Risk Assessment 101
Performing a Risk Assessment
What is a risk assessment?
- A security risk assessment identifies, assesses, and implements essential security controls in your company’s applications, systems, and procedures. It aims to find areas within your organization that need more security.
Why should I perform a risk assessment?
- Most cyber-attacks are aimed at small businesses, but only a few are prepared to defend themselves. Breaches can cost a company millions of dollars. An effective risk assessment strategy can improve your security posture and protect your company’s most valuable data and information.
When should I perform a risk assessment?
- Once a year, or before a company merger, before a company acquisition, or after deploying new technology.
Where should I start?
- Identify asset inventory and the value of each asset
- Identify vulnerabilities and threats.
- Threat Probability & Impact: How likely is this threat to occur, and how much damage will it cause?
- For a more comprehensive understanding of Vulnerability Scoring, take a look at the National Vulnerability Database
- Threat Impact and Cost of Protecting your Assets
Establishing Risk Assessment Framework
- Is there any specific compliance the organization is trying to achieve? ie, SOC2, HIPPA, GDPR
- Each compliance has a framework of policies that must be monitored and assessed.
- What can be done to create a risk assessment framework structured around compliance?
- Perform company-wide security training
- Employees receive targeted training relevant to their role
- Managers meet with direct reports weekly to review their work
- Managers are responsible for mentoring and providing guidance to increase staff awareness of security policies
- Leverage tools that detect and alert asset misconfigurations and vulnerabilities
- For a comprehensive guideline of policies, check out this list of helpful security policies
Continuous Risk Assessment
- Risk assessment & vulnerability management is a continuous cycle!
- Discover: What assets are available?
- Assess: How Valuable are these assets to our company, and what vulnerabilities have we found in them?
- Report: What have we found, who should be involved, and what is our plan moving forward?
- Remediate: Take action and fix the issues
- Verify: Confirm vulnerabilities have been patched and compliances are met
- Repeat the cycle!
Pro tip! In Vanta, we'll already provide you with examples. :)
I love the fact that this is central to Vanta. A couple of thoughts I'd love to share as someone who has done a bunch of this analysis for clients:
1. Assets need to include data.
2. Risk impacts need to be relative, not absolute. The impact of a $1M loss on a 10 person startup can be existential, on a 1000-person tech firm it is painful but completely manageable in most cases.
3. I tend to focus on risks that are "bad things that can happen" rather than vulnerabilities (I call these contributing factors). So, a successful Ransomware attack is a Risk with a probability and impact, but the vulnerability or phishing attack or malware that led to it is a "contributing factor". This gives you a more manageable list of risks to work with and allows you to have an executive conversation about risk that is more comprehensive than "We haven't updated Struts on our Apache Server".
I'm not sure there's a ton of value in leveraging CVSS scoring - yes, it's a nice metric but doesn't really give you system or threat centric risk in a useful way. IMHO. ;-)
The risk scenarios examples provided are really helpful, thanks :) !
Thanks, Lucien! Welcome to the Community - we are so excited to have you here! And CONGRATULATIONS on being our first founding member! We'll be in touch soon with more details, your badge, and Vanta Swag!
I kid, I kid!
Welcome and congrats Lucien, and all. Very cool to see a Vanta community!
Wow, it's such an honor, Shannon :) !
I've been passionate about Vanta since the first days so I'm more than honored to be the..... first founding member :) !
Thanks again for it and the upcoming gear :) !
Thanks Alex McMillan :) ! Your picture is adequate :) !
Please sign in to leave a comment.