Risk Assessment 101

Shannon Idea generator Vanta Team Member Conversation starter

Performing a Risk Assessment

 
What is a risk assessment?
  • A security risk assessment identifies, assesses, and implements essential security controls in your company’s applications, systems, and procedures. It aims to find areas within your organization that need more security.
Why should I perform a risk assessment?
  • Most cyber-attacks are aimed at small businesses, but only a few are prepared to defend themselves. Breaches can cost a company millions of dollars. An effective risk assessment strategy can improve your security posture and protect your company’s most valuable data and information.
When should I perform a risk assessment? 
  • Once a year, or before a company merger, before a company acquisition, or after deploying new technology.
 
Where should I start?
  • Identify asset inventory and the value of each asset
  • Identify vulnerabilities and threats.
  • Threat Probability & Impact: How likely is this threat to occur, and how much damage will it cause?
  • For a more comprehensive understanding of Vulnerability Scoring, take a look at the National Vulnerability Database
  • Threat Impact and Cost of Protecting your Assets
 

Establishing Risk Assessment Framework

  • Is there any specific compliance the organization is trying to achieve? ie, SOC2, HIPPA, GDPR
  • Each compliance has a framework of policies that must be monitored and assessed. 
  • What can be done to create a risk assessment framework structured around compliance? 
    • Perform company-wide security training
    • Employees receive targeted training relevant to their role
    • Managers meet with direct reports weekly to review their work
    • Managers are responsible for mentoring and providing guidance to increase staff awareness of security policies 
    • Leverage tools that detect and alert asset misconfigurations and vulnerabilities 
    • For a comprehensive guideline of policies, check out this list of helpful security policies
 
 
Continuous Risk Assessment
  • Risk assessment & vulnerability management is a continuous cycle!
  1. Discover: What assets are available? 
  2. Assess: How Valuable are these assets to our company, and what vulnerabilities have we found in them?
  3. Report: What have we found, who should be involved, and what is our plan moving forward?
  4. Remediate: Take action and fix the issues
  5. Verify: Confirm vulnerabilities have been patched and compliances are met 
  6. Repeat the cycle!

Comments

8 comments

Date Votes
  • Comment author
    Taylor Buckler Vanta Team Member Conversation starter Great answers

    Pro tip! In Vanta, we'll already provide you with examples. :)

    3
  • Comment author
    Michael Argast Vanta Partner Conversation starter Idea generator

    I love the fact that this is central to Vanta. A couple of thoughts I'd love to share as someone who has done a bunch of this analysis for clients:

    1. Assets need to include data.

    2. Risk impacts need to be relative, not absolute. The impact of a $1M loss on a 10 person startup can be existential, on a 1000-person tech firm it is painful but completely manageable in most cases.

    3. I tend to focus on risks that are "bad things that can happen" rather than vulnerabilities (I call these contributing factors). So, a successful Ransomware attack is a Risk with a probability and impact, but the vulnerability or phishing attack or malware that led to it is a "contributing factor". This gives you a more manageable list of risks to work with and allows you to have an executive conversation about risk that is more comprehensive than "We haven't updated Struts on our Apache Server".

    I'm not sure there's a ton of value in leveraging CVSS scoring - yes, it's a nice metric but doesn't really give you system or threat centric risk in a useful way. IMHO. ;-)

    2
  • Comment author
    Lucien Pinto Community Founding Member Conversation starter Idea generator

    The risk scenarios examples provided are really helpful, thanks :) !

    1
  • Comment author
    Shannon Idea generator Vanta Team Member Conversation starter

    Thanks, Lucien! Welcome to the Community - we are so excited to have you here! And CONGRATULATIONS on being our first founding member! We'll be in touch soon with more details, your badge, and Vanta Swag! 

    1
  • Comment author
    Alex McMillan Community Founding Member Great answers

    I kid, I kid!

    Welcome and congrats Lucien, and all. Very cool to see a Vanta community!

    4
  • Comment author
    Lucien Pinto Community Founding Member Conversation starter Idea generator

    Wow, it's such an honor, Shannon :) ! 

    I've been passionate about Vanta since the first days so I'm more than honored to be the..... first founding member :) !

    Thanks again for it and the upcoming gear :) !

     

     

    2
  • Comment author
    Lucien Pinto Community Founding Member Conversation starter Idea generator

    Thanks Alex McMillan :) ! Your picture is adequate :) !

    2
  • Comment author
    Lucas Galvão Conversation starter Vanta Partner

    Performing a risk assessment is non-negotiable for any serious organization aiming to fortify its security posture and shield its critical data. As a professional, I swear by tools like Vanta, leveraging their automation and AI prowess to streamline the process. Vanta ensures meticulous identification, assessment, and implementation of security controls across the board, aligning with compliance standards effortlessly. It's about staying ahead of the game, mitigating risks with precision, and maintaining that unyielding edge in today's ever-evolving threat landscape. Vanta is the best!

     

    0

Please sign in to leave a comment.