How to Prepare for an Information Security Risk Assessment

It’s finally time for the security risk assessment you’ve been pushing off… 

You may have been delaying because you believe risk assessments aren’t really valuable: that you only have to perform one for compliance, or that it will only tell you things you already know. Or maybe you just can’t invest the time and resources, or you believe one of the many myths about risk assessments.

But perhaps one of the biggest reasons companies drag their feet on getting started with a risk assessment is that they are unclear on how exactly to prepare.

Fortunately, there’s a lot you can do to prepare for an assessment internally. Here are five things you can do to make the flow and process easier and get better results: 

1. Identify your scope.

If you are a large company with many servers, software programs and applications, there will be more to analyze in your risk assessment than for a smaller business with, say, one main server and a limited toolset.

It’s important to get a clear view of the project scope to help define the time and resources you’ll need to complete it. Some risk assessments don’t cover everything at once, focusing instead on one element or business unit.

For instance, you may choose to assess one group of servers or a particular application that you are considering installing or replacing. Define what will be analyzed during the risk assessment internally, or seek a professional, objective opinion on how to best define a realistic scope to meet your business needs.

2. Identify your assets.

Next, you need to understand what items you have that could be at risk. It’s not uncommon for companies to assume that the only things that need to be listed are their physical assets like hardware (computers, mobile devices, servers, etc.), but that’s not the only property you need to protect. 

Consider any sensitive data you house, including personal or patient records, as well as intellectual property and intangible assets such as your organization’s brand and reputation. Also consider your software: applications, tools, operating systems, etc.

It’s important to be comprehensive. Include any of your assets that have been entrusted to suppliers and vendors and consult broadly with other people internally who carry knowledge on how your company operates. 

3. Do a business impact analysis.

While a risk assessment will define your potential loss scenarios, a business impact analysis (BIA) helps to prioritize the value of your assets.

A BIA “predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies,” as Ready.gov so accurately explains.

This impact analysis helps you to identify and evaluate the impact of disasters on your company so that you can develop appropriate recovery strategies. For instance, it estimates how, say, a ransomware attack would affect your sales and income (by delaying or losing money), how much it would cost to fix it (labor, outsourcing expert help, etc.), how much you’d have to pay in penalties or lawsuits if personal data was leaked, and of course, customer and reputation implications.

All this data can feed right into your risk assessment as it helps you calculate the loss expectancy for each risk.

4. Identify your subject matter experts.

Firstly, who will be performing your risk assessment? If it’s internal staff, note exactly who will have a hand in the analysis, and one person experienced in performing risk assessments needs to be the lead. But it doesn’t stop there.

Who knows enough about business processes and operations to be able to articulate their interdependencies and value? Every asset should have an owner, and there may be a separate risk owner. But, there are likely also subject matter experts (SMEs) in specialized areas of your company who will need to be included to articulate the way the assets are relied upon internally.

Identify the owner, the risk owner and any SMEs to consult for each asset. Learn more about the information needed for a risk assessment in our other post: “How to Get the Most Out of a Security Risk Assessment.”

5. Choose the right partner.

Risk assessments can become complicated quickly, as there is a great deal of specialized knowledge and expertise required to perform them thoroughly and correctly. You’ll need someone to help you to evaluate and prioritize the risks and lead the selection of risk treatments so that you can confidently mitigate, avoid or transfer them, or make an informed decision to let certain risks remain.

Depending on the size of your company and your number of assets, risk assessments can also require a lot of time, time your staff probably doesn’t have available to do one thoroughly. That’s why it’s valuable to choose an external risk assessment expert you can trust, with the competence and commitment you need to see your assessment through.

When it comes to screening a risk assessment provider, don’t hold back on asking difficult questions, including how they will ensure that you get the data you need to treat your risks with confidence, not just a pretty risk heat map.

Let Us Help You Prepare

Set yourself up for success, but don’t do all the work yourself. 

The senior-level staff members at Truvantis® can outline exactly what you can do to prepare for a risk assessment with us. Plus, we have the expertise to do the job right.

Our IT security experts are here to make getting a risk assessment seem easy. Contact us today. 