If your IT stakeholders want a stronger grip on cybersecurity and compliance risk, performing an information security risk assessment is where you begin. This post explores the methodology one should use for that risk assessment, including the different approaches to building a strong information security management program.
How Do You Conduct an Information Security Risk Assessment?
When conducting an information security risk assessment, you first need to identify and understand all the risk-prone IT assets in your enterprise. This step allows you to analyze the weaknesses of each asset in detail, which then lets you understand how to remediate them. These are separate activities in an assessment, and are respectively known as risk assessment and risk analysis.
- A risk assessment identifies and catalogs all the potential risks to your organization’s ability to do business.
- Risk analysis then examines each identified risk and assigns a score to it, using one of two scoring formulas: quantitative or qualitative.
Let’s take a closer look at both methods, and how risk managers use each one to understand information risk and then develop strong compliance programs and internal controls.
Qualitative Risk Analysis
A qualitative risk analysis evaluates the danger of a risk based on its possible outcomes and consequences, and categorizes risks by whether they are source-based or effect-based.
A source-based risk is one that arises from internal vulnerabilities within an organization’s IT infrastructure. Examples include flawed access controls, ineffective firewall configurations, or inactive password restrictions. Effect-based risks, in contrast, occur as a result of an external factor that is introduced to the organization and creates vulnerabilities, such as a new privacy regulation.
Qualitative risk assessment is subjective and based on employees’ judgments and experience. Each risk might be ranked with adjectives such as “low,” “medium,” or “severe,” for example.
Quantitative Risk Analysis
Quantitative risk analysis assigns a numerical value to each risk using algorithms and actuarial information.
A quantitative approach helps risk managers to determine the level of risk via a risk assessment matrix on a scale from low to high risk. These risks might be ranked along the lines of “10 percent probability” or “85 percent likely,” for example.
Using the risk matrix, senior management can make informed decisions about the IT security controls that might be necessary.
IT Risk Assessment Tools
Both qualitative and quantitative analysis support the risk management process because they illuminate your business’s risk profile from different perspectives.
Assessments like those described above help the security team to build a risk profile comparing an IT asset’s value against the potential losses a risk might bring about. That insight also helps risk managers understand which mitigation steps and security policies are effective, and which ones aren’t.
Now that you have a good understanding of the types of risk analysis, let’s move on to the tools that can help you perform a risk assessment.
ISO 27005
ISO 27005 is a standard from the International Organization for Standardization that provides a framework for risk management, but not a specific approach. In other words, it outlines what the risk assessment needs to include, but provides no specific steps to take.
ISO 27005 provides guidelines for defining how risk management relates to your business processes. That, in turn, provides the basis for creating the actual criteria and deliverables for information security risk management. Criteria might include:
- Identifying the impact of specific risks
- Estimating an acceptable level of risk
- Determining what the organization’s risk management objectives should be
ISO 27005 isn’t an approach to determine risk tolerance per se; senior executives or the board of directors should do that. Rather, ISO 27005 is important for risk management because it outlines all areas and risks to be reviewed.
NIST SP 800-30
The National Institute of Standards and Technology published NIST SP 800-30, which defines nine steps in the risk assessment process and explores related subjects such as risk evaluation and mitigation.
The nine steps are:
- System characterization
- Threat identification
- Vulnerability assessments
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
Unlike other risk assessment guidelines, NIST SP 800-30 lays out a risk management framework for carrying out the three parts of risk assessment: preparing for the assessment, conducting it, and maintaining the risk assessment report after completion.
NIST SP 800-30 also explores how other organizational risk management processes complement and inform each other. It could also be a complementary approach to other industry data security standards and data privacy regulations, such as PCI DSS (for credit card data) or HIPAA (for personal health information).
What Is a Security Risk Assessment Checklist?
Regardless of the framework you use for security risk assessment, you still need an approach to identify security risks and put an action plan in place to mitigate these risks.
By using a comprehensive risk assessment checklist, you would be able to assure that all IT teams follow a standardized process. Such a checklist needs to be tailored to the unique needs of your organization and the type of assets managed within your information systems. To start with, it needs to follow this baseline checklist structure:
- Compile a catalog of all IT assets.
- Identify the risks from a security, cyber security, and privacy perspective.
- Analyze existing internal controls to identify vulnerabilities and potential threats.
- Assess and prioritize the impact of these threats to implement control recommendations and safeguards.
- Repeat the checklist actions at regular intervals.
For a detailed walkthrough of these steps in your checklist, we compiled a comprehensive compliance risk assessment checklist for your reference.
Managing Risk with ZenGRC
When it comes to IT risk assessment (and cybersecurity risk assessment in particular) to prepare adequately against cyber attacks, security incidents, and sensitive data breaches, you can’t leave anything to chance. Errors and omissions from manual processes and inexperienced hands can be costly and detrimental to your business reputation.
That’s why we recommend the ZenGRC risk management software. ZenGRC’s user-friendly dashboards show you what your security posture looks like and which risks need mitigating from security threats, all while tracking workflows and storing the documents needed at audit time.
Schedule a demo to witness ZenGRC in action.