6 Stages of a Security Risk Assessment
by : - By Bojana Dobran
A useful guideline for adopting a risk management framework is provided by the U.S. Dept. of Commerce National Institute of Standards and Technology (NIST). This voluntary framework outlines the stages of ISRM programs that may apply to your business.
1. Identify – Data Risk Analysis
This stage is the process of identifying your digital assets that may include a wide variety of information:
Financial information that must be controlled under Sarbanes-OxleyHealthcare records requiring confidentiality through the application of the Health Insurance Portability and Accountability Act, HIPAA
Company-confidential information such as product development and trade secrets
Personnel data that could expose employees to cybersecurity risks such as identity theft regulations
For those dealing with credit card transactions, compliance with Payment Card Industry Data Security Standard (PCI DSS)
During this stage, you will evaluate not only the risk potential for data loss or theft but also prioritize the steps to be taken to minimize or avoid the risk associated with each type of data.
The result of the Identify stage is to understand your top information security risks and to evaluate any controls you already have in place to mitigate those risks. The analysis in this stage reveals such data security issues as:
Potential threats – physical, environmental, technical, and personnel-related
Controls already in place – secure strong passwords, physical security, use of technology, network access
Data assets that should or must be protected and controlled
This includes categorizing data for security risk management by the level of confidentiality, compliance regulations, financial risk, and acceptable level of risk.
2. Protection – Asset Management
Once you have an awareness of your security risks, you can take steps to safeguard those assets.
This includes a variety of processes, from implementing security policies to installing sophisticated software that provides advanced data risk management capabilities.
Security awareness training of employees in the proper handling of confidential information.
Implement access controls so that only those who genuinely need information have access.
Define security controls required to minimize exposure from security incidents.
For each identified risk, establish the corresponding business “owner” to obtain buy-in for proposed controls and risk tolerance.
Create an information security officer position with a centralized focus on data security risk assessment and risk mitigation.
Your implementation stage includes the adoption of formal policies and data security controls.
These controls will encompass a variety of approaches to data management risks:
Review of identified security threats and existing controls
Creation of new controls for threat detection and containment
Select network security tools for analysis of actual and attempted threats
Install and implement technology for alerts and capturing unauthorized access
4. Security Control Assessment
Both existing and new security controls adopted by your business should undergo regular scrutiny.
Validate that alerts are routed to the right resources for immediate action.
Ensure that as applications are added or updated, there is a continuous data risk analysis.
Network security measures should be tested regularly for effectiveness. If your organization includes audit functions, have controls been reviewed and approved?
Have data business owners (stakeholders) been interviewed to ensure risk management solutions are acceptable? Are they appropriate for the associated vulnerability?
5. Information Security System Authorizations
Now that you have a comprehensive view of your critical data, defined the threats, and established controls for your security management process, how do you ensure its effectiveness?
The authorization stage will help you make this determination:
Are the right individuals notified of on-going threats? Is this done promptly?
Review the alerts generated by your controls – emails, documents, graphs, etc. Who is tracking response to warnings?
This authorization stage must examine not only who is informed, but what actions are taken, and how quickly. When your data is at risk, the reaction time is essential to minimize data theft or loss.
6. Risk Monitoring
Adopting an information risk management framework is critical to providing a secure environment for your technical assets.
Implementing a sophisticated software-driven system of controls and alert management is an effective part of a risk treatment plan.
Continuous monitoring and analysis are critical. Cyber thieves develop new methods of attacking your network and data warehouses daily. To keep pace with this onslaught of activity, you must revisit your reporting, alerts, and metrics regularly.
<To read the full article, pls click here >