Best Practices for Conducting a Cyber Risk Assessment
Placed within the Identify function of the NIST Cybersecurity Framework is a category called Risk Assessment. According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.” As set out by NIST, conducting a risk assessment typically includes the following six steps:
- Identify and Document Asset Vulnerabilities
- Identify and Document Internal and External Threats
- Acquire Threat and Vulnerability Information from External Sources
- Identify Potential Business Impacts and Likelihoods
- Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
- Identify and Prioritize Risk Responses
In the security industry, we refer to these steps as being proactive (as opposed to being reactive, a euphemism for incident response). Best practices for conducting a risk assessment include, first and foremost, adequate preparation. But what does that require? In the world of risk assessments, preparation means setting out the ground rules, including a clear understanding of the assessment’s purpose and scope, its assumptions and constraints, its information sources, and whether a particular risk model or analytic approach is being used.
There are a number of options for conducting the assessment itself, all of which will have some combination of reviewing the threats against your assets (who/what can cause you harm), identifying vulnerabilities (how harm can occur), and consequences (what assets can be harmed, and to what degree). The most useful risk assessments are informed by strong knowledge of the actual tactics, techniques and procedures (TTPs) that already have been used to target your organization or industry and that are likely to emerge against it.
Most companies routinely conduct vulnerability assessments, taking advantage of a large number of tools (many of which are free) to scan their networks to determine what services are running and whether software versions are up to date, as well as to scan for known vulnerabilities. Other free tools allow administrators to run pre-defined exploits against their own systems and to conduct brute-force dictionary attacks against their own users.
Outside security firms typically are brought in to conduct compromise assessments to discover whether a corporate network has already been breached. Independent penetration testing is also a valuable way to test your organization’s resilience and readiness. It’s one thing to have locks on your doors; it’s quite another to test whether somebody can get past them. The best penetration testers know and deploy the TTPs of your specific adversaries. Finally, realistic tabletop exercises will better inform your risk assessment by identifying gaps in cybersecurity and incident response processes.
Once your risk assessment is complete, best practices include properly communicating the results to all stakeholders. Also, since security is an ongoing and evolving process, companies should maintain and improve the assessment over time consistent with their risk posture.
If you’re interested in taking a deeper dive into risk assessment guidelines, check out NIST’s Special Publication 800-30, available online for free. Or, should I say, risk-free?