Businesses take risks. It comes with the territory. But that doesn’t mean that an enterprise should push blindly forward, ignoring the potential threats to availability and ultimately its success. Risk assessment is essential to understanding the territory and blazing the trail ahead. And risk mitigation is the key to controlling those factors that endanger IT uptime. It all starts with a framework.
Before we get to the nuts and bolts, let’s try to understand what risk assessment is. The Business Dictionary defines risk assessment as “the identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk.” According to business continuity expert Harvey Betan, “An IT risk assessment is a document that reviews the possible threats your organization faces, natural and/or man-made.”
First, we see that a risk assessment, in professional terms, should be something in writing. It’s not enough to ponder the possibilities of “what if?” without getting a grip on how to address the challenges out there. Putting pen to paper (or fingers to keyboard), IT professionals should flesh out the risks in a way that can be fully understood. All stakeholders in the enterprise need to be aware of the risks so that a comprehensive risk management plan can be put into place.
Second, a risk assessment should include metrics that accurately quantify the threats. The best way to do that, as Becky Metivier writes for Sage Data Security, is to use some kind of ratings system. The potential impact of an event might be classified as high, medium, or low. The same treatment could be made for the likelihood of an event. By assigning a value to each classification, you can come up with a risk calculation score. The risk rating is usually calculated by multiplying the potential impact number by the likelihood number. Then the risk calculation results could be classified as severe, elevated, or normal.
Example: high potential impact (100) * medium likelihood (0.5) = elevated risk (50)
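As an added example (not code from the article), here is a small Python scorer that applies the impact-times-likelihood rubric above to a constructed risk register and ranks the entries for prioritization; the weights other than the two the article gives (high impact = 100, medium likelihood = 0.5) and the severe/elevated/normal bands are assumptions chosen so that the article's worked case comes out as elevated (50).

```python
from dataclasses import dataclass

# Assumed rating scales: the article fixes only high impact = 100 and
# medium likelihood = 0.5; the remaining weights are this example's choice.
IMPACT = {"high": 100, "medium": 50, "low": 10}
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
# Assumed bands on the product: above 50 severe, above 10 elevated, else normal.
SEVERE_ABOVE = 50
ELEVATED_ABOVE = 10

@dataclass
class Risk:
    asset: str
    threat: str
    impact: str      # high / medium / low
    likelihood: str  # high / medium / low

def risk_score(impact: str, likelihood: str) -> float:
    """Multiply the impact weight by the likelihood weight; reject unknown ratings."""
    try:
        return IMPACT[impact.lower()] * LIKELIHOOD[likelihood.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use high, medium or low") from None

def classify(score: float) -> str:
    """Map a numeric score onto the article's severe / elevated / normal classes."""
    if score > SEVERE_ABOVE:
        return "severe"
    if score > ELEVATED_ABOVE:
        return "elevated"
    return "normal"

def prioritize(register: list[Risk]) -> list[tuple[str, str, float, str]]:
    """Score every entry and sort highest risk first, so the reviewers and the
    executives approving the document see the worst items at the top."""
    rows = []
    for r in register:
        score = risk_score(r.impact, r.likelihood)
        rows.append((r.asset, r.threat, score, classify(score)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register for demonstration; not real assets or findings.
SAMPLE_REGISTER = [
    Risk("customer records store", "credential theft by phishing", "high", "high"),
    Risk("payroll database", "ransomware outbreak", "high", "medium"),
    Risk("developer wiki", "stale antivirus definitions", "low", "high"),
    Risk("core switch", "hardware failure with no spare", "high", "low"),
]
```

Calling `prioritize(SAMPLE_REGISTER)` returns the register ranked severe first; a rating outside high/medium/low raises `ValueError` rather than silently scoring zero.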
Third, risk assessments are based on a thorough knowledge of the systems in place. As Metivier points out, “Characterizing the system will help you determine the viable threats.” What are the processes, functions, or applications currently in place? Who are the people involved? What kind of equipment is used? This is the time to play the game of “Twenty Questions”.
Fourth, a sound risk assessment strategy will include multiple levels of review. You may assign one person to develop and implement the assessment, but leaving all evaluation to that one person would be a mistake. IT personnel at all levels should have input. In fact, it may be helpful to use a team approach to the risk assessment. People from a cross-section of departments could participate in drafting and finalizing the document. And executive management approvals will be required.
Now, with some general knowledge of the nature of risk assessments, you are ready to create a risk assessment framework to ensure maximum IT availability. And there are plenty of ways to do it.
You are perfectly free to determine your own methods for assessing risk. Nothing is stopping you from creating your own comprehensive system of risk analysis in-house. In fact, it may be advisable since you know your IT infrastructure better than anybody. But there are mature risk assessment frameworks out there that you can apply to your own situation.
According to TechTarget, “A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.” The TechTarget definition lists three industry standards for risk assessment frameworks: NIST, OCTAVE, and COBIT.
The steps involved in the NIST Risk Management Framework (RMF) include: 1) categorize; 2) select; 3) implement; 4) assess; 5) authorize; and 6) monitor. The program’s website says that it involves the “management of organizational risk”. It is a process that considers inputs from a variety of sources within the organization. The NIST RMF is used in U.S. government and defense organizations with a full-fledged certification process.
OCTAVE is a product of the Software Engineering Institute of Carnegie Mellon University. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. As explained by the University of Kansas IT department, the OCTAVE method of security assessment includes three phases:
COBIT (Control Objectives for Information and Related Technologies) is a risk assessment framework created in 1996 by ISACA (formerly known as the Information Systems Audit and Control Association). The COBIT website describes the COBIT 5 framework as “a leading-edge business optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking tools to inspire IT innovation and fuel business success”. COBIT 5 covers the following areas:
ISO 27001 is an information security standard that provides guidance and certification for businesses and IT organizations. It is named Information technology — Security techniques — Information security management systems — Requirements. According to Advisera, “ISO 27001 has become the most popular information security standard worldwide.” They say that it can be implemented “in any kind of organization, profit or non-profit, private or state-owned, small or large”.
Another key standard is ISO 31000. The standard is entitled Risk management – Principles and guidelines. Other related standards include ISO Guide 73:2009, Risk management – Vocabulary and IEC 31010:2009, Risk management – Risk assessment techniques.
Government compliance is another consideration when assessing IT risks. You must do more than satisfy the requirements of your own organization. There are regulations that require compliance. The website for Jurinnov LLC provides information in an article called “Information Security Compliance: Which regulations relate to me?” The list includes:
Legally, you have no choice but to comply. Whatever IT risk assessment method you choose has to take into account any relevant government requirements.
So what should a risk assessment look like? The list of items to consider in the assessment could be quite long. Where should you start?
Let’s take one example. The company Compass Security has developed their own Lean Risk Assessment. It is based on the OCTAVE Allegro method, which consists of eight steps in four phases. The phases are:
The scope of the assessment is pretty straightforward. First, you need to clarify why you are doing the risk assessment. What is driving you to do all this work? Recent downtime? Government compliance? ISO certification? Next, take an inventory of your assets, including software and hardware. Data protection and integrity are critical issues. Then you will need to identify the risks and find ways to deal with them.
Any IT risk assessment will work along these lines. It’s a matter of finding out what is currently in your IT infrastructure and looking for vulnerabilities.
Risk assessments are part of the larger discipline of risk management. The document NIST 800-30 Rev 1, Guide for Conducting Risk Assessments, provides a quote from the Office of the Chairman, Joint Chiefs of Staff, U.S. Department of Defense:
“… Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”
The document identifies risk assessment as part of risk management methodology which includes:
Of course, risk assessment would be worth nothing if it were not coupled with efforts to correct the problems it finds. Risk management is an ongoing process that requires continuous vigilance and regular updates. You wouldn’t want your antivirus definitions to become out of date, for example. Risk management is about keeping up your defenses.
The IT security landscape is continually evolving. What may not have been even thought of a few years ago could be a very serious threat now. The bad guys keep finding new ways to break into systems and wreak havoc on infrastructure.
A robust risk assessment can prevent damage to your network that would ultimately lead to downtime. As you conduct penetration tests and analyze your own systems for vulnerabilities, you are taking proactive steps to keep hackers from breaching your perimeter. The list of things an unwanted intruder can do ranges from mischievous to criminal.
Doing nothing is not an option. You would not leave your doors unlocked at night, and you would not leave your family unprotected. Without assessing your cybersecurity status, you could be paving the way for the downfall of your systems and an unplanned outage, or worse yet, the loss of your data. The threats to infrastructure require a constant state of alertness.
What are the chances that someone could access your most critical IT assets? What would be the potential impact if that happens? These possibilities should be addressed systematically and calculated precisely. An IT security risk assessment can provide the information you need to buttress your systems and protect your network. The resulting formalized policies and procedures can keep your IT services online and running despite the onslaught of security attacks. In today’s world of cyber threats, you can never be too careful.