Risk is a business concept, in that anything that threatens an organization’s ability to achieve its financial goals is considered a business risk. When it comes to IT risk, many organizations rely on compliance regulations and standards to enforce security and reduce cyber-risks.
However, the scope of these regulations and standards is often narrowly focused on specific aspects of the business or on a particular type of data handled, and they don’t provide a comprehensive evaluation of the state of security across the entire IT infrastructure.
With an ever-changing threat landscape, an increase in the number of cyber-attacks, and sophistication of new threats, it’s critical that organizations methodically evaluate IT risk with enterprise-wide assessments and don’t rely solely on a check-the-box compliance strategy to mitigate threats and vulnerabilities.
The COVID-19 pandemic is a prime example of a risk that took most companies by surprise, and one where compliance requirements did little to help mitigate the rise in security vulnerabilities.
COVID-19 has:
The need for enterprise-wide IT risk assessment is especially clear during times of disruption. Organizations must be diligent in identifying, evaluating, and mitigating technology risk to protect confidentiality, integrity, and availability of IT assets.
For more details, please see a Cybersecurity Checklist for Remote Work.
An IT risk assessment aims to provide a comprehensive evaluation of an organization to identify potential threats and countermeasures to reduce the risk. No organization can completely eliminate risk, so an IT risk assessment helps determine which vulnerabilities present the most risk to the organization.
Some benefits of conducting an IT risk assessment include:
Three factors play into risk determination:
The first step of the risk assessment process is to understand and identify all assets within the organization; this includes hardware, software, and data. You’ll also need to classify each asset. For example, if a system holds sensitive or proprietary information, it should be classified as high-risk.
The next step is to identify threats to an asset, such as:
Then, identify the vulnerabilities of the asset. A threat can exploit a vulnerability to breach security and harm your organization. Vulnerabilities can be identified through vulnerability scanning, security assessments, NIST’s National Vulnerability Database (NVD), vendor data, and advisories from the Cybersecurity and Infrastructure Security Agency (CISA), to name several examples.
Now, analyze the controls in place to minimize or mitigate the probability a threat will exploit a vulnerability in the system.
Controls can be implemented through technical means—such as antivirus, encryption, intrusion detection mechanisms, and identification and authentication systems. Examples of nontechnical controls include policies and procedures, access reviews, and physical and environmental monitoring.
Next, assess the likelihood of a vulnerability being exploited and the impact it would have on the asset. The type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of the controls all need to be accounted for to determine the risk level.
Once the level of risk has been determined and documented for various assets, action plans for risk mitigation need to be developed.
The final step in the risk assessment process is to develop a risk assessment register to support management in making appropriate decisions on budget, policies, and procedures. For each threat, the register should describe the corresponding vulnerabilities, the assets at risk, the impact on the IT environment, the likelihood of occurrence, and the control recommendations.
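The steps above (classify the asset, identify threat and vulnerability, analyze controls, assess likelihood and impact, record the result in a register) can be turned into a small, repeatable tool. The following is an added example written for this page, not code from the article or from Moss Adams. It assumes a qualitative three-by-three scoring model (likelihood and impact each rated low/medium/high, risk score = residual likelihood × impact, and each control judged effective during the control analysis lowers residual likelihood by one step); that scoring model, the threshold values, and the sample entries are all constructed assumptions, not figures from the article.

```python
"""Toy IT risk register builder.

Assumed scoring model (an assumption for this example, not from the article):
  - likelihood and impact are each rated low=1, medium=2, high=3
  - impact on the asset is taken from the asset's classification
  - every control judged effective lowers residual likelihood by one step
  - score = residual likelihood x impact; >=6 high, 3..4 medium, else low
"""
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    name: str
    effective: bool  # outcome of the control analysis step


@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    asset: str
    classification: str  # asset classification: low / medium / high
    likelihood: str      # inherent likelihood before controls are considered
    controls: List[Control] = field(default_factory=list)


def residual_likelihood(entry: RiskEntry) -> int:
    """Inherent likelihood reduced by one step per effective control (floor 1)."""
    effective = sum(1 for c in entry.controls if c.effective)
    return max(1, LEVELS[entry.likelihood] - effective)


def impact(entry: RiskEntry) -> int:
    """Impact on the asset is driven by how the asset was classified."""
    return LEVELS[entry.classification]


def risk_score(entry: RiskEntry) -> int:
    return residual_likelihood(entry) * impact(entry)


def risk_level(score: int) -> str:
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def recommendation(entry: RiskEntry, level: str) -> str:
    """Control recommendation for the register row."""
    if not any(c.effective for c in entry.controls):
        return "no effective control: implement one and re-assess"
    if level == "high":
        return "mitigate: action plan with owner and deadline"
    if level == "medium":
        return "plan mitigation within the current budget cycle"
    return "accept and monitor; review at next assessment"


def build_register(entries: List[RiskEntry]) -> List[Dict]:
    """Produce register rows, highest risk first, for management review."""
    rows = []
    for e in entries:
        score = risk_score(e)
        level = risk_level(score)
        rows.append({
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "asset": e.asset,
            "likelihood": residual_likelihood(e),
            "impact": impact(e),
            "score": score,
            "level": level,
            "recommendation": recommendation(e, level),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample entries (hypothetical assets and findings).
SAMPLE_ENTRIES = [
    RiskEntry("ransomware", "unpatched remote-access appliance",
              "remote-access gateway", "high", "high",
              [Control("endpoint antivirus", effective=False)]),
    RiskEntry("credential theft", "password-only login",
              "HR database", "high", "high",
              [Control("multi-factor authentication", True),
               Control("quarterly access reviews", True)]),
    RiskEntry("hardware failure", "single server, no backup",
              "marketing website", "low", "medium"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ENTRIES):
        print(f"{row['level']:6} {row['score']:2}  {row['asset']:22} "
              f"{row['threat']:17} -> {row['recommendation']}")
```

The ordering of the register is the useful output: the entry with a high inherent likelihood and no effective control lands at the top regardless of how many controls are merely present, which is the distinction the control analysis step is meant to surface.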
There are a number of IT-risk register templates and risk-assessment frameworks available including NIST SP 800-39, ISACA Risk IT Framework, and HITRUST Risk Management Framework. Each organization needs to determine the best fit for its needs based on its current enterprise risk management approach.
There are several common pitfalls that could weaken the overall effectiveness of an IT risk assessment.
An IT risk assessment shouldn’t be treated as a stand-alone evaluation, separate from enterprise-wide risk management. Technology plays a key role in achieving an organization’s strategic initiatives, and IT risks should be evaluated with consideration to the business impact and aligned with the organization’s risk appetite. IT decisions and investments made in a vacuum can be counterproductive to business goals.
The second pitfall is performing the assessment once or infrequently.
Given the frequent changes in technology and increased frequency and sophistication of attacks, new threats and exposures should be evaluated annually, at least, or whenever there are major changes made to technology systems and operations.
Some organizations fail to create a clear roadmap and strategy to address findings from the risk assessment. This leads to lack of senior management support and increased exposure as threats remain unmitigated.
To combat this, focus on business reasons for each improvement implementation to help management understand the need for risk mitigation.
Organizations most prepared for risks are those continually evaluating and evolving their approach and strategy. If there are any benefits to be gained from the pandemic, it’s increased awareness of the importance of being prepared for unexpected risks and why compliance isn’t enough to keep organizations secure.
If you have any questions regarding your existing IT risk and compliance program and how to make improvements, please contact your Moss Adams professional.