Best Practices for Information Security Risk AssessmentsBest Practices for Information Security Risk Assessments
Effective security risk assessments enable organizations to make informed business decisions and move away from a reactive, whack-a-mole approach to cybersecurity.
March 23, 2020
Sponsored by AT&T Cybersecurity
In an age when businesses are relying more than ever on the rapid advancements in technology to drive innovation, strategy, growth and competitive advantage, it is clear the prevalence of technology is not slowing down. But the increase in new devices and systems that utilize connectivity, as well as the transition to the network of devices and systems that were traditionally air-gapped, brings with it an increased cybersecurity risk.
Organizations large and small are attempting to defend against a constant barrage of potentially damaging cybersecurity attacks and struggling to keep up. Increasingly, they are finding that the best approach is taking a proactive, risk-based approach. By repeatedly conducting risk assessments, a holistic understanding of the organization’s risk landscape can be developed. Gaps that exist among people, processes and technology can be utilized to develop a prioritized roadmap for managing and tracking risk over time. The organizations gain the ability to make informed business decisions and move away from a reactive, whack-a-mole approach to cybersecurity.
Policies and Procedures Are the Foundation
Strong cybersecurity policies and procedures are the foundation of a robust security program. A risk assessor can glean a significant amount of insight into the maturity of an organization’s cybersecurity program simply by looking at a few key cybersecurity policies and procedures. This allows the assessor to gain valuable insight on the culture of cybersecurity within the organization, the reporting structure within the organization and the types of technologies present within the organization. It also ultimately allows the assessor to drive discovery of information efficiently. This quick and efficient information discovery is especially important for external assessors or those who don’t already have an intimate understanding of the organization.
Documentation Is Not Implementation
Having a strong cybersecurity posture on paper does not mean much if it is not implemented. It’s why conducting interviews of personnel is so important in a risk assessment and why the phrase “Trust but verify” is often half-facetiously repeated by cybersecurity professionals.
When seeking to verify through conducting interviews, it’s tempting to simply go down a list of specific and tailored questions, likely from a framework or compliance standard.
Questions like “Does your organization implement a cybersecurity training and awareness training program?” are to the point, brief and elicit information the assessment framework is looking to find, but they are not the best way to conduct interviews. Risk assessments are not audits, and getting a yes/no answer to a question is not nearly as valuable as taking the time to develop a comprehensive understanding. By having a guided cybersecurity conversation and not simply going through a list of questions, an assessor is able to glean more information on an organization’s risk and develop more valuable findings and recommendations.
Start Broad and Go Narrow
When conducting interviews, start at a 10,000 -foot level of the topic being discussed, then use the framework as a general guide to steer the conversation and narrow down to specifics. Risk assessors should first ask open-ended questions that allow the interviewee a chance to explain the topic in-depth. This allows for a less restrictive and narrow-minded conversation, and provides a view into how the topic at hand fits into the entire business.
When interviews reveal that documentation does not match implementation, it is valuable to ask why. The well-known 5Y method states that in order to get to the root of an issue and not just deal with the symptoms, “Why?” should be asked approximately five times. By employing this mindset, the assessor often reveals the most useful insights to an organization.
In the example interview below, the symptoms of the issue include production downtime, lack of consistent testing and not enough headcount. The identified root issue is that there is not a documented method for conducting tests and a lack of adequate training in tasks. By asking “why” repeatedly, the assessor is able to change from a weaker recommendation regarding additional testing to a stronger one that identifies how to promote efficient testing with identified limited resources.
Original Recommendation: Additional testing should be performed before implementing changes in a production environment.
Recommendation After 5Y: Develop written testing procedures and include training of junior engineers in the principal engineer’s job responsibilities to encourage thorough and consistent testing before implementation of changes in a production environment.
Don’t Just Write, Communicate
Assessors are only as good as their reports. Written communication is key to a successful risk assessment, and it is important to know the audience of the assessment or sections of the assessment. For example, an executive summary should be written in a very different manner than a section meant for an information systems principal.
It is important to be as precise as possible, stating only findings and recommendations that can be proven as true, and avoiding inferred findings or recommendations. At the end of the day, putting all of the gathered findings and recommendations together in a clear manner will give the organization a valuable tool for making informed risk decisions in the future.
Kyle Chrzanowski is currently in AT&T Cybersecurity on the Cybersecurity Consulting team. In his role, Kyle works as a delivery consultant and has been immersed into various aspects of cybersecurity consulting, including marketing, sales training collateral, and governance, risk, compliance services. With additional experience in network engineering and cybersecurity marketing, he is viewed as a driven individual who aims to approach problems from a unique perspective and create innovative solutions with impactful and lasting change that help drive client growth. Kyle earned his Bachelor of Science from Georgia Institute of Technology and holds an Associate of (ISC)2 certification. Kyle started with AT&T in 2017 as part of the Cybersecurity Development Program (CDP) and plans to graduate in June 2020.
This guest blog is part of a Channel Futures sponsorship.
Read more about:MSPs
About the Author(s)
You May Also Like
AWS re:Invent Partner, Vendor News: Cisco, Salesforce, MoreDec 01, 2023
People on the Move: Comcast, Cisco, NICE, TPx, Barracuda, MoreNov 29, 2023
AWS re:Invent 2023 Partner News: Marketplace, Salesforce, Certs, MoreNov 29, 2023
AWS re:Invent Expo: VMware, Snyk, HPE, More Showcase Cloud, Security, AINov 28, 2023