Risk Assessment Best Practices
When you are conducting a risk assessment, it is important to define the goals and objectives of the assessment and what the organization wants to accomplish by conducting one.
Risk and vulnerability assessments provide the necessary information about an organization’s IT infrastructure and its assets’ current level of security. That baseline allows the assessor to recommend how to increase or enhance each IT asset’s level of security based on the identified and known vulnerabilities inherent in the IT infrastructure and its assets.
There are many best practices or approaches to consider when conducting a risk and vulnerability assessment on an IT infrastructure and its assets, and they vary with the scope of that infrastructure. Properly securing and protecting an organization’s IT infrastructure and assets requires a significant amount of design, planning, and implementation expertise to ensure that the proper level of security is designed and implemented correctly. While preparing and conducting a risk assessment, consider the following best practices or approaches:
- Create a Risk Assessment Policy—A risk assessment policy defines how often the organization must conduct an assessment (annually in many cases), how risk is to be addressed and mitigated (for example, a minimum acceptable vulnerability window, meaning how long a known vulnerability may remain open before it must be mitigated), and how the organization must carry out a risk assessment for its IT infrastructure components and assets. Creation of a risk assessment policy is usually done after the first risk assessment is conducted, as a post-assessment activity. In some cases, organizations create a risk assessment policy first and then implement the recommendations that the policy defines.
- Inventory and Maintain a Database of IT Infrastructure Components and IT Assets—One of the most tedious but important first steps in conducting a risk or vulnerability assessment is to identify and inventory all IT infrastructure components and assets, and to keep that inventory current as systems are added and retired. Without a complete and accurate inventory, an asset valuation, criticality, or importance evaluation cannot be performed: an asset that is missing from the inventory is never valued, categorized, or assessed.
- Define Risk Assessment Goals and Objectives in Line with Organizational Business Drivers—Defining the risk assessment’s goals and objectives is the second step in conducting a risk assessment for your IT infrastructure components and IT assets. Aligning these goals and objectives with the organization’s business drivers will allow the organization to prioritize and focus on critical systems and assets first given the budget limitations that most organizations face.
- Identify a Consistent Risk Assessment Methodology and Approach for Your Organization—Defining and selecting the risk assessment methodology and approach for your organization will be dependent on the organization’s ability to identify accurate IT infrastructure components and assets, the ability to identify asset value and/or asset importance/criticality to the organization, and how the organization makes business decisions. This will be further examined in Chapter 4, "Risk Assessment Methodologies."
- Conduct an Asset Valuation or Asset Criticality Valuation as per a Defined Standard Definition for the Organization—Depending on the accuracy and availability of inventory documentation and asset valuation data (for example, capital dollars spent on hardware, software, integration, maintenance, staff salaries, G&A overhead), the organization should conduct an asset valuation or asset criticality (importance) assessment to prioritize and determine which IT infrastructure components and assets are most important to the organization (either in monetary value or importance value). This will be further examined in Chapter 4.
- Define and/or Limit the Scope of the Risk Assessment Accordingly by Identifying and Categorizing IT Infrastructure Components and Assets as Critical, Major, and Minor—Depending on the scope of the risk assessment, an organization may or may not have the budget to conduct a thorough risk and vulnerability assessment. In many cases, organizations have limited budgets and must limit the scope to the mission-critical IT infrastructure components and assets only. Although this choice leaves the out-of-scope assets exposed to potential risks, threats, and vulnerabilities, a defense-in-depth approach to assessing and mitigating risks, threats, and vulnerabilities can still be pursued.
- Understand and Evaluate the Risks, Threats, and Vulnerabilities to Those Categorized IT Infrastructure Components and Assets—After the IT infrastructure components and assets are identified and an asset valuation or asset criticality assessment is conducted, the next step in the risk assessment and vulnerability assessment is to assess the impact that potential risks, threats, and vulnerabilities have on the identified IT infrastructure components and assets. By aligning the potential risks, threats, and vulnerabilities to the prioritized IT infrastructure components and assets, management can make sound business decisions based on the value or criticality of that IT asset and the potential risk, threats, and vulnerabilities that are known.
- Define a Consistent Standard or Yardstick of Measurement for Securing the Organization’s Critical, Major, and Minor IT Infrastructure Components and Assets—To properly categorize IT infrastructure components and assets, a consistent standard definition or yardstick of measurement needs to be defined. This standard definition refers to how the organization will define and categorize IT infrastructure components and assets to be Critical, Major, or Minor. This definition can be based on monetary value, requirement by law or mandate, or criticality or importance to the organization. The selection criteria or requirements for defining this standard definition should be defined by management and incorporated into the risk assessment policy when it is drafted and implemented.
- Perform the Risk and Vulnerability Assessment as per the Defined Standard or Yardstick of Measurement for the Organization’s IT Infrastructure Assets—After the standard definition or yardstick of measurement is defined for IT asset categorization, the risk and vulnerability assessment can be aligned to the priorities as defined by the results of the standard definition for categorization of the organization’s IT infrastructure components and assets. This is important given that most organizations have a limited budget for implementing information security countermeasures and must prioritize how they spend funds on information security, especially if they are under compliance requirements with new laws, mandates, and regulations that require them to do so or be subject to penalties.
- Prepare a Risk and Vulnerability Assessment Final Report That Captures the Goals and Objectives Aligned with the Organization’s Business Drivers, Provides a Detailed Summary of Findings, Provides an Objective Assessment and Gap Analysis of Those Assessment Findings to the Defined Standard, and Provides Tactical and Strategic Recommendations for Mitigating Identified Weaknesses—The risk and vulnerability assessment final report is the primary document that presents all the findings, information, assessments, and recommendations for the organization. The final assessment report becomes the instrument for management to make sound business decisions pertaining to the organization’s overall risk and vulnerability assessment and how that organization will mitigate the identified risks, threats, and vulnerabilities.
- Prioritize, Budget, and Implement the Tactical and Strategic Recommendations Identified During the Risk and Vulnerability Assessment Analysis—After the findings, assessment, and recommendations are presented to management, it is important to prioritize them, create a budget, and have a tactical and strategic plan for implementing the recommendations presented in the final report. These recommendations may affect the entire organization and may take months, if not years, to fully implement. Prioritizing the tactical and strategic recommendations enables the organization to make sound business decisions consistent with the defined goals and objectives of the risk and vulnerability assessment.
- Implement Organizational Change Through an Ongoing Security Awareness and Security Training Campaign to Maintain a Consistent Message and Standard Definition for Securing the Organization’s IT Infrastructure and Assets—Implementing organizational change requires an education and security awareness training plan for all employees or authorized users of the organization’s IT systems, resources, and data. Mitigating risk requires every employee and user within the organization to put that security awareness training into practice.
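The steps above (inventory, a management-defined yardstick for Critical/Major/Minor, alignment of known vulnerabilities to the categorized assets, and a policy vulnerability window) can be run as one small pipeline. The following is an added example, not code from the book; the assets, vulnerability identifiers, dollar thresholds, severity scale, and remediation deadlines are all constructed assumptions, and a real organization would substitute the values its own risk assessment policy defines.

```python
"""Toy risk-prioritization pipeline (added example, constructed data).

inventory -> categorization yardstick -> score each known vulnerability
against the asset it affects -> ranked list with policy-window check.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    value_usd: int        # capital + integration + maintenance (constructed)
    regulated: bool       # subject to a law or mandate (e.g. privacy data)
    business_function: str


@dataclass(frozen=True)
class Vuln:
    asset: str            # inventory name of the affected asset
    vuln_id: str          # hypothetical identifier, not a real CVE
    severity: int         # 1 (low) .. 10 (critical), assumed scale
    discovered: date


# Yardstick: the organization's standard definition for categorization.
# Law/mandate dominates, then monetary value. Thresholds are assumptions.
CRITICAL_VALUE_USD = 500_000
MAJOR_VALUE_USD = 50_000
CATEGORY_WEIGHT = {"Critical": 3, "Major": 2, "Minor": 1}


def categorize(asset: Asset) -> str:
    """Apply the yardstick consistently to every asset."""
    if asset.regulated or asset.value_usd >= CRITICAL_VALUE_USD:
        return "Critical"
    if asset.value_usd >= MAJOR_VALUE_USD:
        return "Major"
    return "Minor"


def max_open_days(severity: int) -> int:
    """Policy vulnerability window: days a finding may stay open (assumed)."""
    if severity >= 9:
        return 7
    if severity >= 7:
        return 30
    if severity >= 4:
        return 90
    return 180


def risk_score(asset: Asset, vuln: Vuln) -> int:
    """Asset criticality times vulnerability severity."""
    return CATEGORY_WEIGHT[categorize(asset)] * vuln.severity


def prioritize(assets: list[Asset], vulns: list[Vuln], today: date) -> list[dict]:
    """Rank findings by score, then asset weight, then age; flag policy breaches.

    A vulnerability on an asset that is not in the inventory is an error:
    without the inventory entry there is nothing to value or categorize.
    """
    by_name = {a.name: a for a in assets}
    rows = []
    for v in vulns:
        if v.asset not in by_name:
            raise ValueError(f"{v.vuln_id}: asset {v.asset!r} is not in the inventory")
        a = by_name[v.asset]
        age = (today - v.discovered).days
        rows.append({
            "asset": a.name,
            "category": categorize(a),
            "vuln": v.vuln_id,
            "score": risk_score(a, v),
            "age_days": age,
            "window_exceeded": age > max_open_days(v.severity),
        })
    rows.sort(key=lambda r: (-r["score"], -CATEGORY_WEIGHT[r["category"]], -r["age_days"]))
    return rows


# Constructed inventory and findings for the example.
ASSETS = [
    Asset("core-banking-db", 900_000, True, "transaction ledger"),
    Asset("hr-portal", 80_000, True, "employee privacy data"),
    Asset("public-web", 120_000, False, "marketing site"),
    Asset("dev-wiki", 8_000, False, "internal notes"),
]
VULNS = [
    Vuln("core-banking-db", "VULN-001", 7, date(2024, 1, 1)),
    Vuln("public-web", "VULN-002", 9, date(2024, 2, 20)),
    Vuln("dev-wiki", "VULN-003", 9, date(2024, 1, 15)),
    Vuln("hr-portal", "VULN-004", 3, date(2023, 12, 1)),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for row in prioritize(ASSETS, VULNS, TODAY):
        print(row)
```

Two points the ranking makes visible: hr-portal is Critical despite its modest dollar value because the yardstick puts legal mandate ahead of cost, and the dev-wiki finding, though severe, sorts below it because the asset is Minor. The `window_exceeded` flag turns the policy's vulnerability window into something the final report can list as a gap against the defined standard.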
Defining and implementing these risk assessment best practices does not come easily and requires careful analysis and decision making unique to the organization’s business drivers and priorities as an organization. For example, a bank or financial institution requires more stringent use of encryption technology to ensure confidentiality of privacy data, whereas an organization that is not subject to stringent confidentiality requirements may put less investment in encryption technology and more investment in other areas.
These risk assessment best practices allow an organization to consider the big picture of why it should conduct a risk and vulnerability assessment and how it should methodically approach the assessment. More importantly, these best practices align the organization’s business drivers and defined standards to the risk and vulnerability assessment, assisting management in making sound business decisions based on available budgets, minimum acceptable vulnerability windows, and the importance and criticality of IT infrastructure components and assets.