
Risk Management: Creating a Risk Assessment Workflow

Risk management is critical to cybersecurity, but many organizations struggle with identifying the appropriate initial steps, understanding their options, and achieving long-term success in this area. In this article, I will provide practical recommendations for strengthening your organization's workflow and reference the relevant industry frameworks and guidelines for creating a comprehensive cybersecurity risk management plan.

Overview

Information security risk management involves evaluating vulnerabilities, threat sources, and existing security controls in order to determine the level of risk to information, systems, processes, and individuals supporting business functions. Risk management activities can take various forms, including formal risk assessment, audits, security reviews, configuration analysis, and vulnerability scanning and testing, all of which aim to identify and address risk in order to improve overall security. While it is not possible to completely eliminate risk, steps can be taken to manage it. In accordance with the Information Security Policy, all systems and processes supporting business functions must be properly managed for risk and undergo risk assessments as part of their lifecycle.

Managing risk:

  1. Develop a strategy for conducting a risk assessment that considers various factors such as assumptions, constraints, priorities, dependencies, trade-offs, and resources that will be used.

Creating a workflow:

Leaders should understand that each workflow should be customized to the needs of the organization it is designed for. However, the example workflow above illustrates the key steps that should be included in an effective workflow.

Project Management Plan

The project management plan outlines the goals, objectives, roles and responsibilities, ownership, limitations, timeline, deliverables, data handling procedures, and maintenance of the assessment.

Identify the area that needs assessment

As Chief Information Security Manager, I understand that conducting a risk assessment can be a time-consuming process. It is important to consider the availability of resources and prioritize the areas that need assessment in order to be effective. To successfully conduct a risk assessment, leaders should identify the purpose, scope, assumptions, constraints, threat sources, vulnerabilities, impact, the assessment approach, and the analysis approach to be used.

Gathering Data

Effective metrics are essential for convincing leadership to allocate resources for a project, and risk assessments are no exception. In order to gather relevant data for creating metrics, it is important to consider the various data gathering methods available. This may include gathering documents such as insurance claims, vulnerability scans, and cost analysis, as well as collecting network data through logs and traffic analysis, conducting a penetration test, engaging an outside vendor for a security audit, or using surveys to gather information.

Determine Current Controls

Understanding the current controls in place that reduce risk can help determine the severity of vulnerabilities. A section of the risk assessment should be dedicated to identifying these controls, which may include operational controls (human-driven processes, procedures, and training that aid in the secure management of technology), technical controls (software or hardware solutions), or physical controls (measures that prevent, or alert on, access to physical assets).

Risk Measurement

Determining how to measure risk can be a challenging task. The approach that an organization takes — whether quantitative, semi-quantitative, or qualitative — will often be determined by executive leadership and may depend on the culture and personality of the organization. However, the elements being measured — risk appetite, capacity, and tolerance — should remain consistent. To understand these measures, it is helpful to use a risk model that identifies threat sources, threat events, and vulnerabilities, and assesses the likelihood and potential impact of these events.

Evaluate the Risk

If current controls are not sufficient to manage risk, we will need to evaluate the risk further. This may involve considering whether we can avoid the risk altogether, manage the risk through additional controls, transfer the risk through insurance or other means, or accept the risk as a necessary part of doing business.
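The following is an added example, not part of the original article, showing one way to put the risk model from the Risk Measurement and Evaluate the Risk sections into a small script: each threat event gets a semi-quantitative likelihood and impact score, current controls reduce the likelihood, the residual risk is compared with the organization's tolerance, and anything above tolerance is flagged for the avoid/mitigate/transfer/accept decision. The 0-10 scales, band edges, tolerance value and sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative bands for a 0-10 semi-quantitative score (band edges are assumed)
BANDS = [(2, "Very Low"), (4, "Low"), (6, "Moderate"), (8, "High"), (10, "Very High")]
TREATMENT_OPTIONS = ("avoid", "mitigate", "transfer", "accept")

@dataclass
class ThreatEvent:
    name: str
    likelihood: int               # 0-10: likelihood the threat source initiates the event
    impact: int                   # 0-10: adverse impact if the event succeeds
    control_effectiveness: float  # 0.0-1.0: fraction of likelihood removed by current controls

def to_band(score: float) -> str:
    """Map a 0-10 score onto its qualitative band."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    return "Very High"

def residual_likelihood(ev: ThreatEvent) -> float:
    """Likelihood after crediting the operational, technical and physical controls in place."""
    return ev.likelihood * (1.0 - ev.control_effectiveness)

def risk_score(ev: ThreatEvent) -> float:
    """Risk = residual likelihood x impact, rescaled back onto 0-10."""
    return round(residual_likelihood(ev) * ev.impact / 10.0, 1)

def evaluate(ev: ThreatEvent, tolerance: float) -> dict:
    """Compare a threat event's residual risk with the organization's risk tolerance."""
    score = risk_score(ev)
    within = score <= tolerance
    return {
        "event": ev.name,
        "score": score,
        "band": to_band(score),
        "decision": "current controls sufficient" if within else "evaluate further",
        "options": () if within else TREATMENT_OPTIONS,
    }

def prioritise(events, tolerance: float) -> list:
    """Risk register ordered with the highest residual risk first."""
    return sorted((evaluate(e, tolerance) for e in events), key=lambda r: -r["score"])

# Constructed sample register: values are illustrative, not taken from the article
SAMPLE_EVENTS = [
    ThreatEvent("Phishing leads to credential theft", 8, 9, 0.5),
    ThreatEvent("Unpatched internet-facing server exploited", 6, 8, 0.0),
    ThreatEvent("Laptop lost in transit", 4, 5, 0.75),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_EVENTS, tolerance=4.0):
        print(row)
```

Whether a score is compared against a single tolerance or a matrix of appetite and tolerance values per business function is a leadership decision; the script only makes that comparison explicit and repeatable.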

Provide possible solutions

It is important to provide multiple options when evaluating risk. This allows for more thorough discussion and decision-making, and helps to ensure that we have considered the potential costs and benefits of each option. I recommend presenting at least 3–5 potential solutions based on the risk evaluation. Having more options allows for more flexibility and can help to ensure that we have a well-rounded understanding of the potential risks and benefits associated with each option.

Results

It is important to present the findings of a risk assessment in a clear and concise manner. A comprehensive executive summary should be prepared for leadership, highlighting the key findings and recommendations from the assessment. Additionally, a technical document should be created that includes all of the details and supporting information from the assessment. This document can be used for reference and to ensure that the controls put in place are sufficient in mitigating the identified risks. It is important to include relevant metrics and data to support the recommendations made in the report.

References

National Institute of Standards and Technology (NIST) Special Publications (SP): NIST SP 800-53A (Risk Assessment (RA) control family), NIST SP 800-12, NIST SP 800-30, NIST SP 800-39, NIST SP 800-40, NIST SP 800-60, NIST SP 800-70, NIST SP 800-100, NIST SP 800-115; NIST Federal Information Processing Standards (FIPS) 199
