How to develop a cybersecurity risk assessment
Previously, we shared how to reduce the risk of cybersecurity threats through education and training.
Risk management is a also key component in reducing the risk of cybersecurity threats. The basic tenets of risk assessment can be applied to developing a cybersecurity risk management plan.
Risk is generally assessed by identifying threats and vulnerabilities and then determining the likelihood of those threats occurring, along with the potential impact of an occurrence. This process requires a champion to organize and ensure all business areas and information assets are identified.
There are four main steps to performing a risk assessment, which include:
- Identify and classify information assets: identify the critical information assets that your organization manages. This information may include automated as well as non-automated data such as records, files and databases of customer or company information needed to support the business. These assets should then be classified by type and criticality. From this exercise, you should be able to determine the information that needs to be protected to ensure confidentiality, integrity and availability (known by auditors as CIA).
- Identify threats: threats can be people, organizations or even an act of nature. They can be intentional, malicious, natural disasters, unintentional, software or hardware failures or computer viruses, among other things.
- Identify vulnerabilities: vulnerabilities take different forms. They could result from inadequate physical security or insufficient segregation of duties, as well as network security weaknesses. These weaknesses can be exploited to gain access to critical systems and information assets, impacting the confidentiality and integrity of data. When identifying vulnerabilities, assess the type of weakness and the information asset(s) that would be impacted.
- Analyze for likelihood and impact: due to certain inherent risks with information security, the likelihood and impact of threats is high. As the likelihood and potential impact of a threat increases, so does the risk of a successful breach. Therefore, increased risk necessitates more controls.
Armed with the information developed from the risk assessment, you can now identify the best way to manage the risk.
Source: Nashville Business Journal – By Gina Pruitt