of hackers — and search for ways to break into these systems, identify weaknesses, and create robust security measures.

That is precisely what penetration testing is all about.

What Is Penetration Testing?

Understanding penetration testing and the value it provides is crucial to your overall risk management strategy. Unlike traditional defensive cybersecurity strategies, which focus on remediating a security event and mitigating its harm, “pen testing” is an offensive security testing strategy focusing on prevention.

Penetration tests differ from a vulnerability scan, an automated, high-level security vulnerability assessment to identify known vulnerabilities, a lack of security controls, and common misconfiguration errors.

A penetration test (pen test) is also known as a white hat attack or ethical hacking. It is performed by a skilled penetration tester using detailed, hands-on, manual testing techniques and tools to simulate a cyber-attack. Testers explore the target system and its applications, devices, services, and user behaviors to identify vulnerabilities and security flaws.

A pen tester investigates the potential effects of these flaws on the network and, ultimately, on the organization. The tester may also:

  • Discover security policy errors
  • Ascertain weaknesses in vulnerability identification processes and security controls
  • Review security awareness in the organization.
  • Identify compliance issues related to relevant industry standards or regulations, such as HIPAA, PCI DSS, or GDPR

The goal is to identify security weaknesses or vulnerabilities that a threat actor, cybercriminal, or data thief could exploit to compromise the system, disrupt operations, demand a ransom, or steal sensitive data. The tester may leverage some of these methods:

  • Social engineering to convince an insider to reveal sensitive information such as login credentials
  • Send phishing emails to access critical accounts or test employees’ security awareness
  • Use stolen or unencrypted passwords to access sensitive systems or data

At the end of a pen test, the tester prepares a detailed report, which allows security teams and network administrators to understand and remediate the identified vulnerabilities and exploits.

Who Performs Pen Tests?

Penetration testing is performed by ethical hackers who methodically compromise systems to uncover security vulnerabilities before cybercriminals can exploit them. Skilled penetration testers simulate real-world attacks to validate an organization’s cybersecurity posture.

External security consultants are often leveraged to perform objective penetration tests. Third-party ethical hackers bring fresh perspectives since they are not biased by internal assumptions. Their outside vantage point helps expose overlooked risks and security gaps in networks, applications, APIs, and endpoints.

For internal pen tests, organizations build dedicated red teams. Their insider knowledge helps create accurate threat models to assess risks. However, internal teams can overlook vulnerabilities that outside testers may catch.

The most skilled penetration testers think creatively and adapt on the fly. They stay up-to-date on the latest techniques and tradecraft. With curiosity, persistence, and drive, experienced professionals and self-taught hackers can become standout ethical hackers.

What Are the Different Types of Penetration Tests?

There are many types of pen testing based on the system being tested.

Network Pen Tests

The ethical hacker tests network security by hacking into the network via various attack vectors such as:

  • Phishing emails
  • Third-party software
  • Password guessing

Network pen tests can be done locally or remotely.

Hardware Pen Tests

The tester exploits vulnerabilities in internet-enabled devices, such as security cameras, networked printers, and smart home systems.

Web Application Pen Tests

Testers check the security of enterprise web apps, APIs, and software.

Mobile Pen Tests

The tester attempts to find vulnerabilities in the organization’s mobile app.

Wireless Pen Tests

This test involves connecting to open, less secure hotspots or Wi-Fi networks to understand how threat actors may exploit them to compromise the enterprise network.

Physical Pen Tests

In such tests, the tester tries to break into a physical space to gain unauthorized access to its IT systems or other physical assets, perhaps by posing as a contractor or service technician.

The ‘Boxes’ of Pen Tests

Pen tests can also be classified as black box, white box, or gray box, depending on how much information the tester has about the target system.

Black Box Pen Tests

The tester has no specific information about the target system, only high-level information that could be found anywhere, such as the company name. The tester carries out detailed reconnaissance to find and exploit vulnerabilities. Since testers work “blind,” black box pen tests take a lot of time to perform, but these tests also closely resemble what a hacker would know when approaching a target.

White Box Pen Tests

The tester has prior information about the target system, including its IP addresses, network infrastructure schematics, operating system, source code, and so forth, which the tester uses to simulate an internal security attack. Although more detailed than black-box tests, white-box pen tests still provide valuable insights.

Gray Box Pen Tests

Before starting the test, the ethical hacker knows a user with elevated privileges. This method is suitable for simulating the possible actions of internal attackers with long-term access to the target system.

The Stages of Penetration Testing       

Organizations use penetration testing to validate their cybersecurity posture against real-world attacks. Skilled penetration testers and ethical hackers methodically compromise systems safely to uncover vulnerabilities before criminals exploit them.

A thorough penetration test simulates motivated adversaries’ tactics, techniques, and procedures. It typically involves five phases:

  1. Planning: Defining the scope, rules of engagement, testing methodologies, and target systems. Gathering open-source intelligence on the organization’s web applications, network infrastructure, and other digital assets.
  2. Discovery: Scanning networks, Application Programming Interfaces (APIs), wireless signals, and applications for vulnerabilities. Performing non-intrusive vulnerability scanning to create an inventory of security issues.
  3. Attack: Attempting to exploit identified vulnerabilities through techniques like Structured Query Language (SQL) injection, password cracking, Cross-Site Scripting (XSS), and social engineering and trying to achieve escalation of privilege, data exfiltration, or denial of service.
  4. Persistence: After gaining access, maintaining footholds within systems to model Advanced Persistent Threats (APTs). The goal is to assess how well security controls detect and respond to simulated cyberattacks.
  5. Analysis: Documenting which vulnerabilities were successfully exploited. They provided remediation guidance and risk assessments to strengthen cyber defenses, quantifying overall security posture against real-world adversaries.

Penetration Testing Methods

Organizations use different penetration testing methodologies to validate security controls against cyberattacks.

External Pen Testing

External testing targets public internet-facing systems like websites, web applications, email servers, APIs, and network infrastructure. It focuses on remotely exploiting vulnerabilities to breach perimeter defenses. External pen testing simulates real-world attacks by external threat actors.

Internal Pen Testing

Internal testing evaluates insider risks from compromised accounts, phishing, social engineering, and rogue employees. It exercises lateral movement, privilege escalation, and data exfiltration post-access. Internal pen testing evaluates controls like network segmentation, identity and access management, and security monitoring.

Blind Pen Testing

Blind pen testing does not inform the testing team of test details or timing. This models undetected cyberattacks from zero knowledge, like real-world threats. Blind testing assesses incident response capabilities against unknown attack vectors.

Double-Blind Pen Testing

Double-blind testing keeps the red team penetration testers and blue team defenders unaware. This mimics detecting and responding to new vulnerabilities and exploits on the fly. Double-blind testing evaluates readiness against zero-day attacks.

Targeted Pen Testing

Targeted pen testing involves collaboration between ethical hackers and security staff. The focus is rapidly identifying and remediating vulnerabilities or gaps in security controls. Targeted testing provides real-time security guidance and training.

The Differences Between Internal Penetration Testing and External Penetration Testing

Every pen test is a multi-phased process involving these steps:

  • Scoping
  • Reconnaissance (intelligence gathering)
  • Threat modeling
  • Exploitation and post-exploitation
  • Analysis and reporting
  • Re-testing

However, the specific goals, methodology, conditions, and targets can differ quite a bit depending on whether the enterprise chooses internal or external penetration testing.

In external pen testing, the tester tries to simulate how an external user without proper access and permissions could exploit open vulnerabilities in the internal network. Essentially, the tester acts as a malicious outsider or hacker who might try to attack the organization.

Internal pen testing is about understanding how a threat actor with inside access could exploit the network’s vulnerabilities. It also tries to determine what information could be exposed to this insider.

It’s usually best to conduct both external and internal pen tests to understand system security weaknesses and strengthen the enterprise security posture.

What Is Internal Penetration Testing?

An internal pen test is usually done after completing an external pen test. It imitates an insider threat and identifies how an attacker with internal access may compromise or damage the network, systems, or sensitive data.

Typically, the starting point of an internal network penetration test is a user with standard access privileges. The tester may work with these common scenarios:

  • An unhappy rogue employee (malicious insider) who tries to compromise or damage the system
  • An external malicious attacker who accesses the system via social engineering, phishing scam, or stolen credentials

Most organizations focus on external security threats. Yet internal threats — from malicious insiders, careless employees, insecure third-party vendors, and even clients or customers — are equally (if not more) serious than external threats.

Research shows that from 2018 to 2020, insider incidents increased by 47 percent. Moreover, in 2020, the total average cost of insider threats was $11.45 million, 31 percent higher than the $8.76 million in 2018. In 2021, insider threat incidents are expected to grow by 8 percent, and one-third of data breaches are projected to result from insider threats. These threats can come from:

  • Weak or shared passwords
  • Weak access controls
  • Insecure file sharing or unencrypted data
  • Network misconfigurations
  • Lack of awareness about social engineering and phishing
  • Ransomware attacks
  • Insecure remote networks and devices

It’s crucial to identify these threat vectors and address them on priority. For this, internal penetration testing is critical.

How to Do an Internal Pen Test

In internal pen tests, the tester may test:

  • Computer systems, workstations, and mobile devices
  • Servers
  • Wi-Fi networks
  • Access points
  • Firewalls
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
  • Internet-connected HVAC systems
  • Cameras
  • Employees (behaviors and procedures)

Once the tester identifies data security vulnerabilities in these components, they will try to exploit them to understand the potential for unauthorized access and damage. The tester will also provide a detailed report so the enterprise security team can take the necessary actions to close discovered vulnerabilities as soon as possible.

There are many ways to conduct internal pen tests. The tester may use privilege escalation, steal credentials, spread malware, leak information, or carry out other malicious activities like man-in-the-middle (MitM) attacks. Different standard internal pen testing methodologies include:

  • Internal network scanning
  • Port scanning
  • System fingerprinting
  • Firewall testing
  • Manual vulnerability testing
  • Password strength testing
  • Database security controls testing
  • Network equipment security controls testing

The tester may also carry out internal network scans to find known Trojans and check third-party security configurations to minimize the risk of supply chain attacks.

To carry out these tests, white hat hackers can choose from many pen testing tools, including:

  • Nmap: An open-source port scanner utility for network discovery and security auditing
  • Rapid7’s Metasploit: A framework to probe and verify enterprise vulnerabilities
  • Wireshark: An open-source network protocol analyzer to assess vulnerabilities in network traffic in real-time

Let ZenGRC Help With Penetration Testing

To protect your organization from cyberattackers, hackers, and even malicious insiders, it’s essential to think like them, simulate their actions, and actively test the enterprise network. A robust penetration testing plan is integral to your risk management strategy.

Instead of using spreadsheets to manage your information security program, adopt ZenGRC’s governance, risk management, and compliance platform to automate and streamline tasks and documentation management. 

Schedule a demo today to see how ZenGRC can strengthen your security posture.

Risk Remediation vs. Risk Mitigation

· ·

Risk Remediation vs. Risk Mitigation

Remediation and mitigation are words commonly used interchangeably to describe a wide variety of risk management measures within an organization or project. They are, however, distinct concepts under enterprise risk management (ERM) principles, with particular relevance for safeguarding the organization and its stakeholders.

Remediation activities focus on fixing a problem to avoid or prevent the arrival of a risk. For example, in the cybersecurity world, remediation measures are usually related to patching vulnerabilities with software updates, to eliminate those weak spots in your cyber defenses.

On the other hand, mitigation measures focus on reducing the potential damage of a threat, to levels that are tolerable for the company or that can be accepted based on a cost-benefit analysis. Mitigation activities address vulnerabilities that can’t be addressed via remediation — perhaps because remediation of one issue might cause other risks, or the costs of downtime would be too high to be worth the cost.

An effective cybersecurity program will weave together a blend of remediation and mitigation efforts, into one tapestry of better protection for the whole enterprise. So what are the critical differences between remediation and mitigation, and how can these concepts be leveraged to benefit businesses?

Risk Mitigation and Risk Remediation: Key Differences

The main difference between mitigation and remediation is the amount of risk containment or eradication.

Risk remediation seeks to eradicate identified vulnerabilities completely, either because the potential damage is so great or the remediation measures themselves are so easy to implement. Risk mitigation focuses on minimizing risks to a point where they are within the organization’s risk tolerance or can be accepted.

When remediating security risks, actions are focused on the root cause rather than its manifestations or consequence. Risk mitigation operates the other way around: addressing a risk’s manifestations and consequences, rather than the root cause. So it’s even possible that risk mitigation activities might be a temporary measure to give IT security teams time to engage in more permanent risk remediation.

Eradicating a vulnerability is often more challenging to achieve than reducing its effects, so within an overall vulnerability management program, both measures are used together to protect the company from cyberattacks and to minimize attack vectors without impacting process uptime.

Sometimes mitigation may not be enough to comply with regulatory compliance obligations. The PCI DSS standard for credit card security is a good example of this; it requires remediation measures within 30 days of notification of risk higher than four (4) on the common vulnerability scoring system (CVSS) scale.

Implementing Risk Mitigation vs. Risk Remediation Processes

Whether your goal is to remediate or mitigate vulnerabilities, it’s essential to maintain a robust risk management plan and ongoing risk and vulnerability assessments. These are common elements of mitigation and remediation processes and critical requirements to develop other cybersecurity strategies.

Mitigation processes can be general and applicable to different cases. Basic tools of a risk management program can be maintained over time to address similar attack vectors or vulnerabilities of the same type. For example, introducing a firewall rule to prevent the entry of packets on a particular port can be tweaked to deal with different threats.

On the other hand, remediation activities are specific. They are the result of in-depth assessments of the organization’s vulnerabilities, with the help of penetration testing and other security testing tools. Efforts to remediate vulnerabilities are designed almost exclusively to eradicate risk, and security teams must analyze the cost-benefit of these actions.

Risk Mitigation and Remediation in GRC

ZenGRC is a risk management, compliance, and governance solution that can help you build, monitor, and assess your risk management framework and remediation activities.

It can help you comply with various standards, such as GDPR, CCPA, HIPAA, and others, by detecting vulnerabilities, reviewing policies and practices, and assuring tracking and other measures work correctly.

ZenGRC is the ideal option for resolving compliance concerns and effectively managing your compliance strategy over time with workflows, document management, dynamic visualization materials, and risk assessment tools.

Schedule a demo to discover how ZenGRC can assist your company in improving information security risk and compliance.

Regulatory Compliance in Healthcare

· ·

Health care compliance

Every day, healthcare providers must perform the nerve-racking task of complying with increasing healthcare regulations. According to one report, the healthcare industry spends nearly $39 billion every year on the administrative burdens of regulatory compliance.

Today, healthcare organizations must comply with more than 600 regulatory requirements. These compliance laws encompass numerous occupational sectors, from pharmacies and insurance companies to cloud service providers.

This article aims to provide a solid starting point for establishing a robust regulatory compliance program. It offers guidance and insights to healthcare professionals looking to ensure adherence to the myriad regulations that shape their industry.

What Does ‘Regulatory Compliance’ Mean?

Regulatory compliance is the set of processes and procedures that support an organization’s adherence to the regulations and other requirements wherever the organization operates. This includes national or state laws, industry regulations, or contractual obligations.

Although many healthcare facilities may consider healthcare compliance requirements to hinder success, an effective program to comply with regulatory obligations can be a competitive advantage.

What Is Regulatory Compliance in Healthcare?

Compliance obligations specific to healthcare can include a broad spectrum of practices. However, most healthcare compliance issues relate to patient safety, the privacy of patient information, and government reimbursement for healthcare expenditures. In the most significant sense, regulatory compliance in healthcare is about providing high-quality patient care.

Healthcare professionals routinely compile and access electronic health records. Therefore, maintaining patient privacy and results as data are collected has become vital to the industry. Failure to protect healthcare data — failing to meet compliance obligations — can result in costly monetary penalties from regulators.

For example, as of August 2021, the U.S. Department of Health & Human Services had imposed monetary penalties in more than 100 cases totaling $135.3 million. Given that financial threat, understanding your compliance obligations and meeting those obligations can save millions of dollars in penalties (on top of the value of patient trust).

What are the three main areas of healthcare compliance?

In the highly regulated world of healthcare, regulatory compliance is the foundation upon which patient care and ethical practice are built. To better understand this intricate landscape, let’s delve into the three critical areas of healthcare compliance. 

These pillars are the foundation for ensuring the delivery of quality healthcare while adhering to compliance regulations and ethical standards. 

  • Patient Safety: This area is a forefront of healthcare compliance efforts. It involves measures to prevent medical errors, ensure infection control, and safeguard patients from harm during their healthcare journey.
  • Patient Privacy and Data Security: Protecting patient information is paramount. Compliance in this area revolves around maintaining patient privacy and data security, strictly adhering to regulations like HIPAA to safeguard sensitive health information.
  • Billing and Coding Compliance: Accurate and ethical billing and coding practices are vital for healthcare providers. This compliance aspect ensures that billing is done correctly, adhering to coding systems and anti-fraud laws.

Regulatory Requirements for Healthcare Organizations

Healthcare is more heavily regulated than almost any other industry. Below, we explain five significant laws that govern healthcare compliance in the United States.

1. Health Insurance Portability and Accountability Act (HIPAA)

HIPAA compliance comprises the rules on privacy and security, breach notification, and enforcement for protecting healthcare system information.

The HIPAA Privacy Rule applies to all healthcare providers and entails electronic, paper, and oral media. It grants patients the right to see their Protected Health Information (PHI) and requires disclosure of how that information is used. Healthcare facilities must also update security measures to safeguard medical records in a changing environment. 

2. Anti-Kickback Statute and Stark Law

The Anti-Kickback Statute and the Stark Law are designed to keep medical treatment decisions free from the influence of hidden financial arrangements between healthcare workers and hospitals. These laws are essential because improper financial incentives can lead to inappropriate medical decision-making and higher Medicare and Medicaid services expenses.

3. Patient Safety and Quality Improvement Act (PSQIA)

The law established new Patient Safety Organizations (PSOs) to prevent the data from being used in lawsuits against the PSO.

The PSO acts as the principal vehicle to gather data about adverse medical events and assist providers in implementing practices to reduce adverse events and build safety cultures while increasing the quality of care.

4. The Health Information Technology for Economic and Clinical Health (HITECH) Act

The HITECH Act reinforces two significant initiatives: promoting the proper use of electronic health records and cybersecurity measures and further supporting HIPAA enforcement.

Before the HITECH Act, only a few hospitals adopted electronic medical record systems, leading to inefficiencies in public health. HITECH was meant to encourage more use of electronic medical records while preserving the privacy and security of healthcare data.

5. Affordable Care Act (ACA)

As the name says, the ACA aims to extend health and insurance coverage to more people and encourage innovative medical care delivery methods to minimize healthcare costs.

The ACA created a Health Insurance Marketplace, stopping insurance organizations from refusing coverage because of pre-existing conditions.

Common Challenges in Regulatory Compliance in Healthcare

Ensuring healthcare regulatory compliance is critical to providing safe and effective patient care. However, healthcare organizations often need help in meeting the evolving regulatory requirements. Here are some common challenges:

Ever-Changing Regulations

Healthcare regulations frequently evolve at both federal and state levels. Staying current with compliance updates can take time and effort for healthcare providers. For instance, recent updates include the introduction of the CMS Interoperability and Patient Access Rule, which focuses on improving patient data access and sharing through electronic health records.

HIPAA & Data Breaches

Data breaches, especially in the digital age, threaten the healthcare sector significantly. State-specific laws add complexity, differing in how they define personal information, mandate breach notifications, and impose penalties on non-compliance. Protecting patient data remains an overarching priority.

Interoperability and Data Exchange

The seamless sharing of patient data among healthcare systems remains a significant challenge. The 21st Century Cures Act and the ONC’s Information Blocking Rule aim to facilitate data interoperability, mandating that healthcare providers adopt technologies that allow for easier exchange of patient information. Compliance with these updates is crucial to enhance patient care coordination.

False Claims & Whistleblower Suits

Healthcare’s battle against false claims and whistleblower actions, often under the purview of the False Claims Act, is ongoing. This act encompasses fraud in federally funded programs, including Medicaid and Medicare. Recent legislative changes empower whistleblowers, making it easier for them to initiate claims against healthcare organizations.

Make Compliance Part of Your DNA With ZenGRC

At ZenGRC, we know that having a solid compliance program that adheres to HIPAA and other regulations is part of your commitment to quality patient care. For that reason, we built ZenGRC to help you stay on top of the compliance requirements.

If you are overwhelmed with managing health information and compliance in spreadsheets, ZenGRC is the solution for a more efficient compliance process. Schedule a demo now, and we will show you how ZenGRC can simplify your processes, build more effective compliance, and drive your business forward.

Risk Control Measures That Work

· ·

Conducting a regular risk assessment is an integral part of any organization’s overall risk management plan. It’s sometimes even a legal requirement, depending on your industry, contractual obligations, or the number of people you employ.

Risk assessments also help you perform a risk analysis to evaluate the risks associated with a hazard after the hazard is identified. Risk controls can then be put in place to eliminate, mitigate, or reduce the potential harm of threats.

A security risk assessment (SRA) evaluates risks in your company, technology, and processes to assure that controls are in place to protect against security threats. Depending on the industry or use case, security risk assessments might also be called risk assessments, IT infrastructure risk assessments, security risk audits, and security audits.

Various compliance standards require security risk assessments, including PCI-DSS (Payment Card Industry Data Security Standards), ISO 27001 (International Standards Organization), and HIPAA (Health Insurance Portability and Accountability Act).

What Is Risk Control?

Risk control, a crucial part of the risk management process, is a business strategy that enables organizations to assess potential losses and then take action to reduce or eliminate those identified risks. Its objective is to identify and assess risk, and to prepare a company for any threats that could interfere with corporate operations or the organization’s ability to pursue financial and other objectives.

Risk control uses the findings of risk assessments – specifically, the potential risk factors in an organization’s operations and management practices that assessments bring to light. These factors include weak financial controls, technical and non-technical controls, and other issues that could harm the business.

How Are Risk Control and Risk Management Different?

Risk control and risk management are distinct but related concepts. Risk management refers to all the steps for identifying, preventing, and mitigating risks; risk control is one of the tools under the risk management umbrella. Risk management is the methodology for addressing and assessing vulnerabilities; risk control is the strategy of attempting to prevent them.

Specific risk control strategies will vary from company to company, depending on your needs and policies. Examples of controls may include testing, periodic internal audits or inspections, and even your training program. Your risk assessment will determine what risks are present in your company and what controls need to be placed to protect your assets.

What Is the Risk Assessment Process?

A risk assessment is a systematic process of identifying threats or hazards in your work environment, evaluating the potential severity of those risks, and then implementing reasonable control measures to mitigate or remediate the risks.

More simply, a risk assessment is essentially a thorough examination of your organization. Risk assessments and risk analysis are often used interchangeably, but risk analysis is a specific step within an assessment process.

Typically, risk assessments involve this five-step process:

  1. Identify all potential threats.
  2. Determine the potential impacts of each threat.
  3. Perform risk analysis and establish suitable precautions.
  4. Implement security control measures and record your findings.
  5. Review and re-assess when necessary.

Why Are Risk Assessments Important?

Thorough risk assessments are the fundamental management tool in risk management; they help you to evaluate the effectiveness of your existing security standards. This allows you to prioritize high-risk areas and implement new or additional controls to keep remaining risk levels low.

For many companies, specific legal requirements will dictate which type of risk assessment you should conduct. For example, organizations holding or using hazardous substances must complete a Control of Substances Hazardous to Health Assessment (COSHH). Other risk assessments include fire risk assessments, manual handling risk assessments, Display Screen Equipment (DSE) risk assessments, and security risk assessments.

What Is a Security Risk Assessment?

A security risk assessment is a specific type of risk assessment that focuses on information security risks posed by the applications and technologies an organization uses or develops.

In cybersecurity, we use the terms “threat” and “vulnerability” to refer to security weaknesses, and their definitions are more specific to cybersecurity risk management:

  • A threat typically involves a malicious act – malware, a virus, a denial-of-service attack, or a data breach – that aims to destroy data, inflict harm, or disrupt operations.
  • A vulnerability is a weakness in a system that leaves it open to threats or potential attacks.

In cybersecurity, risk represents the potential harm that vulnerabilities could cause if successfully exploited.

Completing a security risk assessment is crucial not only for cybersecurity but also for regulatory compliance. For example, the Sarbanes-Oxley Act (SOX) and HIPAA require periodic security risk assessments.

How to Conduct a Cybersecurity Risk Assessment

Cybersecurity risk assessment models typically consist of the following steps:

  1. Identify critical technology assets and the sensitive data those devices create, store, or transmit.
  2. Create a risk profile for each asset.
  3. Assess the risks for all critical assets.
  4. Map all the interconnections of critical assets.
  5. Prioritize which assets to address.
  6. Develop a mitigation plan with control measures for each risk.
  7. Implement those measures to prevent or minimize vulnerabilities.
  8. Monitor risks, threats, and vulnerabilities on an ongoing basis.

Security risk assessments are an essential component of enterprise risk management. They will help your organization establish more effective control measures to prevent cybersecurity threats from coming to fruition.

What Are Risk Assessment Control Measures?

During your risk assessment, you may ask yourself, “How exactly will I control the risks once they’re identified?” After all, a risk assessment is just that: an assessment. It’s up to you to assess the risk and decide whether it’s safe to proceed.

After identifying any hazards, you’ll need to implement control measures to reduce risk and prevent harm. A thorough risk assessment will check your existing precautions and then help you decide whether or not you need to do more to prevent damage.

Control measures usually include one or a mix of the following:

  • Removal
  • Rules
  • Procedures
  • Equipment
  • Exclusions
  • Training
  • Supervision
  • Limitations
  • Preventions

Choosing the best controls for your business will depend on the hazards or threats your organization faces and their risks. For instance, if you require that your employees participate in a cybersecurity awareness training program, that’s a control measure. Another control measure is telling your team to wear safety goggles when performing a specific task.

On paper, the best control measure is elimination: removing the risk from your environment. In practice, it’s not possible to eliminate every threat. When it’s impossible to eliminate a risk, using the hierarchy of risk control measures can help you decide the best control measures for any risk assessment your organization might need. For example, implementing anti-phishing tools will reduce some of the dangers cyberattacks pose without having to eliminate the use of email.)

Practical Risk Assessment Control Measures

In an ideal world, elimination would work in every situation. There are, however, other risk assessment control measures you can implement instead of, or in addition to, elimination. Together, these control measures make up the Hierarchy of Controls.

Elimination

In cybersecurity, elimination might involve removing an application from company-wide use, perhaps because it poses a security risk to your sensitive information.

Substitution

Where elimination is not possible, substitution is often the next best control measure available. In workplace safety, consider substituting a hazardous chemical with a safer alternative, replacing ladders with tower scaffolds, or exchanging old worn-out equipment with newer technology.

Substitution in cybersecurity could mean investing in new hardware for your organization, finding a more secure application suited to your needs, or migrating to more secure storage options like the cloud.

Engineering Controls

Engineering controls for cybersecurity could include implementing multi-factor authentication for all users, access control, enforcing a stringent password policy for employees, or cybersecurity tools such as antivirus software and firewalls.

Administrative Controls

Cybersecurity administrative control measures might include scoring requirements for cybersecurity awareness training assessments, documented business processes, company-wide phishing tests, or disciplinary actions for non-compliance with security policies.

Personal Protective Equipment

Finally, personal protective equipment (PPE) is the last line of defense against workplace health hazards. These are valuable safeguards giving the wearer added protection for any remaining level of risk or if other controls fail. Examples of PPE include ear mufflers when using noisy equipment, harnesses, lanyards when working at height, or hard hats when falling tools or materials are overhead.

For your organization’s cybersecurity, think of PPE as the IT security tools and software you use to protect your organization’s information systems and information assets from risk. Good risk mitigation software can do just that: minimize your risks and make risk assessments and the risk management process more streamlined and less stressful for you.

Streamline Cyber Risk Management with ZenGRC

You must conduct regular risk assessments as part of your organization’s overall risk management program. Identifying even the most obvious workplace hazards and assigning the level of risk is difficult enough. Adding cybersecurity to the mix and risk management can quickly become overwhelming.

A good risk management program should change in response to the risks your organization faces, and cybersecurity risk management is no different. Fortunately, risk mitigation software solutions are available.

ZenGRC can help you implement, manage, and monitor your risk management framework and remediation tasks to improve your security posture and business operations.

ZenGRC enables task assignment and prioritization so that all stakeholders know what to do and when to do it. And its user-friendly dashboards make it easy to review “To Do” and “Completed Tasks” lists. And when audit time rolls around, ZenGRC’s “single source of truth” audit-trail document repository lets you quickly access the evidence you need.

ZenGRC is equipped to help you mitigate risks and streamline risk management during the entire lifecycle of all your relevant cybersecurity risk management frameworks, including PCI DSS, ISO, SOX, HIPAA, and more. Templates and tools help perform assessments, prioritize high-risk areas, and document security measures.

Contact our team for a demo today and get started on the path to worry-free risk management – the Zen way.

Internal Control Practices to Prevent Inventory Loss

· ·

inventory loss

In 2020, more than 15 percent of U.S. retailers experienced inventory shrinkage — that is, loss of physical inventory — of 3 percent or more. According to the 2019 National Retail Security Survey, shrinkage cost the U.S. retail industry $50.6 billion that year.

A common cause of inventory shrinkage is larceny, defined as the taking of property without the use of force — indicating an inside job. One estimate from 2017 found that 33 percent of retail inventory shrinkage resulted from internal or employee theft.

Regardless of the cause, inventory shrinkage is problematic because lost inventory is corporate money gone down the drain: funds spent to acquire an asset, which then disappears so it can’t be sold.

Hence it’s vital to prevent (or at least reduce) inventory shrinkage. To do that, robust internal controls are critical.

The Impact of Inventory Shrinkage

Inventory shrinkage is a loss of inventory. It is the difference between the inventory recorded on a company’s balance sheet and the actual inventory stored and available for use.

Many factors can lead to such losses, including:

  • Vendor fraud or error;
  • Shoplifting or external theft;
  • Employee theft;
  • Administrative errors or improper documentation;
  • Damage.

Shrinkage cuts into profits. It is an especially serious risk in the retail industry and among small businesses that have to sell a large amount of products to make a profit.

To make up for physical inventory loss and the resulting decrease in profits, companies may need to increase the selling price of their products. That, however, can alienate customers and further exacerbate the harm to a company’s bottom line.

Shrinkage can also increase costs in other areas, such as investments in security technologies and personnel. These costs also hit the bottom line and may result in increased prices for customers.

Internal Controls for Inventory Shrinkage and Inventory Loss

Inventory shrinkage is unavoidable. The problem, however, can be reduced to an acceptable level where it doesn’t materially harm profits. For this, it’s crucial to identify absent or weak internal controls and implement robust internal controls to protect your business.

Segregate Duties

Segregation of duties means that different people are in charge of ordering, recording, reconciling, and safeguarding inventory. Dividing responsibilities in that way can minimize the chance of a particular employee stealing inventory stocks and covering up the theft.

Segregation of duties also assures that one employee’s actions are verified and approved by another. One employee may retrieve the stock for processing, while another counts the inventory and updates the records. It’s difficult for either one of them to steal inventory unless the two employees are scheming together.

Regular Inventory Counts

New inventory from a vendor must be immediately counted and reconciled with the packing list to confirm that there are no mismatches, clerical errors, or vendor fraud. If the amount is incorrect, the vendor must be notified immediately. It’s also essential to do a regular physical count of inventory levels to detect and address errors and fraudulent activities quickly.

Calculate and Compare Shrinkage Rates

In 2018, the median shrinkage rate in retail was 1 percent. Generally, an acceptable level of inventory shrinkage is less than 1 percent, but it depends on your industry. The rate itself can be calculated as follows:

Shrinkage Rate = (Recorded Inventory – Actual Inventory) / Recorded Inventory

Periodically calculating the shrinkage rate is an excellent way to monitor inventory and compare shrinkage rates throughout different periods. An unexpected increase in your shrinkage rate indicates that you need to investigate possible causes and take a look at your controls.

Rotate Duties and Job Assignments

Rotating job assignments is one way to prevent employees from engaging in long-term schemes to steal inventory. If one employee is stealing, the next employee assigned to their role may discover the theft and report it to the organization.

Mandatory vacations can also discourage theft because many dishonest schemes require the employee to attend to them daily. The scam may collapse or be detected if the employee is unable to execute it personally.

Implement Strong Security

Strong physical security measures can deter inventory shrinkage, particularly due to theft. For example, video cameras provide surveillance of inventory receiving areas and function as a visual recording system.

Other security measures to control inventory shrinkage include:

  • Restrict deliveries to loading docks;
  • Limit access to interior areas such as storage areas to authorized personnel only;
  • Segregate high-demand or expensive items in a separate storage area with more robust fencing, strong locks, and controlled access;
  • Establish a system to document and track any stock taken out of the storage area to another area.

Leverage Security Devices and Technologies

Item tracking devices, such as ink-blot tags and magnetic scanners, can deter and detect both internal and external theft. Barcode scanners make it difficult for internal users to steal inventory and alter company records to cover up the theft.

Digital information resources should also be secured with strong passwords or multi-factor authentication (MFA) to prevent theft and records alteration. Access should only be assigned to authorized personnel. Administrative or super-user access should be limited to assure only specific users can modify records for shipping, sales, purchasing, and inventory counts.

Set Up a Confidential Fraud Reporting Hotline

According to the 2018 Global Study on Occupational Fraud and Abuse by the Association of Certified Fraud Examiners (ACFE), more than 50 percent of corruption and fraud cases in organizations were detected by a tip.

Encouraging employees to participate in fraud detection and prevention can go a long way towards minimizing shrinkage. A confidential fraud reporting hotline allows employees safely to report any possible shrinkage events, such as theft, damage, clerical errors, or vendor fraud.

Make Shrinkage Prevention an Enterprise-Wide Initiative

Employee participation cannot happen without the support of the top leadership. The organization’s leaders, managers, and board of directors must demonstrate honesty, accountability, and ethical behavior from the top.

Leadership must demonstrate that good behavior (such as reporting larceny) will be rewarded; and undesirable behavior (such as participating in theft) will be punished. It’s also essential to set zero-tolerance company policies and adhere to them. Inconsistency will result in honest employees feeling demoralized, unappreciated, and potentially afraid of retaliation.

Set Par Levels and Reorder Points

Expired goods can result in inventory shrinkage too. To avoid shrinkage from expired goods, you must manage inventory turnover, rotate the stock, and prevent overstock.

A par level, or safety stock, is the amount of inventory that must be maintained between receiving shipments to meet customer demand. Setting the proper par levels can help the organization avoid stockout, overstock, and keep an eye on expiration dates.

Establish a Robust Documentation Process

It’s crucial that inventory is trackable and auditable. For this, timely, relevant, and up-to-date documentation is vital. All these documents must be part of the control environment to provide an audit trail and control inventory shrinkage:

  • Purchase requisition form. A written request from an employee to the purchasing department to purchase a particular item.
  • Purchase order. Sent by the purchasing department to a supplier requesting that the item be shipped.
  • Invoice. Sent by the supplier to the purchasing party requesting payment for items shipped.
  • Receiving report. Prepared by the receiving department, specifying the quantities and descriptions of items received from a supplier.

Adjust Accounting Records

All inventory-related documents should be regularly checked against accounting department records to confirm that there are no discrepancies (deliberate or accidental) between the inventory recorded and the inventory actually available.

If there is shrinkage, inventory losses should be recorded by increasing the shrinkage expense account and decreasing the inventory account. Accurate inventory shrinkage journal entries in the accounting system can help pinpoint errors and identify the steps required to address them.

Automate Inventory Record Keeping

Automating inventory and reporting is the best way for business owners to prevent inaccurate inventory records, malicious dishonesty, and theft. For this, comprehensive inventory management systems are available.

Such software can track the progress of inventory stocks, from the time it is acquired to when it moves into finished goods inventory. The system provides real-time and complete updates on inventory status and possible red flags.

Protect Your Inventory Better with Support from ZenGRC

You may not be able to eliminate shrinkage completely, but you can minimize it and protect your bottom line. This starts with the safeguards we have discussed here, as well as greater visibility into your risk environment.

Explore ZenGRC to get deeper, real-time insights into the risks affecting your inventory. Identify relevant risks across your business with the single, integrated experience offered by ZenGRC. See where risk is changing, stay ahead of evolving threats, and mitigate business exposure.

To see how ZenGRC can fit into your business, schedule a demo to get started.