Businesses face risk every day. It’s a part of getting business done, especially in our digital world. Managing risk is critical, and that process starts with a risk assessment. If you don’t assess your risks, they cannot be properly managed, and your business is left exposed to threats. A successful risk assessment process should align with your business goals and help you cost-effectively reduce risks.
Risk assessments can be performed on any application, function, or process within your organization. But no organization can realistically perform a risk assessment on everything. That's why the first step is to develop an operational framework that fits the size, scope, and complexity of your organization. This involves identifying the internal and external systems that are critical to your operations and/or that process, store, or transmit legally protected or sensitive data (such as financial, healthcare, or credit card data). Then you can create a risk assessment schedule based on criticality and information sensitivity. The result is a practical (and cost-effective) plan to protect assets while still maintaining a balance of productivity and operational effectiveness.
Once you determine your framework, you’re ready to embark on your individual risk assessments. When going through the process it’s important to keep in mind that there are different categories of risk that may affect your organization. Here’s what they are.
Strategic risk is related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
Reputational risk is related to negative public opinion.
Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
Transactional risk is related to problems with service or product delivery.
Compliance risk is related to violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or business standards.
Now let’s look at the basic steps of a risk assessment.
#1. Characterize the System (Process, Function, or Application)
Characterizing the system will help you determine the viable threats. This should include (among other factors):
What is it?
What kind of data does it use?
Who is the vendor?
What are the internal and external interfaces that may be present?
Who uses the system?
What is the data flow?
Where does the information go?
#2. Identify Threats
Some basic threats will appear in every risk assessment; depending on the system, additional threats should be included. Common threat types include:
Unauthorized access (malicious or accidental). This could come from a direct attack or compromise, a malware infection, or an internal threat.
Misuse of information (or privilege) by an authorized user. This could be the result of an unapproved use of data or changes made without approval.
Data leakage or unintentional exposure of information. This includes permitting the use of unencrypted USB and/or CD-ROM media without restriction; deficient paper retention and destruction practices; transmitting Non-Public Personal Information (NPPI) over unsecured channels; or accidentally sending sensitive information to the wrong recipient.
Loss of data. This can be the result of poor replication and back-up processes.
Disruption of service or productivity.
#3. Determine Inherent Risk & Impact
This step is done without considering your control environment. Factoring in how you characterized the system, you determine the impact to your organization if the threat were exercised. Examples of impact ratings are:
High – Impact could be substantial.
Medium – Impact would be damaging, but recoverable, and / or is inconvenient.
Low – Impact would be minimal or non-existent.
#4. Analyze the Control Environment
You typically need to look at several categories of information to adequately assess your control environment. Ultimately, you want to identify threat prevention, mitigation, detection, or compensating controls and their relationship to identified threats. A few examples include:
Organizational Risk Management Controls
User Provisioning Controls
User Authentication Controls
Infrastructure Data Protection Controls
Data Center Physical & Environmental Security Controls
Continuity of Operations Controls
Control assessment categories may be defined as:
Satisfactory – Meets control objective criteria, policy, or regulatory requirement.
Satisfactory with Recommendations – Meets control objective criteria, policy, or regulatory requirement with observations for additional enhancements to existing policies, procedures, or documentation.
Needs Improvement – Partially meets control objective criteria, policy, or regulatory requirement.
Inadequate – Does not meet control objective criteria, policy, or regulatory requirement.
#5. Determine a Likelihood Rating
Now you need to determine the likelihood that a given threat will be exercised, taking into account the control environment your organization has in place. Examples of likelihood ratings are:
High – The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium – The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low – The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
#6. Calculate your Risk Rating
Even though a great deal of information and work goes into determining your risk rating, it all comes down to a simple equation:
Risk Rating = Impact (if the threat is exercised) × Likelihood (of it being exercised in the assessed control environment)
Some examples of risk ratings are:
Severe – A significant and urgent threat to the organization exists and risk reduction remediation should be immediate.
Elevated – A viable threat to the organization exists, and risk reduction remediation should be completed in a reasonable period of time.
Low – Threats are normal and generally acceptable, but may still have some impact to the organization. Implementing additional security enhancements may provide further defense against potential or currently unforeseen threats.
Using the impact and likelihood values from NIST Special Publication 800-30, a completed Residual Risk Rating Assessment would rate each of the threat categories identified in step 2:
Unauthorized Access (Malicious or Accidental)
Misuse of Information by Authorized Users
Data Leakage / Unintentional Exposure of Customer Information
Loss of Data
Disruption of Service or Productivity
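The six steps above, carried through as a small risk register, as an added example that is not part of the original article. The numeric scale is the one in NIST SP 800-30 Table 3-3 (likelihood High = 1.0, Medium = 0.5, Low = 0.1; impact High = 100, Medium = 50, Low = 10; risk High above 50, Medium above 10, Low at 10 or below). Two things are assumptions: the NIST High/Medium/Low risk levels are mapped onto this article's Severe/Elevated/Low labels, and the impact and likelihood ratings for the five threat categories are constructed sample values, not an assessment of any real system.

```python
"""Inherent vs. residual risk rating using the NIST SP 800-30 risk-level matrix.

Added example, not from the original article. Scale values follow NIST SP 800-30
Table 3-3. The Severe/Elevated/Low labels are this article's; mapping them onto
NIST's High/Medium/Low risk levels is an assumption made here.
"""
from dataclasses import dataclass

# NIST SP 800-30 Table 3-3 values.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(impact: str, likelihood: str) -> float:
    """Step 6: Impact x Likelihood. Rejects ratings outside the defined scale."""
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating {impact!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating {likelihood!r}")
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_rating(score: float) -> str:
    """NIST risk scale (High >50, Medium >10, Low otherwise) mapped onto the
    article's labels. The mapping is an assumption, not NIST's wording."""
    if score > 50:
        return "Severe"      # NIST High: remediate immediately
    if score > 10:
        return "Elevated"    # NIST Medium: remediate in a reasonable period
    return "Low"             # NIST Low: generally acceptable


@dataclass(frozen=True)
class ThreatEntry:
    threat: str
    impact: str               # step 3: rated with no controls considered
    inherent_likelihood: str  # likelihood if no controls were in place
    residual_likelihood: str  # step 5: likelihood given the assessed controls


def assess(register: list[ThreatEntry]) -> list[dict]:
    """Rate every threat twice (inherent, then residual) and order the result
    so the entries needing the most urgent remediation come first."""
    rows = []
    for e in register:
        inherent = risk_score(e.impact, e.inherent_likelihood)
        residual = risk_score(e.impact, e.residual_likelihood)
        rows.append({
            "threat": e.threat,
            "inherent_score": inherent,
            "inherent_rating": risk_rating(inherent),
            "residual_score": residual,
            "residual_rating": risk_rating(residual),
        })
    rows.sort(key=lambda r: r["residual_score"], reverse=True)
    return rows


# Constructed sample ratings for the article's five threat categories.
SAMPLE_REGISTER = [
    ThreatEntry("Unauthorized Access (Malicious or Accidental)", "High", "High", "Medium"),
    ThreatEntry("Misuse of Information by Authorized Users", "High", "High", "High"),
    ThreatEntry("Data Leakage / Unintentional Exposure of Customer Information", "Medium", "High", "Low"),
    ThreatEntry("Loss of Data", "High", "Medium", "Low"),
    ThreatEntry("Disruption of Service or Productivity", "Medium", "Medium", "Medium"),
]


def residual_ratings(register: list[ThreatEntry] = SAMPLE_REGISTER) -> dict[str, str]:
    """Threat name -> residual rating, the column a completed assessment reports."""
    return {r["threat"]: r["residual_rating"] for r in assess(register)}


if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r['threat'][:48]:<48} inherent {r['inherent_score']:>5.1f} ({r['inherent_rating']:<8}) "
              f"residual {r['residual_score']:>5.1f} ({r['residual_rating']})")
```

Two boundary cases are worth noticing in the sample output: High impact with Medium residual likelihood scores exactly 50, which NIST places in the Medium band (Elevated here), and High impact with Low residual likelihood scores exactly 10, which falls into Low. Whoever owns the register should decide whether an exact 10 for a High-impact threat is really acceptable or whether the thresholds should be tightened; the matrix makes the decision visible rather than making it for you.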
Regular risk assessments are a fundamental part of any risk management process because they help you arrive at an acceptable level of risk while drawing attention to any required control measures. The risk assessment process is continual, and should be reviewed regularly to ensure your findings are still relevant.
Learn more about Risk Management in How to Define Cybersecurity Risk and What is Risk Management?
RISK ASSESSMENT STEPS
2500 Plaza 5 25th fl Jersey City NJ 07311 phone 732-516-1648 fax 732-516-9778
Copyright © Daniel Cullinane CPA.
Daniel Cullinane CPA