What is a Security Risk Assessment?
A Security Risk Assessment identifies and assesses key security controls in your security program, an application, or life. Think of it this way, when operating your automobile and you decide to turn left with oncoming traffic flowing, you are making decisions based on numbers and when you can safely make that turn without being struck by another vehicle. A Security Risk Assessment is the same thing but more technical in nature, and a fair amount of higher math is involved.
At MainNerve, we use the NIST SP 800-30 Guide For Conducting Risk Assessments and NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in implementing our security risk assessments.
How it Works
In simpler terms, a risk analyst will go over a company’s policies and procedures. They will also determine if there is a security awareness training program and certain safeguards are in place, such as encryption and log monitoring. Once MainNerve can identify the safeguards or lack thereof, the risk analyst can then decide how likely a security event may occur and what the impact of a security event is based on a single finding. Finally, a risk rating can be calculated.
For example, let’s say an organization doesn’t have a data backup plan in place. Believe it or not, this is common and can be an issue if the data you are attempting to protect becomes compromised. Such an event might be ransomware taking over your network and locking you out of all your systems. Then a hacker will demand ransom to return your keys to your company to access your network or applications. Never get into a situation with losing your data and paying money to get it back. Most hackers will not release your data even if you have paid to have it restored. If you are lucky, and they release your data, most set up a backdoor to come back later and repeat. If you have data backups based on a plan, you wouldn’t have to worry about it.
How it Equates to Risk?
You might be asking how that equates to risk? The likelihood of such an event happening is becoming more common every day. Companies are being hit with ransomware daily. So, a risk analyst would say the likelihood is high. Additionally, if it were to happen, the impact could be severely detrimental to a company. You could have to close your offices for a week or two while you get things back up and running. This means the impact would be high, as well. For that one finding or situation, your risk rating would be high.
However, the overall risk rating considers many situations as described above. It may be possible to have a few high-risk findings and many low-risk findings. This is where a company should have policies and procedures to ensure regular training of your employees to not click on hyperlinks in emails that lead to ransomware and monitoring events for suspicious activity. Then your overall risk rating would be considered low as your team has a plan of action in place. However, you would still want to address the high-risk findings to ensure you are doing everything you can to protect that precious information.
All in all, it’s better to know where your risk falls than to stick your head in the sand. As they say, knowing is half the battle. Once you know where your potential risks are, you can work on addressing each one. A report from a third party such as MainNerve, can help provide information to the decision-makers regarding implementing new security measures.