Risk Assessments: What Are They and Why Are They Important?

March 28, 2018 | Views: 3639

What is a risk assessment? A risk assessment is one of the most important components of a sound and robust cybersecurity program. A well-conducted risk assessment will help an organization identify where it is most vulnerable and will help prioritize its security tasks and the deployment of available resources. Before delving into the ins and outs of risk assessments, an important distinction needs to be made: what is the difference between a risk assessment and an audit?
The terms “risk assessment” and “audit” are often used interchangeably and considered to be the same, but this is a common misconception. According to ISACA, risk assessments “are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.” Conversely, ISACA defines an audit as a “formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.”
To put it simply, a risk assessment is an overview of the technical, physical and administrative controls being implemented by an organization, with the goal of identifying areas of risk for the organization. An audit, on the other hand, is an in-depth review and test of the technical, physical and administrative controls being implemented by an organization, with the goal of determining whether an organization’s controls are being implemented effectively and functioning as intended.
Risk assessments may be conducted for several reasons. In many cases, risk assessments are required for an organization to maintain compliance with a regulation or standard. For example, risk assessments are required for regulations and standards such as HIPAA, PCI DSS, DFARS, GDPR, New York’s DFS and many more. Additionally, risk assessments are often conducted by organizations for the sole purpose of identifying gaps in their security, with the hopes of building a stronger security posture.
Now that we have identified what a risk assessment is, let’s discuss its key components. The core of any risk assessment is identifying all the business processes, information systems, and services that are within the scope of the assessment. For many organizations, every aspect of their environment will be in scope. For other organizations, only a subset of their environment will be within the scope of an assessment. This is a critical step, as it determines how and where resources are utilized to conduct the assessment. The scope of a risk assessment is typically determined by the regulation, standard or other purpose for which the assessment is being conducted.
Once the scope of the assessment has been identified, the next step is to assess the pertinent technical, physical and administrative controls being implemented by the organization. The goal of this step is to identify areas of risk and vulnerabilities that exist within the organization’s environment, despite the currently implemented controls. This step is critical, as it will determine the overall risk level for the organization.
Once areas of risk and vulnerabilities have been identified, the next step is to assign a risk value to each identified item. Risk values are determined by comparing the impact an exploited vulnerability can have on an organization with the likelihood of the vulnerability being exploited, given the currently implemented controls. For example, a vulnerability that would have a severe impact on an organization if exploited, but has a low likelihood of being exploited, may receive a risk value of “Medium”.
By assigning risk values to all identified risk areas and vulnerabilities, an organization can prioritize its remediation process. For example, an organization may allocate all available resources to mitigating and resolving all “High” level risks first, saving all “Low” level risks for last. Once all areas of risk and vulnerabilities have been assigned a risk value, an overall risk level for the organization can be determined.
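The scoring and prioritization steps described in the two paragraphs above, as an added Python example (not code from the post or from Cybrary). The post gives only one data point (severe impact with low likelihood yields “Medium”) and does not specify a scoring model; the three-point impact and likelihood scales, the multiplicative score, the Low/Medium/High thresholds, and the rule that the organization’s overall level is that of its worst finding are all assumptions of this example, chosen so that the post’s data point holds. The findings are constructed sample data.

```python
"""Risk-value assignment and remediation ordering.

Added example, not from the original post. Assumptions not stated on the page:
- impact and likelihood are each rated on a three-point ordinal scale;
- the risk score is the product of the two ratings, bucketed into Low/Medium/High;
- the organization's overall risk level is the highest risk value among its findings.
The post's one worked case (Severe impact, Low likelihood -> "Medium") is satisfied.
"""
from dataclasses import dataclass

IMPACT = {"Low": 1, "Moderate": 2, "Severe": 3}        # assumed scale
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}        # assumed scale
RISK_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Finding:
    """One identified area of risk or vulnerability."""
    name: str
    impact: str       # key of IMPACT: effect on the organization if exploited
    likelihood: str   # key of LIKELIHOOD: judged with current controls in place


def risk_score(impact: str, likelihood: str) -> int:
    """Numeric score 1..9 under the assumed multiplicative model."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_value(impact: str, likelihood: str) -> str:
    """Bucket the score into the post's Low / Medium / High vocabulary."""
    score = risk_score(impact, likelihood)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order for remediation: High first, Low last; score breaks ties within a bucket."""
    return sorted(findings, key=lambda f: risk_score(f.impact, f.likelihood), reverse=True)


def overall_risk_level(findings: list[Finding]) -> str:
    """Assumed rule: the organization inherits the risk value of its worst finding."""
    if not findings:
        return "Low"
    return max((risk_value(f.impact, f.likelihood) for f in findings),
               key=RISK_ORDER.__getitem__)


# Constructed sample findings, not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing web server", "Severe", "High"),
    Finding("Backup tapes stored unencrypted off-site", "Severe", "Low"),
    Finding("Shared printer admin password", "Low", "Medium"),
    Finding("No MFA on VPN for contractors", "Moderate", "High"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_value(f.impact, f.likelihood):6} {f.name}")
    print("Overall risk level:", overall_risk_level(SAMPLE_FINDINGS))
```

The point of keeping `risk_score` separate from `risk_value` is that the bucket thresholds are a policy choice an organization should document alongside its scales; changing them must not silently reorder findings that were already reported, which is why `prioritize` sorts on the underlying score rather than on the label.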
Performing a risk assessment can be a cumbersome process, but it will benefit any organization in many ways. Risk assessments will help improve an organization’s understanding of its environment, which can help improve business processes and overall operational efficiency. While this process may seem like a daunting task, there are many organizations that pride themselves on performing top-level risk assessments for a wide range of regulations, standards and general business needs.
1 Comment
  1. Great post
    Good content …thanks
