Conducting a Security Risk Assessment
A Security Risk Assessment is an ongoing process of discovering, addressing and preventing an organization’s security problems. With the digitization of businesses and the standardization of cloud computing, a Security Risk Assessment is a must for businesses today. This amplifies the role that IT departments and IT vendors play in successfully assessing and mitigating an organization’s risks. For new companies, a Risk Assessment is often what spurs organizations to invest in IT management. As an organization, it is essential that your Risk Assessment unearths existing security weaknesses, as the assessment tends to serve as the road map to the development or update of your IT environment. At Alpen Technology Group, our Security Risk Assessments are broken into three main buckets that help you protect what is most important: Risk Assessment, Risk Mitigation, and Evaluation.
Security Requirements & Objectives
The first step in the risk assessment is to establish what level of security your organization is looking to maintain. Depending on the industry you work in and the services you provide, there might be a baseline level of security required to do business. For example, a hospital, a business that works with Protected Health Information (PHI), will require a different level of security than a manufacturing plant. Once the security level has been decided, you need to take inventory and document your organization’s security infrastructure. Your organization’s infrastructure is made up of your IT environment, office infrastructure, and security policies. Documentation will include items such as network diagrams, floor plans, building security, hardware inventory, security systems documentation, etc.
The next step in the risk assessment is to lay out the requirements of the security level your organization wishes to maintain in order to unearth the vulnerabilities in your existing infrastructure. A checklist made up of yes or no questions and short answer questions is the best way to lay out the items that need to be covered to maintain the required level of security. This checklist should cover both physical and digital security, as vulnerabilities in both physical and digital infrastructures create risk. Is an ID required to access the building? Do non-employees ever access the network? Is there a backup power source in place? Armed with the documentation collected in Step 1, questions like these seek to unearth vulnerabilities and the risks associated with them.
Once vulnerabilities have been unearthed, the next step is conducting an impact analysis. An impact analysis is used to measure how expensive and/or harmful an exploited vulnerability would be. Depending on the size of the organization and the nature of its services, the impact of vulnerabilities varies. For a company that holds millions in inventory, physical vulnerabilities would likely have a larger impact than for an online-based company with its information and services stored in the cloud. While the result of an exploited vulnerability could vary from breaches in confidentiality to a direct loss of assets, quantifying impact is essential. Knowing the impact of an exploited vulnerability helps you understand which areas of security need the most attention.
Course of action
After discovering your organization’s vulnerabilities and their potential impact, the next step is deciding how to respond. There are ultimately three options:
Risk assumption: If the impact analysis reveals a low-risk vulnerability and a cost-benefit analysis does not support allocating the resources to address the risk, assuming the risk, that is, deciding not to address it, is a reasonable option.
Risk avoidance: In an instance where the vulnerability lies within a system or process that is not an essential piece of the organization, the risk can be avoided by shutting down or discontinuing it.
Addressing vulnerabilities: More often than not, your business will have to take actions to address these vulnerabilities in order to maintain the desired security standard.
Once decisions have been made to minimize risk, you will need to deploy a mitigation strategy. A good strategy often requires involving the whole organization. Addressing physical vulnerabilities requires the facilities department to be involved. HR will need to update policies and educate employees as necessary. For digital vulnerabilities, the IT department or, if none exists, an IT vendor will need to spearhead the security overhaul. They would also need to educate employees on any changes that affect their traditional workflow. Only by involving the organization will everyone be on the same page in reducing intra-organizational security risks.
Evaluation and assessment
Upon successful completion of a Security Risk Assessment, your organization is in a better and safer place. However, this is just one step in the ever-changing process of keeping your organization secure. While there are certain industries that require a Security Risk Assessment to be conducted after a certain period, your best bet is to maintain up-to-date documentation on your organization’s security systems and policies. The security standards set in the first Risk Assessment should be revisited after any major organizational changes, such as branching out into a different industry or the onboarding of major clients that require a vendor that meets certain security standards. With these steps in hand, your organization is positioned to stay ahead of risk and away from making the front page for the wrong reasons!