Any organization that uses information technology should conduct cybersecurity risk assessments. Every organization, however, faces a unique set of security risks, and needs to take its own approach to solving them.
A cybersecurity assessment examines your organization’s security controls and how they stack up against known vulnerabilities. Similar to a cyber risk assessment, another part of the risk management process, a cybersecurity assessment considers threat-based approaches to evaluate your organization’s cyber resilience. How effectively can your company respond to a breach, and keep your critical business processes working with little or no interruption?
Regulators and standard-setting bodies recognize that different industries need to take different approaches to guard their information systems. So when performing your cybersecurity assessment, it’s crucial to compare your operations against industry norms (and regulations) that are relevant to you.
The first step: Know your risks
A cyber risk assessment is your first step toward developing a mature cybersecurity program. It shows you the cyber risks you have.
Cyber risk is the likelihood that your organization will suffer disruptions to data, finances, or business operations online. Typically, cyber risks are associated with events that could result in a data breach. Examples include ransomware, data leaks, phishing, malware, insider threats, and cyberattacks.
Cyber risk assessments are defined by the National Institute of Standards and Technology (NIST) as “risk assessments [that] are used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the nation, resulting from the operation and use of information systems.”
The purpose of a cyber risk assessment is to help inform stakeholders and decision-makers about the risks they face, as well as to support proper risk responses. Cyber risk assessments also provide an executive summary to help stakeholders make informed decisions about security.
The type of data most at risk for cyberattacks will vary depending on your industry. Usually it will include personally identifiable information (PII), customer data, employee data, intellectual property, third- and fourth-party vendors, product quality and safety, contract terms and pricing, strategic planning, and financial data.
Without a cyber risk assessment to inform your cybersecurity choices, your organization could waste time, effort, and resources. While it’s important to defend against events that are likely to occur, it’s just as important to avoid preparing for events that are unlikely to occur or won’t have much effect on your organization if they do.
That’s why assessing cyber risk according to industry is critical when determining whether or not your organization is properly prepared to defend against a range of threats.
How do you assess cyber risk by industry?
The first step toward conducting a cyber risk assessment that considers the factors unique to your industry is to comply with the frameworks applicable to your sector. Cyber risk assessments are important not just for cybersecurity, but also for regulatory compliance.
Organizations must comply with the standards set out by the specific frameworks that apply to their industry. Non-compliance can lead to hefty fines and even jail time.
For example, healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA), a law that defines uniform standards for transferring health information among healthcare providers, health plans, and clearinghouses.
Laws such as HIPAA often have requirements regarding cybersecurity, including risk assessments and cyber risk assessments. (HIPAA, for example, has detailed requirements for all of those subjects.)
Two other popular frameworks are the NIST Cybersecurity Framework and the ISO 27000 family of standards.
The NIST Cybersecurity Framework (NIST CSF) was developed in collaboration with the private sector and government agencies, and is most commonly used by businesses in the United States. It is organized around five core functions that cover the essential components of cybersecurity: identify, protect, detect, respond, and recover.
Although NIST CSF’s original intent was to help protect critical infrastructure, many organizations apply the guidelines to their own cybersecurity policies and practices, whether they are critical infrastructure businesses or not.
ISO 27000 is a popular framework among international organizations, and is part of a larger growing family of Information Security Management Systems standards.
Developed by the International Organization for Standardization (ISO), ISO 27000 covers not only an organization’s internal information, but that of third-party vendors as well. ISO 27000 is a living document, continually changing to keep up with new information, and provides ongoing guidance.
Other specialized cybersecurity frameworks include:
- The General Data Protection Regulation (GDPR), an EU law that sets guidelines for the collection and processing of sensitive data from users who live in the European Union.
- The Payment Card Industry Data Security Standard (PCI-DSS), which specifies that all companies that accept, process, store, or transmit credit card information must maintain a secure network environment.
- The Family Educational Rights and Privacy Act (FERPA), a federal law that protects the privacy of student education records.
Each framework is designed as a set of guidelines that businesses within specific industries must follow to be compliant.
The depth and scope of your cyber risk assessment process will depend on which regulatory frameworks your organization needs to comply with. (And it’s quite possible that you will need to comply with more than one.)
While each industry has different compliance requirements, the fundamentals remain the same. Follow these key guidelines when performing a cyber risk assessment:
- Determine information value. It’s best to limit your scope to the most business-critical assets, so spend time defining a standard for determining the importance of each asset. Include asset value, legal standing, and business importance; and then classify each asset as critical, major, or minor.
- Identify and prioritize assets. To determine the scope of the assessment, identify assets and prioritize which assets to assess first. Not all assets have the same value, so you will need to create a list of your most valuable assets and gather the following information:
  - Software
  - Hardware
  - Data
  - Interface
  - End-users
  - Support personnel
  - Purpose
  - Criticality
  - Function requirements
  - IT security policies
  - IT security posture
  - IT security architecture
  - Network topology
  - Information storage protection
  - Information flow
  - Technical security controls
  - Physical security controls
  - Environmental security
- Identify cyber threats. A cyber threat is any event or actor that can exploit a vulnerability to breach security, cause harm, or steal data from your organization. Identify threats such as hackers, malware, and other IT security risks, but also consider natural disasters, system failures, human error, adversarial threats, unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service disruption.
- Identify vulnerabilities. After you’ve identified the threats facing your organization, you’ll need to assess their impact. A vulnerability is a weakness that a threat can exploit. Vulnerabilities are identified through vulnerability assessments, audit reports, the NIST National Vulnerability Database (NVD), vendor data, incident response teams, and software security analysis. Vulnerabilities can be both software-based and physical; how you reduce organizational vulnerabilities will depend on the type.
- Analyze controls and implement new controls. Controls can be implemented through technical means including hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, or continuous data leak detection. They can also be implemented through nontechnical means such as security policies or physical mechanisms like locks or keycard access. Controls should be classified as preventative or detective.
  - Preventative controls attempt to stop attacks before they succeed; examples include encryption, antivirus, and continuous security monitoring.
  - Detective controls try to discover that an attack has occurred; an example is continuous exposure detection.
- Calculate the likelihood and impact of various scenarios on a per-year basis. Identify the chances of each cyber risk occurring, and the potential impact if the risk does occur. Revisit those calculations annually, taking into account new lines of business, operating systems, security threats, and so forth.
- Prioritize risks based on the cost of prevention versus information value. Determine actions for senior management or other stakeholders for risk mitigation using risk level:
  - High: corrective measures to be developed as quickly as possible
  - Medium: corrective measures developed within a reasonable time period
  - Low: decide whether to accept the risk or mitigate
- Document results from risk assessment reports. A risk assessment report will help managers make decisions about budget, policies, and procedures. For each identified threat, the report should describe risk, vulnerabilities, and value, along with the impact and likelihood of occurrence, and control recommendations.
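The scoring, prioritization, and reporting steps above can be carried out with a small risk register. The following is an added, self-contained example and not ZenGRC's or Reciprocity's code. It assumes the common quantitative model, which the page itself does not spell out: single loss expectancy (SLE) is asset value times exposure factor, and annualized loss expectancy (ALE) is SLE times the expected number of events per year. The scenarios, monetary values, High/Medium thresholds, and control costs are all constructed sample data, and the "cost of prevention versus information value" comparison is implemented as avoided annual loss minus annual control cost.

```python
"""Worked risk-register example for the assessment steps above.

Added illustration, not Reciprocity/ZenGRC code. Assumes (not stated on the page)
the common quantitative model: SLE = asset value x exposure factor, and
ALE = SLE x annualized rate of occurrence. All figures below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    """One threat/vulnerability pairing against a valued asset."""
    name: str
    asset: str
    asset_value: float      # value assigned during the information-value step
    exposure_factor: float  # share of asset value lost per successful event (0..1)
    annual_rate: float      # expected events per year (likelihood)
    control: str            # proposed preventative or detective control
    control_cost: float     # annual cost of operating the control
    residual_rate: float    # expected events per year once the control is in place

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.annual_rate

    def residual_ale(self) -> float:
        return self.sle() * self.residual_rate

    def net_benefit(self) -> float:
        """Loss avoided per year minus what the control costs (cost of prevention vs. value)."""
        return self.ale() - self.residual_ale() - self.control_cost


def risk_level(ale: float, high: float, medium: float) -> str:
    """Bucket a scenario by annual expected loss; thresholds are set per organization."""
    if ale >= high:
        return "High"
    if ale >= medium:
        return "Medium"
    return "Low"


def recommendation(level: str, net_benefit: float) -> str:
    """Map the High/Medium/Low guidance to an action; cost vs. value decides Low."""
    if level == "High":
        return "develop corrective measures as quickly as possible"
    if level == "Medium":
        return "develop corrective measures within a reasonable time period"
    return "mitigate (control pays for itself)" if net_benefit > 0 else "accept the risk"


def build_register(scenarios, high=100_000.0, medium=10_000.0):
    """Return report rows sorted by ALE, highest first: the prioritized risk register."""
    rows = []
    for s in scenarios:
        level = risk_level(s.ale(), high, medium)
        rows.append({
            "scenario": s.name,
            "asset": s.asset,
            "sle": round(s.sle(), 2),
            "ale": round(s.ale(), 2),
            "level": level,
            "control": s.control,
            "net_benefit": round(s.net_benefit(), 2),
            "action": recommendation(level, s.net_benefit()),
        })
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed sample scenarios (hypothetical figures, not real assessment data).
SAMPLE_SCENARIOS = [
    Scenario("Phishing leads to credential theft", "Staff email and SSO accounts",
             500_000, 0.3, 1.0, "Phishing-resistant MFA", 20_000, 0.2),
    Scenario("Ransomware encrypts patient records", "Patient records database",
             2_000_000, 0.5, 0.2, "Offline backups plus endpoint detection", 60_000, 0.05),
    Scenario("Theft of lobby check-in workstation", "Lobby workstation",
             5_000, 1.0, 0.1, "Cable locks and full-disk encryption", 2_000, 0.02),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_SCENARIOS):
        print(f"{row['level']:6} ALE ${row['ale']:>12,.2f}  {row['scenario']}: {row['action']}")
```

With the sample data, the two High scenarios land at the top of the register, and the workstation theft is rated Low with a negative net benefit, so the register recommends accepting it rather than paying more for the control than the expected annual loss. Rerunning the same register each year with updated rates and values is the annual revisit the process calls for.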
This process will ultimately help you understand your IT infrastructure, what your most valuable data is, and how you can better operate and secure your business.
Managing your risk assessments
Create a risk assessment policy that defines what your organization must do periodically, how risk should be addressed and mitigated, and how your organization should carry out subsequent IT infrastructure risk assessments.
Ideally, a dedicated in-house team will process your risk assessments. Depending on your industry and the size of your organization, however, assembling a complete risk assessment team may be difficult.
Larger organizations may have their internal IT teams lead the effort, but businesses that lack an IT department might need to outsource the task to a firm that specializes in IT risk assessment.
No matter the size of your organization or your industry, GRC software can help.
Schedule a demo with ZenGRC today.
Whether your organization has its own IT team to conduct a cyber risk assessment, or it outsources the task to an IT risk assessment company, ZenGRC can help make the process easier for you.
ZenGRC from Reciprocity is a governance, risk, and compliance platform that can help your organization implement, manage, and monitor your cyber risk management framework as well as remediation tasks.
Helping you prioritize tasks so that everyone knows what to do and when to do it, ZenGRC includes user-friendly dashboards that make it easy to review “to do” and “completed” tasks.
ZenGRC’s “single source of truth” audit-trail document repository also lets you quickly access the evidence you need when audit time rolls around, including data confidentiality, integrity, and availability as required by law.
ZenGRC is also equipped to help your organization streamline management for the entire lifecycle of all your relevant cybersecurity risk management frameworks including PCI-DSS, HIPAA, and more.
Contact us today for a free consultation and demo to get started on the path to worry-free cyber risk management, the Zen way.