What is a risk assessment?
A risk assessment is one of the most important components of a sound and robust cybersecurity program. A well-conducted risk assessment helps an organization identify where it is most vulnerable and helps it prioritize its security tasks and the deployment of available resources. Before delving into the ins and outs of risk assessments, an important distinction needs to be made: what is the difference between a risk assessment and an audit?
The terms “risk assessment” and “audit” are often used interchangeably and considered to be the same, but this is a common misconception. According to ISACA, risk assessments “are used to identify those items or areas that present the highest risk, vulnerability or exposure to the enterprise for inclusion in the IS annual audit plan.” Conversely, ISACA defines an audit as a “formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.”
To put it simply, a risk assessment is an overview of the technical, physical and administrative controls being implemented by an organization, with the goal of identifying areas of risk for the organization. An audit, on the other hand, is an in-depth review and test of the technical, physical and administrative controls being implemented by an organization, with the goal of determining whether an organization’s controls are being implemented effectively and functioning as intended.
Risk assessments may be conducted for several reasons. In many cases, a risk assessment is required for an organization to maintain compliance with a regulation or standard. For example, risk assessments are required by regulations and standards such as HIPAA, PCI DSS, DFARS, GDPR, New York’s DFS and many more. Additionally, risk assessments are often conducted by organizations for the sole purpose of identifying gaps in their security, in the hope of building a stronger security posture.
Now that we have identified what a risk assessment is, let’s discuss its key components. The core of any risk assessment is to identify all the business processes, information systems, and services that are within the scope of the assessment. For many organizations, every aspect of their environment will be in scope. For other organizations, only a subset of their environment will be within the scope of an assessment. This is a critical step, as it will help prioritize how and where resources are utilized to conduct the assessment. The scope of a risk assessment is typically determined by the regulation, standard or other purposes for which the assessment is being conducted.
Once the scope of the assessment has been identified, the next step is to assess the pertinent technical, physical and administrative controls being implemented by the organization. The goal of this step is to identify areas of risk and vulnerabilities that exist within the organization’s environment, despite the currently implemented controls. This step is critical, as it will determine the overall risk level for the organization.
Once areas of risk and vulnerabilities have been identified, the next step is to assign a risk value to each identified item. Risk values are determined by comparing the impact an exploited vulnerability can have on an organization with the likelihood of the vulnerability being exploited, given the currently implemented controls. For example, a vulnerability that would have a severe impact on an organization if exploited, but has a low likelihood of being exploited, may receive a risk value of “Medium”.
By assigning risk values to all identified risk areas and vulnerabilities, an organization can prioritize its remediation process. For example, an organization may allocate all available resources to mitigating and resolving all “High” level risks first, saving all “Low” level risks for last. Once all areas of risk and vulnerabilities have been assigned a risk value, an overall risk level for the organization can be determined.
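As an added illustration, not part of the original article, the following Python routine applies the impact-versus-likelihood comparison and the High-first remediation ordering described above. The ordinal scales, the score thresholds and the rule that the overall level equals the worst open finding are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass
# Assumed ordinal scales for the two ratings the assessment compares.
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Severe": 4}
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}

def risk_score(impact: str, likelihood: str) -> int:
    """Numeric score (1-12): impact rating times likelihood rating."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def risk_value(impact: str, likelihood: str) -> str:
    """Bucket the score (assumed thresholds); Severe x Low = 4 is Medium, as in the text."""
    score = risk_score(impact, likelihood)
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

@dataclass(frozen=True)
class Finding:
    ident: str
    description: str
    impact: str
    likelihood: str

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Remediation order: High first, Low last (ties keep input order)."""
    return sorted(findings, key=lambda f: risk_score(f.impact, f.likelihood), reverse=True)

def overall_risk_level(findings: list[Finding]) -> str:
    """Assumed rule: the organization's level is its worst open finding."""
    values = {risk_value(f.impact, f.likelihood) for f in findings}
    for level in ("High", "Medium", "Low"):
        if level in values:
            return level
    return "Low"  # nothing in scope carries identified risk

# Constructed sample findings, not taken from any real assessment.
SAMPLE_FINDINGS = [
    Finding("F1", "Offsite backups stored unencrypted", "Severe", "Low"),
    Finding("F2", "Shared administrator password on file server", "High", "High"),
    Finding("F3", "Visitor log not maintained at reception", "Low", "Medium"),
    Finding("F4", "No security awareness training program", "Medium", "High"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_value(f.impact, f.likelihood):6} {f.ident} {f.description}")
    print("Overall risk level:", overall_risk_level(SAMPLE_FINDINGS))
```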
Performing a risk assessment can be a cumbersome process, but it benefits any organization in many ways. A risk assessment improves an organization’s understanding of its environment, which can help improve business processes and overall operational efficiency. While this process may seem like a daunting task, there are many organizations that pride themselves on performing top-level risk assessments for a wide range of regulations, standards and general business needs.