Conducting a risk assessment is no frivolous task; it encompasses your organization, its mission and business functions, and its Information Technology. There are many frameworks for conducting Risk Assessments; NIST SP 800-30 rev 1 is the one we use for assessing risk in organizations. A Risk Assessment is a process for identifying, estimating, and prioritizing risk. As you learned in our previous article, Are you Adequately Managing your Cybersecurity Risks?, there are three tiers to risk management (organization, mission/business process, and information system). For this article series, we’ll look at Tier 3, Information System, risks.
The risk assessment methodology from NIST can be daunting, but once you understand it the risks become identifiable and manageable.
We’ll use our example of a hacker who compromises our website to define the risk using the NIST framework. In NIST terms, the hacker is the threat source, the compromise of the website is the threat event, and in our case the event succeeds because we have a weak security control. Other risks may instead exploit a vulnerability or a predisposing condition (for example, a server room located where it can flood). To learn more about how these fit into the assessment, see NIST SP 800-30r1. A threat event with no vulnerability, predisposing condition, or weak security control behind it has a limited likelihood of causing adverse impact and would be prioritized at the bottom of your risk assessment list.
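To make the prioritization concrete, here is an added example (not part of the original article) that carries a small threat-event register through the NIST SP 800-30r1 qualitative scales: likelihood of initiation and likelihood of adverse impact combine into an overall likelihood, which combines with impact into a risk level, and the register is then ranked. The two matrices are my transcription of Tables G-5 and I-2 and should be checked against the published document before use; the threat events, their ratings, and the weakness descriptions are constructed to match the scenarios in this article.

```python
"""Rank Tier 3 (information system) threat events using the NIST SP 800-30r1
qualitative scales. Added example, not the article's own tooling; the matrices
are transcribed from Tables G-5 and I-2 as an assumption to verify."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Table G-5 (overall likelihood). Row: likelihood the threat event is initiated
# or occurs. Column: likelihood the event results in adverse impact.
OVERALL_LIKELIHOOD = [
    # VL          L           M           H            VH   <- adverse impact
    ["Very Low", "Very Low", "Low",      "Low",       "Low"],        # initiation Very Low
    ["Very Low", "Low",      "Low",      "Moderate",  "Moderate"],   # initiation Low
    ["Low",      "Low",      "Moderate", "Moderate",  "High"],       # initiation Moderate
    ["Low",      "Moderate", "Moderate", "High",      "Very High"],  # initiation High
    ["Low",      "Moderate", "High",     "Very High", "Very High"],  # initiation Very High
]

# Table I-2 (level of risk). Row: overall likelihood. Column: level of impact.
RISK_LEVEL = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # likelihood Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # likelihood Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # likelihood Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # likelihood Very High
]


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    threat_source: str
    # Vulnerability, predisposing condition, or weak security control the event
    # relies on; None when no such weakness is known to exist.
    weakness: Optional[str]
    initiation: str      # likelihood of initiation/occurrence (Tables G-2, G-3)
    adverse_impact: str  # likelihood the event results in adverse impact (Table G-4)
    impact: str          # level of impact (Table H-3)


def _idx(level: str) -> int:
    """Map a qualitative level to its position on the five-point scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    return OVERALL_LIKELIHOOD[_idx(initiation)][_idx(adverse_impact)]


def risk_level(likelihood: str, impact: str) -> str:
    return RISK_LEVEL[_idx(likelihood)][_idx(impact)]


def assess(event: ThreatEvent) -> dict:
    """Carry one threat event through likelihood and risk determination."""
    likelihood = overall_likelihood(event.initiation, event.adverse_impact)
    return {
        "name": event.name,
        "threat_source": event.threat_source,
        "weakness": event.weakness or "none identified",
        "likelihood": likelihood,
        "impact": event.impact,
        "risk": risk_level(likelihood, event.impact),
    }


def rank(events) -> list:
    """Highest risk first; ties broken by likelihood, then by impact."""
    rows = [assess(e) for e in events]
    rows.sort(key=lambda r: (_idx(r["risk"]), _idx(r["likelihood"]), _idx(r["impact"])),
              reverse=True)
    return rows


# Constructed sample register following the scenarios in the article; the
# ratings are illustrative, not measured values.
SAMPLE_EVENTS = [
    ThreatEvent("Hacker compromises the public website", "external adversary",
                "weak security control", "High", "High", "High"),
    ThreatEvent("Flooding of the server room triggers the COOP", "environmental (flood)",
                "predisposing condition: equipment at ground level", "Low", "High", "High"),
    ThreatEvent("Staff member accidentally deletes shared files", "insider, non-malicious",
                "vulnerability: backups never restore-tested", "Moderate", "Moderate", "Low"),
    ThreatEvent("Attack against a control that is fully in place", "external adversary",
                None, "Low", "Very Low", "Moderate"),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_EVENTS):
        print(f"{row['risk']:<9} {row['likelihood']:<9} {row['impact']:<9} {row['name']}")
```

Running the block ranks the website compromise (High) first and the event with no underlying weakness (Very Low) last, which is the ordering the paragraph above describes; swap in your own events and ratings to build the register for your own Tier 3 assessment.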
Additional risks come from external, non-malicious threat sources such as fire or flooding, which would force you to enact your Continuity Of Operations Plan (COOP) and accept a loss of productivity. The key here is to identify all of your threats, including accidental misuse of your Information System as well as intentional misuse. Identifying all of your threat sources requires some ingenuity and creativity; for instance, when looking for new sources of terrorism threats, the Pentagon and the Department of Homeland Security engaged Hollywood writers to devise scenarios that hadn’t been considered before.
While your Security Team or IT Team will be most concerned with the vulnerability analysis and with the discrete technical actions that mitigate each risk, your executives will be looking for more digestible information. Your Risk Assessment Report should be easy to understand and should attach a cost to each consequence and to each mitigation. Presented this way, the report tells executives which risks threaten operations and what reducing each one will cost, which is what they need in order to allocate the resources to mitigate those risks.