Best Practices for Information Security Risk Assessments
In an age when businesses are relying more than ever on the rapid advancements in technology to drive innovation, strategy, growth and competitive advantage, it is clear the prevalence of technology is not slowing down. But the increase in new devices and systems that utilize connectivity, as well as the transition to the network of devices and systems that were traditionally air-gapped, brings with it an increased cybersecurity risk.
Organizations large and small are attempting to defend against a constant barrage of potentially damaging cybersecurity attacks and struggling to keep up. Increasingly, they are finding that the best approach is a proactive, risk-based one. By repeatedly conducting risk assessments, a holistic understanding of the organization’s risk landscape can be developed. The gaps identified among people, processes and technology can be used to build a prioritized roadmap for managing and tracking risk over time. Organizations then gain the ability to make informed business decisions and move away from a reactive, whack-a-mole approach to cybersecurity.
Policies and Procedures Are the Foundation
Strong cybersecurity policies and procedures are the foundation of a robust security program. A risk assessor can glean a significant amount of insight into the maturity of an organization’s cybersecurity program simply by reviewing a few key policies and procedures. They reveal the culture of cybersecurity within the organization, its reporting structure and the types of technologies present. They also allow the assessor to drive information discovery efficiently, which is especially important for external assessors or anyone who does not already have an intimate understanding of the organization.
Documentation Is Not Implementation
Having a strong cybersecurity posture on paper does not mean much if it is not implemented. It’s why conducting interviews of personnel is so important in a risk assessment and why the phrase “Trust but verify” is often half-facetiously repeated by cybersecurity professionals.
When seeking to verify through conducting interviews, it’s tempting to simply go down a list of specific and tailored questions, likely from a framework or compliance standard.
Questions like “Does your organization implement a cybersecurity training and awareness program?” are to the point, brief and elicit the information the assessment framework is looking for, but they are not the best way to conduct interviews. Risk assessments are not audits, and a yes/no answer to a question is not nearly as valuable as taking the time to develop a comprehensive understanding. By having a guided cybersecurity conversation rather than simply working through a list of questions, an assessor is able to glean more information about an organization’s risk and develop more valuable findings and recommendations.
Start Broad and Go Narrow
When conducting interviews, start at a 10,000-foot level of the topic being discussed, then use the framework as a general guide to steer the conversation and narrow down to specifics. Risk assessors should first ask