The cybercriminals are still on top of their game, changing targets and tactics. The work-from-home revolution continues and the drive for automation continues across industries. All of these changes affect cybersecurity risk and those profiles should be considered in our information security plan.
This points to the need for risk assessments to be a regular practice, not only an annual exercise, and the examiners agree. We have heard many calls for ongoing risk assessments, especially when implementing new security tools that require privileged access, citing the recent supply chain attacks as the poster child for understanding and limiting access to the minimum necessary and ensuring proper controls are in place.
So, how do we go about this?
- Identify the trigger: When a new system, tool, or change is identified, assess the level and risk of the change. If the change is more than a regular software update, you may want to consider performing a risk assessment based on the guidance in your change management program. See our blog post: Does your Change Management Process need a conversion? for more on risk rating changes.
- Perform the assessment: Since we regularly assess cybersecurity risk on at least an annual basis, this step should be straightforward. As a quick refresher, look at the potential risks to the confidentiality, integrity, and availability of the asset and information. This could be through vulnerabilities, social engineering, weak passwords/or authentication methods, etc. Next, list the controls and their effectiveness (being honest and fair!) and rate the residual risk. If it’s all ending in green or low risk…either you’re spending a lot of resources on security or maybe not being realistic. Everything is not always green and that’s ok!
- Ensure you’re looking at implementation risks: These are very straightforward if you can take a step back. We are implementing a new system, so everything can potentially change. Have we adequately communicated the change? Do we have a solid training plan for users? Will this impact our customers? Do we need to adapt upstream processes to ensure we have adequate inputs? Do we need to adjust outputs to accommodate downstream processes? How about sunsetting the old systems?
- Use your regular risk response processes: The governance team should decide whether to mitigate, avoid, accept or transfer the risk. Most commonly, this is a decision to mitigate the risk by enhancing controls. If the team decides to accept the risk, this should be documented, including management’s view of the risk and communicated through the governance process, and revisited at least annually.
- Add this assessment to your overall risk profile: This addition could change your overall risk profile and certainly should be included in assessments and reporting going forward. So whether you’re using a GRC platform or excel workbook, ensure this gets added in with your other assets and assessments.
If you need help with your risk assessments or understanding the process, please contact us at support@bedelsecurity.com.
Additional Resources:
Inherent and Residual Risk
https://www.bedelsecurity.com/blog/inherent-and-residual-risk
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
The Most Underrated Control in Information Security
https://www.bedelsecurity.com/blog/the-most-underrated-control-in-information-security
IT Risk Assessment vs. Vendor Risk Assessment Simplified
https://www.bedelsecurity.com/blog/it-risk-assessment-vs.-vendor-risk-assessment-simplified