Cyber Security Assessments

The concept of “risk” is a tricky one to define, as it will differ depending on the criticality of the system or the nature of the data involved. There are numerous factors that go into calculating risk, including what threats you’re facing, how vulnerable your systems are to that threat, and how important the data in question is.

1.1 Identify Threats

The first thing to do is identify the threats you are facing. A threat can be defined as anything that would harm your organization, from an earthquake to complete system shutdown. Threats can take many forms so it’s important to take your time and go through all possibilities. Don’t forget to take into account the treat from within as well, as human error, accidental misuse and malicious insiders account for a drastically high proportion of all security breaches.

1.2 Assess Vulnerabilities

Next, how vulnerable are you to the threats you’ve just outlined? Vulnerabilities are weaknesses that a threat can use to breach your systems and data. Vulnerabilities can be discovered through audits, testing systems and other reviews. How often do you patch and update software company-wide? Are your server rooms easily accessible? How often are passwords changed? How often do employees get security awareness training? These are the kind of questions you should be asking.

• One of the most important part of an IT risk assessment is being able to understand where your most sensitive data resides in your IT environment and which files and folders contain the most critical information. If a file contains a name, it counts as Personally Identifiable Information, but on its own it is useless to a would-be attacker. However, if that same file contains a full address and credit card information, suddenly the potential risk of that file being breached has increased dramatically.

  Using a discovery and classification solution, you can discover, tag and classify your unstructured data to find out where it resides, and which files and folders are most critical.

  For each asset you have identified as valuable, you will need to gather information on how you are storing/handling/securing it to provide a better picture of the risks involved (for example, where is it stored? Who has access to it? What policies are in place for securing it? etc.). Order these assets from most critical to least critical depending on the associated cost of losing it.

• After you’ve identified which data is at risk and what those risks are, you need to look at what controls you currently have in place to plug up vulnerabilities. Controls can be both physical and virtual, from security guards to firewalls and auditing solutions.

  Once you have all this information you should be in a good place to assess what the likelihood and impact of a security threat could have on your organization. It will mostly be an estimation, but it will be informed by all of the previous work you have done.

  Using your assessment of the likelihood of threats, you can suggest what controls you need to put in place as a result. By documenting all the steps and results of your data security risk assessment, you can build up a picture of what actions each department needs to take to mitigate threats. Prioritize these actions according to their criticality and you should be able to see a roadmap in front of you towards better IT security and compliance.