An information security risk assessment is a structured, disciplined process that integrates risk management activities into the enterprise system development life cycle (SDLC). It is also an assessment of how effective your business's security controls actually are.
It is a continuous process rather than a one-off exercise: in the NIST Risk Management Framework (SP 800-37) it corresponds to the Assess step, Step 4 in the diagram above, and it is repeated as part of the Monitor step.
So it is essential. Without one you do not know what is at risk.
Not knowing what is at risk across the IT estate keeps some CXOs awake at night; no senior leader wants to make headlines for the wrong reasons. Making informed risk decisions needs decision fidelity (accurate, current information on threats, likelihood and impact) and a defined path to risk acceptance, so that every residual risk is either treated or explicitly accepted by a named owner.
A good risk assessment does not reduce risk by itself, but it shows where data leaks, intrusions and disruption by professional cyber criminals are most likely and which controls you need for compliance, so that you can reduce it. Beyond that there are some very good reasons to press ahead with one:
Knowing and understanding what you have at risk
Knowing and understanding the business impact and likelihood of risks
Ensuring you have the security controls required by the laws and regulations that apply to you, for example GDPR, PCI DSS, SOX and HIPAA
Making sure your business is managing information security risks, prioritising them, mitigating them and ensuring that risks are not simply ignored
Providing a starting point for fixing weak information security controls and countermeasures in your business.
An information security risk assessment starts with an initialisation and mobilisation phase to understand the important business drivers and define scope. At a high level, an initial risk assessment follows a three-phase process.
Phase 1
Stakeholder interviews and information gathering (including policies, procedures and any prior risk assessment reports)
Business drivers, security drivers and objectives inc. key risk areas and business impact
Scope: confirm the framework(s), e.g. NIST CSF / SP 800-53, ISO 27k, COBIT, ISA, etc., and confirm the security patterns (the expected control baseline) for each security domain, e.g. applications, data, networks, cloud, SDLC, wireless, etc.
Phase 2
Conduct the information security assessment against the baseline controls agreed in the Phase 1 scope.
Capture all relevant evidence of the effectiveness of each control, and record the impact to Confidentiality, Integrity and Availability both without the control (inherent risk) and with the control as actually implemented (residual risk). A control whose residual risk is no lower than the inherent risk is not working, and that is a finding in its own right.
Phase 3
Analyse the results of the risk assessment; for 100 to 200 controls this typically takes a few days.
Write up the risk assessment report, including an executive summary, a risk heatmap and detailed findings with prioritised remediation; see the example NIST Risk Management Framework report outputs above.
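The following is an added worked example of the Phase 2 and Phase 3 arithmetic, not code from the original article or from any NIST publication. It scores each control's inherent risk (likelihood x worst-case CIA impact without the control) and residual risk (the same with the control as implemented), flags controls that make no difference, sorts the register by residual risk and builds the heatmap grid. The 1-5 scales, the maximum-of-CIA rule, the rating bands and the sample worksheet rows are all assumptions for illustration; a real engagement agrees the scales and bands in the Phase 1 scope.

```python
"""Score a control-assessment worksheet into a risk register and heatmap.

Added illustrative example; not part of the original article or of any
NIST publication. Assumes a 1-5 semi-quantitative scale for likelihood and
impact, a worst-case-of-CIA impact rule and the RATING_BANDS below.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1 (very low) .. 5 (very high)

# Assumed bands for likelihood x impact (1..25); agree these with the business.
RATING_BANDS = [(15, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low")]


@dataclass
class ControlAssessment:
    control_id: str          # control identifier from the agreed baseline
    domain: str              # Phase 1 security domain (data, cloud, ...)
    likelihood_without: int  # likelihood of the threat event with no control
    impact_without: tuple    # (C, I, A) impact with no control
    likelihood_with: int     # likelihood observed with the control as implemented
    impact_with: tuple       # (C, I, A) impact with the control as implemented
    evidence: str = ""       # what the assessor saw (Phase 2 capture)


def _check(value, name):
    if value not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {value}")
    return value


def risk_score(likelihood, cia):
    """Likelihood x worst-case CIA impact, on the assumed 1-5 scales."""
    _check(likelihood, "likelihood")
    impact = max(_check(v, "impact") for v in cia)
    return likelihood * impact


def rating(score):
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    raise ValueError("score below scale")


def assess(controls):
    """Return register rows sorted by residual risk, highest first."""
    rows = []
    for c in controls:
        inherent = risk_score(c.likelihood_without, c.impact_without)
        residual = risk_score(c.likelihood_with, c.impact_with)
        rows.append({
            "control": c.control_id,
            "domain": c.domain,
            "inherent": inherent,
            "residual": residual,
            "rating": rating(residual),
            # A control that leaves residual == inherent is doing nothing;
            # report it as a finding rather than silently accepting the risk.
            "ineffective": residual >= inherent,
        })
    rows.sort(key=lambda r: (-r["residual"], r["control"]))
    return rows


def heatmap(controls):
    """5x5 count grid indexed [likelihood-1][impact-1] of residual positions."""
    grid = [[0] * 5 for _ in SCALE]
    for c in controls:
        grid[c.likelihood_with - 1][max(c.impact_with) - 1] += 1
    return grid


def render_heatmap(grid):
    lines = ["L\\I  " + "  ".join(f"I{i}" for i in SCALE)]
    for lk in reversed(SCALE):  # high likelihood at the top
        lines.append(f"L{lk}   " + "  ".join(f"{grid[lk - 1][i - 1]:2d}" for i in SCALE))
    return "\n".join(lines)


# Constructed sample worksheet for illustration, not real assessment data.
SAMPLE = [
    ControlAssessment("AC-2", "identity", 4, (5, 4, 2), 2, (5, 4, 2),
                      "joiner/leaver process enforced, quarterly recertification"),
    ControlAssessment("SC-28", "data", 3, (5, 2, 1), 3, (5, 2, 1),
                      "disk encryption policy exists but is not deployed"),
    ControlAssessment("CP-9", "availability", 3, (1, 2, 5), 2, (1, 2, 3),
                      "nightly backups, restore tested this year"),
    ControlAssessment("SI-2", "applications", 5, (4, 4, 3), 3, (4, 4, 3),
                      "patching within 30 days, no SLA for criticals"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        flag = " (control ineffective)" if row["ineffective"] else ""
        print(f"{row['control']:6} {row['domain']:13} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} {row['rating']}{flag}")
    print(render_heatmap(heatmap(SAMPLE)))
```

Running it lists SC-28 first as Critical and ineffective (the policy exists but nothing is encrypted, so residual equals inherent), which is exactly the kind of result that belongs at the top of the detailed findings, while the grid feeds the heatmap in the executive summary.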