
Security Risk Assessments: What You Should Know

Annual Security Risk Assessments Tell You Everything You Need to Know to Protect Your Business

Security risk assessments are now required by all federal and state regulations that include provisions for security safeguards as well as by all major cybersecurity frameworks and accepted cybersecurity standards. If your organization is governed by any of these regulations, frameworks, or standards, you should be no stranger to security risk assessments. The question is, what don’t you know?

Facts about Assessment Frequency

One of the keys to an effective security risk assessment is frequency. Frequency requirements have tightened up and become almost universal in recent years as regulations, frameworks, and standards increasingly borrow from each other. This is a good thing, since it brings greater uniformity to the requirements across industries and even countries. The global NIST Risk Management Framework is one of many examples.

  • In most cases, risk assessments are required annually. This frequency offers the best opportunity to keep pace with new security tools and practices and with the periodic updates to regulations, frameworks, and standards that address the latest threats.
  • Many required risk assessments call for quarterly vulnerability assessments and penetration tests, since these tools reveal weaknesses in security defenses that are best addressed sooner rather than later.
  • In a few cases, risk assessments may be permitted every two or even three years, unless your organization has experienced a recent data breach or other security incident.
  • In addition, a new security risk assessment is usually required when significant changes have just occurred in your organization, such as a new system or equipment installation, key personnel change, or merger or acquisition.

Purpose of Security Risk Assessments

Understanding your current cybersecurity posture is a vital step in strengthening that posture and resolving security weaknesses. The surest way to acquire this understanding is to conduct a thorough security risk assessment.

Our continuous global internet connectivity comes at a price. Intellectual property, financial data, and other business assets can be accidentally exposed to unauthorized parties, or can be leaked maliciously by an employee or third party supplier. Having your data in the wrong hands poses a significant and unnecessary risk.

  • Do you know if your data is safe from both external and internal threats?
  • Do you know if your IP, payroll and personnel data, financial information, and strategic plans are secure?
  • Are you certain your organization is in full compliance with regulatory requirements and best security practices in every department where they apply?
  • Do you know what you don’t know?

A security risk assessment identifies your organization's IT assets, the risks associated with those assets, the mechanisms you have in place to manage those risks, and how those mechanisms are documented and monitored.

Your annual security risk assessment paints a complete picture of overall risks along with recommendations for addressing them. It provides an actionable, 360-degree view of the state of security in your organization—revealing things you didn’t know and helping in ways that might surprise you.

Essential Steps of Security Risk Assessments

Security risk assessments consist of the following activities. Many can be conducted onsite while others may be completed remotely.

  1. Identify and agree on the scope of the risk assessment or compliance audit, and plan and organize the assessment accordingly.
  2. Collect all relevant data, including policies and procedures, network maps, equipment inventories, and other materials, and identify your organization’s most important assets.
  3. Using penetration testing, system scans, and related tools and techniques, identify vulnerabilities and potential threats to your organization, including cyberattacks, physical breaches, insider threats, and weaknesses in systems, networks, applications, and physical security that could be exploited.
  4. Document the threats and vulnerabilities revealed by each method.
  5. Determine the likelihood of threat occurrence, by individual threat, and identify the potential consequences of each threat occurring.
  6. Determine the level of each risk based on its gravity and potential impact, and prioritize risks accordingly so that you can focus on critical areas first. In some cases, an A team can be assigned to address the most critical gaps, while B teams can be designated to remediate less serious vulnerabilities.
  7. Finalize documentation including detailed reports, backup materials, remediation recommendations, and executive summary.
  8. Present findings and recommendations in an online or in-person meeting on request.
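As an added example (not code from the original post or from 24By7Security), the likelihood-times-impact scoring of steps 5 and 6 and the A-team/B-team split in step 6, in Python. The 1-to-5 scales, the level thresholds, and the sample findings are assumptions constructed for illustration.

```python
"""Risk-level calculation and prioritization for an assessment's findings.

Added example with constructed data; the 1..5 likelihood/impact scales and
the level thresholds below are assumptions, not a standard's values.
"""
from dataclasses import dataclass

# Score floors per level, listed from highest to lowest (order matters).
LEVELS = {"Critical": 15, "High": 10, "Medium": 5, "Low": 0}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Step 5/6: risk score = likelihood x impact on the assumed scales."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Map a numeric score to the first level whose floor it reaches."""
    for name, floor in LEVELS.items():
        if score >= floor:
            return name
    return "Low"


def prioritize(findings):
    """Step 6: rank findings highest risk first as (name, score, level)."""
    ranked = sorted(findings, key=lambda f: (-f.score(), f.name))
    return [(f.name, f.score(), risk_level(f.score())) for f in ranked]


def assign_teams(findings):
    """Split the ranked list: Critical/High to the A team, the rest to B teams."""
    a_team, b_team = [], []
    for name, _score, level in prioritize(findings):
        (a_team if level in ("Critical", "High") else b_team).append(name)
    return a_team, b_team


# Constructed sample findings, purely illustrative.
SAMPLE = [
    Finding("Unpatched internet-facing VPN appliance", 4, 5),
    Finding("No MFA on payroll portal", 3, 4),
    Finding("Stale accounts for departed staff", 4, 2),
    Finding("Visitor badge log kept on paper", 2, 1),
]
```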

How Your Annual Security Risk Assessments Help You 

Annual security risk assessments are not just a matter of checking boxes and going through remedial motions. They are vital security tools that enable organizations to clearly understand the risks they face and the importance of resolving them. Assessments assist organizations in a variety of ways. As a few examples:

Compliance. You will learn where you stand with respect to the regulatory requirements that apply to your industry and business, as well as applicable cybersecurity frameworks and accepted cybersecurity standards. Complying with regulations is not optional, and not being aware of updates to regulations is not an excuse for non-compliance. If you engage a professional firm to conduct your assessments, you can generally count on them to know the latest versions and to be certified to assess against those updated requirements.

Corrective Action. Your assessment doesn’t stop at identifying security gaps and exploitable vulnerabilities. It goes beyond that to provide actionable resolutions enabling you to implement security controls, tools, and procedures to either remove or reduce your security risks. By effectively remediating the identified risks, you take giant steps toward reducing the likelihood of your organization suffering a successful phishing exploit, ransom extortion, or other data breach. In doing so, you revitalize your cybersecurity program and strengthen your security posture.

Cost Effectiveness. As you continue to perform annual security risk assessments, you will usually find fewer vulnerabilities each year due to the strong cumulative effect of remediation activities. This can reduce your assessment costs over time in addition to helping you avoid damaging security incidents that drain internal resources and distract from your primary business focus.

Continuity. Most organizations have developed plans to resume business operations in the event of disasters, including security incidents. Your annual assessment supports your business continuity plan by enabling you to identify problems that could disable operations and to address them before they can do so.

Cognizance. Another benefit you’ll derive from your annual security risk assessments is heightened awareness among employees of what constitutes a security risk, what actions they must take to reduce those risks, and why employee engagement is crucial. They should be able to define phishing, hacking, ransomware, and other common threats. Virtually every regulation that contains security provisos requires employee training on a regular basis, in most cases at least annually.

Special Types of Risk Assessments

Three types of assessments are available to address an organization’s specific needs. All of them follow the essential steps outlined above.

Baseline Security Review. This creates a foundation for all subsequent reviews, evaluating your organization’s security environment internally and externally at a given point in time. This review is appropriate if you haven’t conducted a risk assessment in several years. It also enables you to set a regular schedule for security risk assessments going forward.

Vendor Review. Supply chain security has made headlines in recent years due to the domino effect, when the breach of a supplier leads directly to the breach of the organization as well. As a result, most security rules now require holistic security assessments that include third parties who create, manage, transmit, process, store, or destroy data and information on your behalf.

Security Architecture Review. Elements of your organization’s security architecture range from networks and information systems, firewalls and servers, to end-user devices such as desktops and laptops, to security software and applications. Because security technology advances steadily, it’s a best practice to conduct periodic reviews of the security and vulnerability of this vital architecture.

Summary

Security risk assessments are now required by all federal and state regulations that include provisions for security safeguards as well as by all major cybersecurity frameworks and accepted cybersecurity standards. In most cases, risk assessments are required annually. Assessments identify your organization's information assets; the security gaps, vulnerabilities, and risks associated with those assets; the mechanisms you have in place to manage those risks; and how those mechanisms are documented and monitored. Assessments adhere to specific essential steps in order to be thorough and consistent. In addition to annual security risk assessments, several special reviews can address specific needs.

Annual security risk assessments deliver actionable information as well as substantial assistance in the areas of compliance, corrective action, cost effectiveness, business continuity, and employee cognizance. For best results, engage a professional firm specializing in cybersecurity and compliance whose staff are highly credentialed and have conducted hundreds of risk assessments. Build your assessment schedule into company calendars and budgets. And confirm the date of your last assessment in order to schedule the next.

Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
