Learn about the main steps for conducting a risk assessment for protecting your data and staying compliant
To conduct an effective risk assessment, it is necessary to choose a methodology that is tailored to the needs of your organization. We already discussed and compared the most frequently used risk assessment methodologies in our previous article. These, among others, include ISO 27005, NIST 800-30, and OCTAVE. Choosing the most appropriate one for your company may be a complicated decision. Furthermore, no one methodology can guarantee the identification of all risks or ensure compliance.
Some basic parameters to help organizations determine an effective framework were outlined by ENISA (the European Union Agency for Network and Information Security). The parameters mentioned below are common for all organizations. Thus, when choosing a risk assessment methodology, organizations should take into consideration the following:
The above approach helps organizations clarify and gain a common understanding of the organizational objectives. It also includes identifying the internal environment (business drivers, stakeholders, structure and culture, assets ) in which these objectives are set. Furthermore, the appropriate methodology helps develop a set of risk measurement criteria and define key elements for structuring the risk assessment process. Understanding these factors is the cornerstone for conducting an effective risk assessment.
Most risk assessment methodologies define similar steps to be followed in the scope of the process. This article decompiles the approach outlined in NIST SP 800-30 which provides general guidelines for conducting the risk assessment. The process steps provided in NIST 800-30 are similar to those seen in other methodologies.
The main objective of the step is to establish a scope for the risk assessment (p. 24). It involves the identification of potential threats to the confidentiality, availability, and integrity of sensitive data. This includes data in all forms of electronic and physical media such as computer storage, devices, removable storage, applications, internal and external data transmission lines, and paper records. To establish a scope successfully, organizations should identify the purpose, assumptions, and constraints of the risk assessment. It is also recommended to define what sources of information to use as well as what risk models and approaches to employ. This basic step is essential for starting the risk assessment.
The most challenging and important step in the whole process is the execution. It aims to produce a list of identified security risks that require management actions. To achieve this, organizations should accomplish a set of tasks that, among others, include gathering data, analyzing threats and vulnerabilities, evaluating impacts and likelihood, defining possible uncertainties associated with the risk assessment process. These and other tasks are detailly discussed below:
Once all preparation steps are completed, organizations are recommended to gather data and, above all, identify where sensitive data is stored and processed. Among the most common techniques for gathering data are reviewing past and existing projects; examining documentation; and performing interviews.
Efforts and commitments required for the data gathering process are directly related to the organization’s size and complexity. For instance, organizations that process relatively small amounts of data may perform data gathering by analyzing a single department or location. In contrast, those that operate large amounts of data generally require reviews of multiple (if not all) departments and physical locations, various information systems, and portable electronic media. Therefore, the data gathering techniques vary depending on the organization’s scope and background but this step is considered to be the linchpin of the entire risk assessment process.
The process of gathering data provides a stable background for identifying potential threats and vulnerabilities as the main factors of data security risk. Thus, threat identification is based on creating a categorized list (natural, human, or environmental threats) and identifying those common to the circumstances of the environment in the scope. Thereafter, the complete list should be reduced to the reasonably anticipated threats.
For example, natural threats may be generally determined by geographic location. When considering natural threats, many organizations located on the US coastal areas would define hurricanes as the reasonably anticipated threats. However, organizations in Kansas or Colorado, located in the heart of the mainland, are not exposed to hurricanes. Instead, they would consider the likelihood of a tornado a reasonably anticipated threat.
Human threats arise more frequently than natural or environmental ones and include intentional or unintentional actions that lead to password attacks, social engineering, malware or spyware, Denial of Service, user errors, etc. Anyone who has access, motivation, or knowledge to cause an adverse impact is a threat actor. Among the main threat actors are employees, ex-employees, hackers, commercial rivals, the general public, visitors, customers, and vendors.
Identifying environmental threats occurs in a similar way. These include, but are not limited to, power and equipment failures, natural disasters, fires, water damage, flooding. Identifying threats is critical for the assessment but a comprehensive picture of risks may only be obtained when threats are outlined in combination with vulnerabilities.
To identify vulnerabilities, organizations should use a similar approach used for defining threats. Organizations should create a list of technical and non-technical vulnerabilities, associated with specific threats. Such vulnerabilities may come from knowledge about the organization’s systems and processes, audit reports, vulnerability scans, security testing results, and other sources. Vulnerabilities may also be presented as a lack of control. For example, the lack of anti-malware protection is a vulnerability that exposes the organization to malware attacks.
One more specific task is determining the likelihood of the threat occurrence and the resulting impact. The term “likelihood of occurrence” means the probability that a specific vulnerability will be triggered or exploited by a threat, or, simply, the probability of risk. To perform this, organizations should consider each combination of a threat and vulnerability and rate them by the likelihood that this combination would occur. Likelihood can be expressed as high, medium, and low:
An effective risk assessment requires determining the potential adverse impacts to organizational operations, assets, and individuals in the case when the risk would occur. This, in fact, may have multiple negative outcomes for the organization. Among others, these involve unauthorized access to or disclosure of data; loss or corruption of valuable information; loss of physical assets or cash flows.
All risk assessment methodologies anticipate measuring the impact of potential outcomes that help organizations prioritize risk mitigation activities. The impacts from threat occurrence can be tangible (e.g. resource cost) or intangible (e.g. loss of public confidence or loss of credibility). Measuring the impact of a threat occurring is generally exercised with the help of qualitative and quantitative methods.
Since there is no single correct method, the advantages, and disadvantages of both should be considered. In measuring the impact of the risk, organizations are encouraged to use either of two methods or a combination of both.
When all steps of conducting the risk assessment are completed, organizations are ready to communicate the assessment results. The main aim of this step is to ensure that the organizations gather all information necessary to make informed risk decisions. Communicating and sharing risk-related information usually occurs through accomplishing several tasks. The most commonly used are issuing executive briefings, risk assessment reports, or dashboards. Organizations are free to choose the tone of communication depending on their corporate structure and culture.
To ensure an effective risk management process, the risk assessment process must be maintained. To make the risk assessment helpful for the business decision-making process in guiding risk responses, organizations should keep the specific knowledge of the risk incurred. Maintaining risk assessment requires monitoring identified risks on an ongoing basis; updating the components of risk assessments; incorporating changes detected through risk monitoring. Risk monitoring provides organizations with the essential means for determining the effectiveness of the risk management process.
The suggested process for conducting risk assessments may be modified pertaining to the organizational people, processes, and technologies. However, the steps outlined in this article are common for most risk assessment methodologies.
What to learn more about risk assessments? Read our previous article on this topic.
If you need any help with a risk assessment process or other information security and compliance services, we’ll be happy to assist: