Any organization that uses information technology should conduct cybersecurity risk assessments. That said, every organization faces its own unique set of security risks, and needs to take its own unique approach to solve them.
A cybersecurity assessment examines your organization’s security controls stacked against known vulnerabilities. The overall goal is to evaluate and understand your organization’s cyber resilience. For example, how effectively can your company respond to a breach and keep your critical business processes working with little or no interruption?
Regulators and standard-setting bodies recognize that different industries must take different approaches to guard their information systems. So when performing your cybersecurity assessment, it’s crucial to compare your operations against industry norms (and regulations) relevant to you.
What is a Cyber Risk Assessment?
A cyber risk assessment is your first step toward developing a mature cybersecurity program. It shows you the cyber risks you have.
Cyber risk is the likelihood that your organization will suffer disruptions to data, finances, or business operations online. Usually cyber risks are associated with events that could result in a data breach. Examples include ransomware, data leaks, phishing, malware, insider threats, and cyberattacks.
Cyber risk assessments are defined by the National Institute of Standards and Technology (NIST) as risk assessments “used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations… resulting from the operation and use of information systems.”
The purpose of a cyber risk assessment is to help inform stakeholders and decision-makers about the risks they face and support proper risk responses. Cyber risk assessments also provide an executive summary to help stakeholders make informed security decisions.
Why is a Cybersecurity Risk Assessment Important?
The types of data most at risk for cyberattacks vary depending on your industry. The data targeted most often includes personally identifiable information (PII), customer data, employee data, intellectual property, lists of third- and fourth-party vendors, product quality and safety data, contract terms and pricing, strategic planning, and financial data.
Without a cyber risk assessment to inform your cybersecurity choices, your organization could waste time, effort, and resources protecting the wrong things. While it’s essential to defend against events that are likely to occur, it’s just as important to avoid preparing for events that are unlikely to occur or won’t cause much harm to your organization if they do.
How Do You Assess Cyber Risk by Industry?
To conduct a cyber risk assessment that considers the factors unique to your industry, start by complying with the frameworks applicable to your sector.
For example, healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA). This law defines uniform standards for transferring health information among healthcare providers, health plans, and clearinghouses. Laws such as HIPAA often include cybersecurity requirements, among them a periodic risk assessment. (HIPAA, for example, spells out detailed requirements for every organization subject to it.)
Two other popular frameworks are the NIST Cybersecurity Framework and the ISO 27000 standards.
The NIST Cybersecurity Framework (NIST CSF) was developed in collaboration with the private sector and government agencies, and is most commonly used by businesses in the United States. It addresses the essential components of cybersecurity: identification, protection, detection, response, and recovery.
Although NIST CSF’s original intent was to help protect critical infrastructure, many organizations apply the guidelines to their cybersecurity policies and practices, whether they are critical infrastructure businesses or not.
ISO 27000 is a popular framework among international organizations and is part of a larger family of Information Security Management Systems standards.
Developed by the International Organization for Standardization (ISO), ISO 27000 covers an organization’s internal information and that of third-party vendors. ISO 27000 is a living document, continually changing to keep up with new information, and provides ongoing guidance.
Other specialized cybersecurity frameworks include:
- The General Data Protection Regulation (GDPR), an EU law that sets guidelines for collecting and processing sensitive data from users who live in the European Union.
- The Payment Card Industry Data Security Standard (PCI-DSS), which specifies that all companies that accept, process, store, or transmit credit card information must maintain a secure network environment.
- The Family Educational Rights and Privacy Act (FERPA), a U.S. federal law that protects the privacy of student education records.
Each framework is designed as a set of guidelines that businesses within specific industries must follow to comply.
The depth and scope of your cyber risk assessment will depend on which regulatory frameworks your organization needs to comply with. You may need to comply with more than one.
How to Get Started
While each industry has different compliance requirements, the fundamentals remain the same. Follow these essential guidelines when performing a cyber risk assessment:
- Determine information value. It’s best to limit your scope to the most business-critical assets, so spend time defining a standard for determining the importance of each asset. Include asset value, legal standing, and business importance, and then classify each asset as critical, major, or minor.
- Identify and prioritize assets. To determine the scope of the assessment, identify assets and prioritize which ones to assess first. Not all assets have the same value, so you will need to create a list of your most valuable assets and gather the following information for each:
  - Support personnel
  - Functional requirements
  - IT security policies
  - IT security posture
  - IT security architecture
  - Network topology
  - Information storage protection
  - Information flow
  - Technical security controls
  - Physical security controls
  - Environmental security
- Identify cyber threats. A cyber threat is any actor or event that could exploit a weakness in your environment to breach security, harm your organization, or steal its data. A cybersecurity risk analysis identifies hazards such as hackers, malware, and other IT security risks; it also considers natural disasters, system failures, human error, adversarial threats, unauthorized access, misuse of information by authorized users, data leaks, loss of data, and service disruption.
- Identify vulnerabilities. A vulnerability is a weakness that a threat can exploit; once you know which threats apply to your organization, determine which weaknesses would let them do harm. Vulnerabilities are identified through a vulnerability assessment, audit reports, the NIST National Vulnerability Database (NVD), vendor data, incident response teams, and software security analysis. Vulnerabilities can be software-based or physical, and how you reduce them depends on the type.
- Analyze controls and implement new rules. You can implement controls through technical means, including hardware or software, encryption, intrusion detection mechanisms, two-factor authentication, automatic updates, or continuous data leak detection. They can also be implemented through nontechnical means such as security policies, or physical tools like locks or keycard access. Controls can be preventative or detective.
  - Preventative controls attempt to stop attacks, for example through encryption, antivirus, or continuous security monitoring.
  - Detective controls try to discover when an attack has occurred, for example through continuous exposure detection.
- Calculate the likelihood and impact of various scenarios on a per-year basis. Identify the chances of each cyber risk occurring and the potential harm (ideally in financial terms) if the risk does occur. Measure those risks annually, considering new lines of business, operating systems, security threats, and so forth.
- Prioritize risks based on the cost of prevention versus information value. Determine the risk mitigation steps that senior management or other stakeholders will need to take, depending on risk level:
  - High: corrective measures to be developed as quickly as possible
  - Medium: corrective measures developed within a reasonable period
  - Low: decide whether to accept the risk or mitigate it
- Document results from risk assessment reports. A risk assessment report will help managers decide on budgets, policies, and procedures. For each identified threat, the information should describe risk, vulnerabilities, and value, along with the impact and likelihood of occurrence and control recommendations.
This process will help you understand your IT infrastructure, your most valuable data, and how you can better operate and secure your business.
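The likelihood-and-impact, prioritization and reporting steps above can be carried through in a small quantitative risk register. The example below is added here and is not code from the original article or from Reciprocity/ZenRisk; the tier thresholds and the four sample scenarios are constructed assumptions, and the "likelihood times financial impact per year" scoring is one common way to realize the per-year, financial-terms measure the text describes.

```python
"""Risk register that scores scenarios per year in financial terms, ranks them
into the High/Medium/Low tiers, and weighs prevention cost against exposure.
Added example; thresholds and scenarios are constructed, not from the page."""
from dataclasses import dataclass

# Assumed tier thresholds on expected annual loss (USD); tune per organization.
HIGH_THRESHOLD = 100_000
MEDIUM_THRESHOLD = 10_000


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset: str
    likelihood_per_year: float      # probability the event occurs in a year (0-1)
    impact_usd: float               # financial harm if it occurs once
    annual_control_cost_usd: float  # yearly cost of the control that prevents it


def expected_annual_loss(r: RiskScenario) -> float:
    """Per-year financial exposure: likelihood multiplied by impact."""
    return r.likelihood_per_year * r.impact_usd


def tier(eal: float) -> str:
    """Map expected annual loss onto the High/Medium/Low levels used above."""
    if eal >= HIGH_THRESHOLD:
        return "High"
    return "Medium" if eal >= MEDIUM_THRESHOLD else "Low"


def recommendation(r: RiskScenario) -> str:
    """High and Medium risks get corrective measures; for Low risks, mitigate
    only when the control costs less per year than the loss it averts."""
    eal = expected_annual_loss(r)
    level = tier(eal)
    if level == "High":
        return "mitigate: corrective measures as quickly as possible"
    if level == "Medium":
        return "mitigate: corrective measures within a reasonable period"
    return "mitigate" if r.annual_control_cost_usd < eal else "accept"


def build_register(scenarios: list[RiskScenario]) -> list[dict]:
    """Rows for the risk assessment report, highest exposure first."""
    rows = []
    for r in scenarios:
        eal = expected_annual_loss(r)
        rows.append({"risk": r.name, "asset": r.asset, "likelihood": r.likelihood_per_year,
                     "impact_usd": r.impact_usd, "expected_annual_loss_usd": eal,
                     "tier": tier(eal), "recommendation": recommendation(r)})
    return sorted(rows, key=lambda row: row["expected_annual_loss_usd"], reverse=True)


# Constructed sample scenarios (not figures from the article).
SAMPLE_SCENARIOS = [
    RiskScenario("Ransomware on file servers", "customer records", 0.30, 500_000, 40_000),
    RiskScenario("Phishing-led credential theft", "email accounts", 0.60, 40_000, 8_000),
    RiskScenario("Laptop loss without disk encryption", "employee PII", 0.20, 30_000, 2_000),
    RiskScenario("Data centre flood", "on-prem ERP", 0.01, 200_000, 50_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_SCENARIOS):
        print(f"{row['tier']:6} {row['expected_annual_loss_usd']:>10,.0f}  "
              f"{row['risk']} -> {row['recommendation']}")
```

With the sample figures the register ranks ransomware as High, phishing as Medium, and the two remaining scenarios as Low, recommending the cheap laptop encryption control and accepting the flood risk whose control costs far more than its expected annual loss.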
Managing Your Risk Assessments
Even fairly small businesses could find that they need to perform multiple risk assessments, guided by multiple security frameworks. To avoid “assessment overload,” create a risk assessment policy that defines what your organization must do periodically, how risk should be addressed and mitigated, and how the organization should carry out subsequent IT infrastructure risk assessments.
Ideally a dedicated in-house team will process your security risk assessments, but assembling a complete risk assessment team may be difficult depending on your industry and the size of your organization. Larger organizations may have their internal IT teams lead the effort. Businesses that lack an IT department might need to outsource the task to a firm specializing in IT risk assessment.
No matter the size of your organization or your industry, risk management software can help.
Schedule a Demo With ZenRisk Today.
Whether your organization has its own IT team to conduct a cyber risk assessment or outsources the task to an IT risk assessment company, ZenRisk can help make the process easier for you.
ZenRisk from Reciprocity is a governance, risk, and compliance platform that can help your organization implement, manage, and monitor your cyber risk management framework and remediation tasks.
Helping you prioritize tasks so that everyone knows what to do and when to do it, ZenRisk includes user-friendly dashboards that make it easy to review “to do” and “completed” tasks.
ZenRisk’s “single source of truth” audit trail document repository lets you quickly access the evidence you need when audit time rolls around, including data confidentiality, integrity, and availability as required by law.
ZenRisk is also equipped to help your organization streamline management for the entire lifecycle of all your relevant cybersecurity risk management frameworks, including the Payment Card Industry Data Security Standard (PCI-DSS), HIPAA, and more.
Try it free and get started on the path to worry-free cyber risk management, the Zen way.