IT risk assessments can be a great way to gain insight into your organization’s IT environment, risks, and controls. When completed in a methodical and well-scoped manner, IT risk assessments can be an extremely valuable tool for many stakeholders across the organization, including enterprise risk, audit, compliance, and security departments. Not only do IT risk assessments provide a comprehensive view of an organization’s security risk posture, but they also offer insights into the identification and prioritization of evolving threats. Such insights make the treatment and remediation of risks much easier and more effective.
The value an IT risk assessment can provide has only increased as information security threats become more prevalent and cyber attacks continue to target public and private institutions and expose vulnerabilities. The cost and fallout of a cybersecurity or data breach rise each year, in a time when individuals’ privacy has been in the spotlight more than ever.
With an effective IT risk assessment process,companies can enhance their security posture, identify pervasive vulnerabilities, establish strong incident response procedures, and better safeguard sensitive information. Taking a couple of key steps in their IT risk management program, organizations can begin to integrate regular security risk assessments into the risk management process and better manage potential threats to their critical information systems.
What is IT Risk Management?
Before diving into IT risk assessment best practices, it’s important to understand the larger context of IT risk management and even risk management as a whole. Emerging from a mindset that tackling risks in silos was ineffective at best and inadequate at worst, organizations began to move to an overarching risk management strategy that takes a proactive approach to address risks in a cross-functional, systematic, and prioritized way. Various sub-disciplines, like operational risk management (ORM), supply chain risk management (SCRM), and IT risk management (ITRM) branched from the core tenets of risk management and applied those principles to the relevant business operations and departments.
IT risk management takes an overall look at the organization to evaluate risks that impact the criticality of IT systems, threaten the organization’s sensitive data, and affect the security posture, and business processes, goals, and objectives. Once the risks are identified, IT risk management practitioners then establish security controls and mitigation plans to prevent or limit the impact of those identified risks.
The use of security risk assessments, cybersecurity risk assessments, or IT risk assessments — these names are typically interchangeable — helps determine the overall risk level that the identified risks pose to the organization. For this reason, IT risk assessments are a cornerstone of any IT risk management function, providing both a starting point for implementing an IT risk management program and a temperate check to evaluate the organization’s security posture over time.
What is an IT Risk Assessment?
An IT risk assessment is not restricted to a specific form or template, though companies may want to use an existing IT risk management framework, like those provided by the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO), to base their assessments on, at least initially. IT risk assessments focus on the organization’s security risks, the controls in place to address those risks, improvement opportunities, gaps, and recommendations for remediation or risk mitigation.
These security risk assessments can be performed by both internal and external parties, as they do not constitute a formal compliance audit — however, the procedures taken and the documentation used as part of an IT risk assessment can prove very useful in the event of an audit and is a typical requirement of any compliance program. A high-quality cybersecurity risk assessment report can demonstrate to auditors and leadership that the company has performed due diligence to manage risks to critical assets.
Furthermore, because an IT risk assessment is not an audit, companies have the flexibility to determine their own scope. This allows organizations to take a phased approach to risk assessment activities, such as initially evaluating the areas related to high-risk IT infrastructure and systems and eventually extending the scope to become more comprehensive over additional parts of the business. This also makes them more affordable, relevant and focused on areas that would make the greatest business impact.
What are the Components of the IT Risk Assessment Process?
The IT risk assessment process follows a lifecycle of identification, analysis, treatment, and monitoring. This lifecycle ultimately results in a compiled report of identified risks, their accompanying risk score, remediation plans for responding to those risks, and a risk owner who is responsible for carrying out the remediation.
Identification
The first part of a security risk assessment is identification — that is, determining and identifying the risks to your in-scope IT systems. When identifying risks, it’s always wise to ask, “What could go wrong?” Generally, the answers to that question point the way toward discrete security risks that could have a potential impact on the organization.
There are other ways an organization can identify risks throughout the course of the cybersecurity risk assessment process, like learning from security incidents, incorporating penetration testing and vulnerability scanning, and remaining vigilant for general cybersecurity risks.
Learning from Security Incidents
Learning from past security incidents that affected the company, or data breaches that other organizations suffered can be a great, albeit painful, way of identifying risks. Performing a root cause analysis on previous security incidents will reveal the risks that led to the event, providing an opportunity to mitigate and ideally prevent those vulnerabilities from being exploited in the future. Cyber attacks that have succeeded on other organizations can provide valuable insight into the techniques and exploits hackers use, allowing companies to turn the mirror on themselves and understand where they are exposed.
Researching the techniques used by hackers to infiltrate systems and bypass firewalls and other security controls is a great method for identifying risks, as is performing penetration testing.
Penetration Testing
Penetration testing, sometimes known as “ethical hacking,” occurs when IT professionals attempt to exploit weaknesses in an organization’s security to gain access to their information systems and sensitive data. These weaknesses are then analyzed and summarized in a report, with recommendations for remediation.
Penetration testing takes a deeper, technical dive into your organization’s information security configurations, data security measures, access controls, security automation, and authentication mechanisms and simulates the activities of hackers directly, making them valuable tools for the modern IT security department.
General IT Risks
As part of an IT risk assessment, your organization can expect assessors to inspect and evaluate certain security policies, configurations (like firewall rule sets), and even business processes to understand and identify where risks may lie. General cybersecurity considerations, like access controls, authentication, password management, and change management all form part of a business’s IT landscape and can carry risks with them. Weak passwords and authentication security make it easier for hackers to gain unauthorized access to sensitive information, while poor change management controls can result in product bugs, inaccurate data, or service outages, which pose a reputational risk to the organization. These risks should also be represented in an IT risk assessment, and addressed with corresponding security controls.
Analysis
Risk analysis follows risk identification. This step involves evaluating the likelihood that a risk will be realized and the impact to the business should the risk occur. The likelihood, as it sounds, takes into the account the probability that the risk event or condition will occur. The impact analysis takes into account the severity of the effect should the risk be realized — is it catastrophic, or is it negligible? The higher the risk’s impact and likelihood, the more significant the risk, typically referred to as the inherent risk score. On the other hand, a low risk would have a low likelihood of occurring and/or a low impact if it did occur.
The combined risk score indicates how the risk response strategy should be prioritized — which risks need to be mitigated right away, and which ones can be deprioritized or be completed at a later time. Using a risk assessment matrix combined with a heatmap makes visualizing risks much easier and more dynamic.
Treatment
After a risk has been identified and assessed, it can then be assigned a response and action plan. When it comes to IT risk management, there are four major categories of risk treatments: acceptance, avoidance, transference, and mitigation.
Risk Mitigation
Risk mitigation is the treatment used when the organization addresses risks through security controls, processes, or information technology solutions. The aim of mitigation is to reduce either the likelihood that a risk will be realized or the impact should the risk be realized. Mitigating a risk will leave some residual risk — which is why the IT risk management process is cyclical. Risks must be revisited periodically to ensure that they are being treated appropriately and that the controls that have been implemented to mitigate the inherent risk are effective.
Risk Transference
Risk transference involves treating a risk by transferring some or all of the risk to a third party, like outsourcing your company’s data centers, or purchasing cybersecurity insurance. Most of the time, the transferring party will retain some of the risk, and may still have to implement controls or processes to adequately manage the risk.
Risk Avoidance
Avoiding a risk is simple — the company chooses not to make the decision that would incur the risk. This might include turning down a deal, choosing not to migrate to a new service provider, or keeping a product UI the same as previous versions.
Risk Acceptance
Organizations accept a risk when it is within their tolerable risk appetite thresholds to do so. There may be no other option available than to accept a risk — such as accepting the risk of natural disasters occurring, or geopolitical conditions changing. Accepted risks should be reassessed at least annually to ensure the determined strategy remains acceptable.
Monitoring
Monitoring and periodically updating security risk assessments is a critical component of the IT risk assessment process. IT security and risk teams should continuously monitor the risks identified during cybersecurity risk assessments, and oversee the progress and completion of mitigation plan activities. Conducting IT risk assessments at a regular cadence, such as annually or quarterly serves as another mechanism to continuously monitor the IT risks and progress towards optimization.
What Information is Included in an IT Risk Assessment?
When undergoing an IT risk assessment, the company may need to prepare and furnish documentation that supports its understanding of its security posture. In order to complete an IT risk assessment, the assessors must have an understanding of the IT environment and systems in scope, which often means reviewing organizational charts, security policies, IT architecture diagrams (like network and infrastructure diagrams), and information asset inventories. Assessors may seek to understand what types of devices are present in the environment, what the key applications in use are, and how database security is handled. They may seek to understand the operating systems and types of databases at play, as well as the encryption and cryptographic protocols in use. A good IT risk assessment will ask questions of the organization about IT controls, security incidents, and the skills and composition of the security team. All of these details and findings should be recorded in the report resulting from the assessment.
An IT risk assessment may even result in a recommendation to perform penetration testing or implement vulnerability scanning in order to combat new and dynamic cyber attacks.
Mitigating Cybersecurity Risks and Combatting Vulnerabilities
While there are many different solutions for addressing IT risks and vulnerabilities, there are some overarching best practices that hold an IT risk management program together.
Vulnerability Scanning and Patching
Since vulnerabilities provide some of the easiest ways for hackers to exploit your organization’s systems, having a proactive vulnerability scanning and management approach can reduce the likelihood that an attacker would be able to take advantage of the exploit. Making sure to regularly review and apply security patches and system updates to IT infrastructure is a big step towards securing your organization’s IT environment.
Another component of keeping your IT environment as CVE-free as possible is making sure that your information technology stays up-to-date and in support. This means installing updates and patches, but also phasing out technology that is no longer supported. Too often, organizations hang on to legacy systems, not wanting to deal with the cost or bureaucracy of decommissioning an asset — even though that system could pose a major risk. Out-of-support technology is especially risky because it means that the provider is no longer releasing updates or security patches for that system, leaving vulnerabilities or exploits wide open.
Vulnerability scanning, regular updates and patching, and asset decommissioning are all difficult to coordinate on their own, let alone together. Setting an annual (or more frequent) cadence for reviewing IT assets and updating the organization’s asset inventory is one way to orchestrate all control activities. Taking advantage of risk management softwareis another.
Security Awareness and Training
It is difficult to create a security and risk-aware culture. Today’s workers have a lot on their plates, and creating strong passwords or remembering to keep an eye out for phishing emails is a lot to ask. And yet, employee behavior serves as the backbone of any security program, and ultimately a mature security risk management program requires a security-aware workforce.
Investing thoughtfully into security awareness and training resources pays companies unseen dividends, keeping employees aware of their security, risk, and compliance obligations, as well as the threats that target them. Putting effort into security updates and reminders, along with explaining the purpose behind cybersecurity measures engages people, and helps them understand why certain controls are required.
Equally important, and outlined specifically in security standards like NIST is the importance of retaining skilled talent, capable and trained to manage cybersecurity risks. Providing training opportunities for IT, security, and/or risk personnel ensures that they remain contemporary in their knowledge and skillsets, and are able to train the next generation of practitioners.
Security By Design
One of the best ways an organization can combat cybersecurity threats and manage IT risks is by embedding principles of security and risk management into business processes, day-to-day operations, and systems, through automation and security by design. New IT projects should include a security stakeholder and require a security review before completion; major code changes should require scanning and reviews before being released to production; new employees need to have their access approved before they receive it. By integrating security considerations with processes, systems, and norms, security activities become less of a burden and simply a part of daily work.
Why Prioritize Cybersecurity?
The price tag of the average data breach is not cheap, ringing in at $4.45 million. If that’s not enough of a reason to prioritize cybersecurity and IT risk management, more and more companies have moved their operations, banking, communications, and HR online and into the cloud — opening themselves to cyber attacks. Now, companies must manage malleable threats in both the digital and physical space, with greater emphasis on productivity and savings. Organizations can’t afford to not invest in cybersecurity when protecting the sensitive data of their customers, partners, and stakeholders when the alternative is so costly. Beyond the cost in currency, companies that suffer a data breach or security compromise must deal with the reputational fallout.
All of this emphasizes that cybersecurity and IT risk management must continue to be invested in and prioritized for companies and organizations. With limited resources and a focus on efficiency, having the right technology solutions in place can help you and your organization take on the challenges of an advanced information technology landscape. AuditBoard’s IT Risk Management solution can help your team track critical assets, prioritize threats, perform quantified assessments, and take an overarching approach to centralize your IT risk management process and program.
Madison Dreshner, CISA, is a Manager of Compliance Solutions at AuditBoard. Madison joined AuditBoard from PwC, where she specialized in external reporting for a wide array of clients, including SOC 1 & 2 reporting, as well as SOX compliance. Connect with Madison on LinkedIn.