Assessing risk: Measuring the health of your infosec environment

There is an uncomfortable truth that many organizations are not conducting comprehensive assessments of their information security risk; or those that do aren’t getting much value out of assessment exercises — because they simply don’t know how.

Given the massive amounts of data organizations hold, accurately assessing these risks is difficult. So is determining how to best control them once they are identified. That’s especially needed for businesses in highly regulated industries that can face stiff penalties for security violations.

Most organizations are subject to some regulation, whether over-arching directives like PCI for credit card data, GDPR for personal data about European citizens or the pending CCPA for personal data about California residents; while certain industries may have unique regulations like HIPAA for health care or GLBA for financial services.

Many of these specifically require an organization to perform risk assessments on a periodic basis. But by and large those assessments are done as a tick-the-box compliance exercise focused on the regulated data only. That falls far short of assessing risks to the many other kinds of data organizations hold, and highlights the need to examine information security risks more broadly.

Commonly available frameworks from standards organizations like NIST, ISO and CIS can help an information security team take that broader look. These frameworks provide an excellent starting point for identifying the state of an information security environment’s maturity and the risks that may exist in its current data management processes.

Regardless of the framework you choose, the first step is always to identify the scope of your assessment effort. Start by establishing the context for why you’re undertaking the assessment. Think in terms of Data, People, Process and Technology.

• For Data, what information do you have that you’re trying to protect? The scope can be as broad including all of your “crown jewels”, or as limited as only credit card information.
• For People, who are the users of the data? Who should/not have access? Who are we sharing data with? Who should be responsible for safeguarding it?
• Process is essential, as governance would set the tone at the top. How mature are your processes? Do you have documented SOPs? Do you outsource some IT processes? If so, do they have proper documented policies and procedures? Are your Information Security Policies up to date and relevant?
• Technology includes characterizing all of the systems to be included. That can be a huge task in and of itself, given the number of data-centric systems in play. What applications are receiving, transmitting, storing or using the data in the scope of the assessment?

Don’t limit this exercise to inputs. Rather, think about the “lifecycle” of each data element. For example, if you collect a credit card number, follow it through collection, transfer, users of the data element, how is it shared, where is it stored and where and how it is disposed; note all applications involved in each step. Then note supporting infrastructure for each application, such as the underlying operating system and hardware, including its location (datacenter, Platform as a Service, under a person’s desk…), network infrastructure, public access, and if it is cloud-based. Because each application may be allocated to different networks or locations, the impact of each threat will vary depending on these factors.

Once your framework is established, get clear on scope – what you want out of the risk assessment? Just to tick the box? Something more? You will gather a significant amount of information through this process, so be as direct and truthful about your goals as possible, because this is going to drive change in your organization.

That underscores the need for information security teams to stay current on mapping organizational data, including what lines of business may share with shadow IT providers, data at rest, and data in motion. Without this insight, your risk assessment will not be meaningful. Done correctly, it will help articulate how current security initiatives are mapped to applicable threats and vulnerabilities.

The next step is to identify threats to which your systems are subject, such as fraud, brute force attacks, phishing, or even physical theft. Keeping a relevant inventory of threats requires significant effort; it’s important to not only identify the relevant threats to your organization and risk appetite, but also to keep reviewing your list as new threats may be created, threats may change, or some may no longer be applicable.

Determining the degree of risk each of those threats pose is where many organizations start to struggle. Degree can be subjective, so the challenge is minimizing any bias and then using the business to identify remediation activities. A good approach is to score each risk based on impact. Think through how to determine what a threat impact will look like to your organization. You could also separate the risk of the threat into confidentiality, availability and integrity impacts. That way you can further reduce the subjective nature of the exercise.

Also consider likelihood – what’s the probability of a threat actually affecting your organization? For example, if your data is located in Florida, the likelihood of a natural disaster (i.e., hurricane) is very high compared to other locations. A web-based code injection attack to a web application that is not public in the internet is much lower than if the web application is on the internet.

This thorough examination of your assessment scope, potential threats, possible impacts and likelihood of occurrence will yield a list of risks with different ratings. That very useful data will arm information security teams for approaching leadership with an objective view of the organization’s threat footprint, and make the case for why and where investment is needed. The assessment effort will also help information security groups demonstrate their value to their organizations, and fulfill their mission of truly securing data, the crown jewels of the modern enterprise.