A Security Risk Assessment identifies and assesses key security controls in your security program, an application, or in life. Think of it this way, when operating your automobile and you decide to turn left with oncoming traffic flowing, you are making decisions based on numbers and when you can safely make that turn without being struck by another vehicle. A Security Risk Assessment is the same thing, but more technical in nature and a fair amount of higher math is involved.
At MainNerve, we use the NIST SP 800-30 Guide For Conducting Risk Assessments and NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as guidance in implementing our security risk assessments.
In simpler terms, a risk analyst will go over a company’s policies and procedures. They will also determine if there is a security awareness training program and are certain safeguards in place such as encryption and log monitoring. Once MainNerve can identify the safeguards or lack of, the risk analyst can then decide on how likely a security event may occur and what the impact of a security event is based on a single finding. Finally, a risk rating can be calculated.
For example, let’s say an organization doesn’t have a data backup plan in place. Believe it or not, this is common and can be an issue if the data you are attempting to protect becomes compromised. Such an event might be ransomware taking over your network and locking you out of all your systems. Then a hacker will demand ransom to return your keys back to your company to access your network or applications. Never get into a situation with losing your data and paying money to get it back. Most hackers will not release your data even if you have paid to have it restored. If you are lucky, and they release your data, most set up a backdoor to come back later and repeat. If you have data backups based on a plan, you wouldn’t have to worry about it.
You might be asking how that equates to risk? The likelihood of such an event happening is becoming more common every day. Companies are being hit with ransomware daily. So, a risk analyst would say the likelihood is high. Additionally, if it were to happen, the impact could be severely detrimental to a company. You could have to close your offices for a week or two while you get things back up and running. This means the impact would be high, as well. For that one finding or situation, your risk rating would be high.
However, the overall risk rating considers many situations as described above. It may be possible to have a few high-risk findings and many low-risk findings. This is where a company should have policies and procedures in place to ensure regular training of your employees to not click on hyperlinks in emails that lead to ransomware and monitoring events for suspicious activity. Then your overall risk rating would be considered low as your team has a plan of action in place. However, you would still want to address the high-risk findings to ensure you are doing everything you can to protect that precious information.
All in all, it’s better to know where your risk falls than to stick your head in the sand. As they say, knowing is half the battle. Once you know where your potential risks are, you can work on addressing each one. A report from a third-party such as MainNerve, can help provide information to the decision makers when it comes to implementing new security measures.