Threats to our information privacy, details and data are growing in intensity and sophistication on a daily basis. With this threat, organisations are beginning to gain awareness of these threats to information security, but provide limited budgets. Organisations must be specific on where they utilise their resources; financial, time and persons. You need to identify, analyse and prioritise the risks inherent in information systems, based on the likelihood of the event and the level of impact on the business. Also to content on the financial impact incurred by this risk and to remedy the events afterwards.
This process is performing an IT Risk assessment.
Developing your IT security strategy – IT Risk Assessment
Risk assessment involves the understanding of the internal and external risk environments, the organisation’s approach and appetite to security. Risk management is part of the risk assessment, provision of control over the wider operational, business and IT risks of an organisation. Both are essential components of a strong IT environment.
IT Risk assessment assists categorisation of events that can affect your business in a negative way. Gaps in security layers and provide information to take action and make smarter proactive decisions. For instance, by revealing a chaotically organised user accounts or data access/control. The risk assessment procedure helps you take the proper risk management steps to minimise the risk of privilege abuse or data breach before it’s too late.
IT Risk Assessment is required for organisations in a regulatory environment.
The use of a risk assessment for some organisations (regulatory environments) is mandatory for compliance or audit regulations. Information security risk assessment is one of the top requirements of compliance, for financial institutions. Various government law’s, Central Bank oversight and GDPR require risk assessments including Information Technology. Information Technology is a must do requirement, otherwise there is the potential of non-compliance, audits and potential fine’s.
Regulations do not provide specific instructions on how to manage and control the IT systems, they require
- A structured approach to the management of IT.
- Provision to the audit function with evidence of a structured control, management and audit are in situ and to reduce data security risks,
IT Security Framework to make it easier to manage the risk assessment.
An IT security risk assessment framework is a set of rules that define;
- Systems that have to be assessed
- Persons and teams involved in the risk assessment process
- Identification of potential threats to the organisation, and or the means to define risk categories
- How to identify these risks, analyse and prioritise
- Potential Impact & Likelihood of these risks
- Reports produced to document the results of the assessment
Organisations will have different rules and procedures depending on the size, data types, goals and complexity of the business, size of the IT dept, existing security controls, industry and resources available.
There is no need to create your own IT Security Framework, we use NIST, National Institute Standards and Technology, SP 800-30 as our security framework. There are other frameworks available.
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) designed by Carnegie Melon University
- ISO/IEC 27001:2013
- NIST, National Institute Standards and Technology, SP 800-30
Note that all of these standards require organisations to document their information security risk assessment processes so they can provide evidence that all required data security procedures are being diligently followed.
IT Risk Assessment
IT Security assessment is an ongoing process never ending. Think of painting the Golden Gate Bridge in San Francisco. When you get to one end you start back in the loop to paint the bridge, similar with IT. You develop a risk assessment time frame, 6 months, yearly or other time frame. It is not a one shot process, but a continuous ongoing process that provides permanent and definite information for the management team to educate and collate their response to manage the risk requirements. Information Technology and the general business environment are in constant flux so the risk assessment need to occur on an ongoing basis.
We perform a monthly review of the risk register to review current identified risk and identify potential new risks for the organisations. This gives us the opportunity to monitor for gaps in the security layers, procedures, accounts, data, passwords that may expose data or systems in organisations.
IT Risk Assessment
The process of risk assessment can be divided into multiple stages
- Risk identification.
Determine the vulnerabilities in information systems, broader IT environment and its relationship to business operations.
- Risk estimate
Assess the likelihood that an event will occur by analysing the probability of a threat occurring.
- Risk priority/impact
Ranking the risks based on the risk estimate combined with the level of impact if the risk event occurs.
- Financial Impact
Prioritise the risks according to the financial impact, both in the effect to the business and the cost to remedy after the potential impact.
IT risk assessment is critical to data protection and business continuity, and it has to be carried out periodically in order to detect new risks and improve security strategies. If your risk assessment is out of date, so are your strategies — it’s as simple as that.