#AmericanCSM #Risk #Assessment
When it comes to risk assessments, there isn’t a one size fits all kind of questionnaire template. You need to figure out what is important to your organization, your organization’s approach to governance, and the organization’s risk tolerance. There are lots of guides and thousands of canned questions to choose from, but it really depends on having the knowledge to ask the right questions about your specific organization.
- First, you need to identify what information your business manages. As they say, you can’t protect something you don’t know exists. List as many of these assets as you can. Create a table because you will fill in information, as seen below, about each asset.
- Second, you must figure out what the asset is worth. You can use either a dollar value or a high/medium/low scoring system. Play the ‘what if’ game: What would happen if this asset were hacked? What would happen if this asset were stolen? What would happen if this asset weren’t available for 24/48/72 hours?
- Third, record some attributes about the asset. Who owns it? Does it rely on a third party? Where is it physically located? How quickly can I actually access it? What type of information does it hold (PII, PCI, PHI)? How quickly will I know if it is gone?
- Next, think about the impact that asset has on your business. Again, use either a dollar value or a high/medium/low scoring system.
- Now, understand the likelihood of specific threats and vulnerabilities. Using something like the National Vulnerability Database (NVD), US-CERT, or InfraGard you can get a list of common threats. This will help you prioritize the areas of focus.
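The steps above describe an asset table that is scored on value, impact and likelihood and then used to pick the assets that get a full risk assessment. The following is an added example, not code from the original post or from American Cyber Security Management, that implements that table with the high/medium/low scheme; the asset names, owners, locations and scores are constructed sample data, and the product score and “all three high” rule are one simple scoring convention chosen here, not a standard mandated by the post.

```python
from dataclasses import dataclass

# High/medium/low scoring, used here instead of dollar values.
SCORE = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Asset:
    name: str
    owner: str           # who is accountable for the asset
    location: str        # where it physically (or logically) lives
    data_types: list     # e.g. ["PII", "PCI", "PHI"]
    third_party: bool    # does it rely on a third party?
    value: str           # worth to the business: high/medium/low
    impact: str          # business impact if hacked, stolen or unavailable
    likelihood: str      # likelihood of a relevant threat materialising

    def __post_init__(self):
        # Reject typos such as "hgih" early rather than silently mis-scoring.
        for field_name in ("value", "impact", "likelihood"):
            if getattr(self, field_name) not in SCORE:
                raise ValueError(f"{self.name}: {field_name} must be one of {list(SCORE)}")

    def risk_score(self) -> int:
        """Simple product of the three ratings; range 1..27."""
        return SCORE[self.value] * SCORE[self.impact] * SCORE[self.likelihood]

    def needs_full_assessment(self) -> bool:
        """High risk, high value and high impact: the 'crown jewels' rule."""
        return self.value == self.impact == self.likelihood == "high"


def prioritize(assets):
    """Highest risk score first, so effort is concentrated where it matters."""
    return sorted(assets, key=lambda a: a.risk_score(), reverse=True)


# Constructed sample register (hypothetical assets, not real systems).
REGISTER = [
    Asset("Customer database", "IT", "cloud region A", ["PII", "PCI"], True, "high", "high", "high"),
    Asset("Marketing website", "Marketing", "hosted CMS", [], True, "low", "medium", "high"),
    Asset("HR records share", "HR", "on-prem file server", ["PII"], False, "high", "medium", "medium"),
    Asset("Engineering wiki", "Engineering", "SaaS", [], True, "low", "low", "medium"),
]

if __name__ == "__main__":
    for a in prioritize(REGISTER):
        flag = "FULL ASSESSMENT" if a.needs_full_assessment() else ""
        print(f"{a.risk_score():2d}  {a.name:<20} {','.join(a.data_types) or '-':<8} {a.owner:<12} {flag}")
```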
With all this information you should get a great picture of where to concentrate your efforts. After this exercise you’ll know what you want to protect and whether or not it is protected to the appropriate value that it is worth.
A full risk assessment should be done on the assets which you determined are high risk, high value and have a high impact on your business. So, start simple and with something everyone can agree on. Start by determining your critical assets: what are your company’s crown jewels, the things that must be protected above all else? It should then be easier to design a set of questions that will help you determine whether or not these assets are well protected.
For small to mid-sized businesses, the CIS Top 20 Critical Controls is a good place to start in order to define a set of standard security controls. NIST also has a great document, Small Business Information Security: The Fundamentals, to review.
There are also some simple things you can do today, even before you do the risk assessment:
- Always encrypt sensitive information both in transit and in storage
- Understand your data retention policy – if you don’t have the data, it can’t be compromised
- Limit access to information – the fewer people that can access it the better
- Create a good password policy – and enforce it!
- Patch your systems – as often as possible or at least know why they are not patched
- Ensure good boundary protection – including wireless access points and BYOD
- Train your employees on good security hygiene
If you need help realizing the benefits of a risk assessment, or need to turn your analysis into a Security and/or Privacy Strategy, please contact us at American Cyber Security Management today.
*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts.