By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance
In the first article of this series, I described the role of maturity assessment as a part of a robust security program. Following a maturity assessment, which defines how capably management wants a program to operate, a security assessment identifies the risks to organizational assets based on particular threats and vulnerabilities. This assessment serves to determine the probability of a threat being realized, evaluates the current controls, and calculates the residual risk that still exists in spite of those controls. Security assessments are a subset of an organization's overall risk management practice.
Following a maturity assessment, which defines management's desires and expectations, and a gap assessment, which communicates the differences between an organization's current and desired security posture, a security assessment helps establish security governance. It provides an independent check on information technology staff, increases awareness of security risks and threats, prioritizes IT spending for the purpose of risk mitigation, and provides the basis for comparative year-over-year analysis of an organization's security program.
At this point, it may be surprising that penetration testing is separate from the security assessment phase of developing a strong cybersecurity policy. The security assessment is a preliminary step that ideally occurs before a penetration test, because the likelihood of threats and risks is established at this stage. The estimation of impact, the calculation of residual risk, and the identification of mitigation activities also occur during the security assessment; a penetration test then verifies, against live systems, whether the controls assumed in that calculation actually hold.
The first step in a security risk assessment is to identify and prioritize assets. Cybersecurity resources should be devoted to the assets whose compromise would cause the most damage to the organization. Examples include intellectual property, customer lists, servers, applications, and physical locations.
The second step is to identify potential threats to those assets. A threat is simply an undesirable event aimed at an asset or group of assets that could result in loss, improper disclosure, or damage. Denial of service, malicious code, and disclosure or exfiltration of data are examples of cybersecurity threats; fraud, errors, and sabotage are additional threats to a company's IT assets that are often physical or human rather than technical in origin.
A threat to an organization only succeeds if a vulnerability is exploited, either because of a flaw in an existing control or because no control was implemented. With this in mind, it should be noted that threats do not cease to exist when faced with strong cybersecurity protocols. The threats of our technological world do not necessarily diminish, but an organization's ability to cope with them and reduce risk increases as its security posture strengthens.
Vulnerabilities, like controls, can be administrative, physical, or technical in nature. Administrative vulnerabilities are design flaws in policies or procedures. Physical vulnerabilities are deficiencies in personnel, location, or utilities, and include gaps in awareness training, missing background checks, or the lack of backup power, among others. Technical vulnerabilities are weaknesses in logical controls, such as flaws in application or operating system code, or weak password and configuration settings.
Risk is the potential loss to assets that results if a threat succeeds. This is the core concept of any security program, the crux upon which all security activities and goals rest. Controls, also known as safeguards, are the activities and techniques an organization employs to reduce risk. The relationship between risk and controls will be covered further in the third article of this series.
To complete a security assessment, an assessor conducts interviews with relevant stakeholders. As threats, risks, and their impacts become more complex, it is important that the assessor collects information from beyond the IT department; everyone has a role to play in effective cybersecurity practices. Documentation of an organization's administrative, physical, and technical controls is essential to developing an understanding of potential risks and threats and their impact on the organization. Remember that identifying possible consequences is especially difficult because the risks are multi-faceted and may include damage to an organization's finances, reputation, compliance standing, and operations.
Frameworks typically leveraged for a security risk assessment include the National Institute of Standards and Technology's Special Publication 800-30, Guide for Conducting Risk Assessments; the International Organization for Standardization's ISO/IEC 27001 and 27002; and ASIS International's General Security Risk Assessment Guideline.
The above resources provide guidance for many parts of the security risk assessment process, including the calculation of risk. Calculating risk is usually a hybrid of quantitative and qualitative measures. Quantitative measures are more desirable because of their objectivity, but in practice risk is usually presented both in quantifiable terms, such as dollars lost, and as qualitative high, medium, and low ratings. Residual risk is the risk that remains after the implemented controls have been applied to the inherent risk: it is low when sufficient controls are in place and high when controls are insufficient or absent.
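As an added example (this code is not from the original article, nor from NIST, ISO or ASIS), the following Python script shows one way to carry out the calculation described above: a small risk register that scores likelihood and impact on an assumed 1 to 5 scale, applies the implemented controls to obtain residual risk, bands the result into the high, medium and low ratings the text mentions, and states the same risk in dollars as an annualized loss expectancy. The scoring scale, the band thresholds, the control-effectiveness figures, the assumption that controls act independently, and the register entries themselves are constructed assumptions for illustration, not figures taken from any of the frameworks named above.

```python
"""Worked risk-register calculation: inherent risk, residual risk after
controls, qualitative banding, and dollar (annualized loss) figures.

All scales, thresholds and sample entries below are assumptions made for
this example; they are not prescribed by NIST SP 800-30, ISO/IEC 27001/2
or the ASIS guideline."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    # Assumed fraction (0.0..1.0) by which the control reduces the
    # likelihood of the threat succeeding. 0.0 = no effect, 1.0 = eliminates it.
    effectiveness: float


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int            # assumed 1 (rare) .. 5 (almost certain)
    impact: int                # assumed 1 (negligible) .. 5 (severe)
    single_loss_usd: float     # estimated loss per successful event
    annual_rate: float         # expected events per year with no controls
    controls: List[Control] = field(default_factory=list)


def inherent_score(item: RiskItem) -> int:
    """Inherent risk before controls: likelihood x impact on a 1..25 scale."""
    for v in (item.likelihood, item.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on the 1..5 scale")
    return item.likelihood * item.impact


def control_factor(controls: List[Control]) -> float:
    """Residual fraction of likelihood left after the controls.
    Controls are assumed independent, so the factors multiply."""
    factor = 1.0
    for c in controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"control {c.name!r} has effectiveness outside 0..1")
        factor *= 1.0 - c.effectiveness
    return factor


def residual_score(item: RiskItem) -> float:
    """Residual risk: inherent score scaled by what the controls leave behind."""
    return inherent_score(item) * control_factor(item.controls)


def qualitative(score: float) -> str:
    """Assumed banding of the 1..25 scale into the report's three ratings."""
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def inherent_ale(item: RiskItem) -> float:
    """Annualized loss expectancy with no controls: loss per event x events/year."""
    return item.single_loss_usd * item.annual_rate


def residual_ale(item: RiskItem) -> float:
    """Annualized loss expectancy after controls reduce the event rate."""
    return inherent_ale(item) * control_factor(item.controls)


def build_register(items: List[RiskItem]) -> List[Dict]:
    """Score every item and return rows sorted so the largest residual risk
    is first. 'uncontrolled' flags the case from the text where no control
    was implemented at all."""
    rows = []
    for it in items:
        rows.append({
            "asset": it.asset,
            "threat": it.threat,
            "vulnerability": it.vulnerability,
            "inherent_score": inherent_score(it),
            "residual_score": residual_score(it),
            "rating": qualitative(residual_score(it)),
            "inherent_ale_usd": inherent_ale(it),
            "residual_ale_usd": residual_ale(it),
            "uncontrolled": not it.controls,
        })
    rows.sort(key=lambda r: r["residual_score"], reverse=True)
    return rows


# Constructed sample register (values are illustrative assumptions).
SAMPLE_REGISTER = [
    RiskItem("Customer database", "Data exfiltration", "SQL injection in web app",
             likelihood=4, impact=5, single_loss_usd=500_000.0, annual_rate=0.5,
             controls=[Control("Web application firewall", 0.5),
                       Control("Least-privilege DB account", 0.4)]),
    RiskItem("Server room", "Power outage", "No backup power",
             likelihood=3, impact=3, single_loss_usd=20_000.0, annual_rate=2.0),
    RiskItem("Product design files", "Insider sabotage", "No background checks",
             likelihood=2, impact=5, single_loss_usd=1_000_000.0, annual_rate=0.1,
             controls=[Control("Pre-employment background checks", 0.3),
                       Control("File access logging and review", 0.2)]),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_REGISTER):
        print(f"{row['asset']:<22} {row['rating']:<6} residual={row['residual_score']:.1f} "
              f"ALE=${row['residual_ale_usd']:,.0f} uncontrolled={row['uncontrolled']}")
```

Sorting by residual rather than inherent score is deliberate: the uncontrolled power-outage item ends up at the top of the register even though the data-exfiltration item has the larger inherent score, which is exactly the prioritization signal the report is meant to give.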
An assessor will document all the threats, vulnerabilities, and risks identified during the review in a report. The report will also include the assessment of each risk's likelihood and impact, consideration of the existing controls, and recommendations for improved security and risk mitigation. A security risk assessment helps establish security governance, provides an independent check on IT staff, and increases awareness of security risks and threats. Combining the maturity assessment and the security risk assessment allows an organization to prioritize IT spending by investing in safeguards that both improve the capability of key areas and reduce the greatest risks to the organization.
Unlike a maturity assessment, the results of a security assessment are primarily qualitative, even where dollar estimates are included. In addition to a comprehensive report and supporting evidentiary records, it is at this stage that a security assessor provides an organization with recommendations for improved security, strengthened controls, mitigation activities, and the resolution of problems identified during the gap assessment.
In my next article, I will describe a third component of developing a strong cybersecurity protocol: security auditing. Security auditing moves beyond the results of a security assessment to improve upon the existing mitigating controls and to conclude on their effectiveness over a particular period of time.