{"id":6915,"date":"2021-05-26T21:34:46","date_gmt":"2021-05-26T19:34:46","guid":{"rendered":"https:\/\/tekmart.co.za\/t-blog\/?p=6915"},"modified":"2021-05-26T21:36:25","modified_gmt":"2021-05-26T19:36:25","slug":"a-step-by-step-framework-on-how-to-perform-a-cybersecurity-risk-assessment","status":"publish","type":"post","link":"https:\/\/tekmart.co.za\/t-blog\/a-step-by-step-framework-on-how-to-perform-a-cybersecurity-risk-assessment\/","title":{"rendered":"A step by step framework on how to perform a cybersecurity risk assessment."},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 5<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<h2 class=\"wp-block-heading\"><strong>This five-step framework for performing a cybersecurity risk assessment will help your organization prevent and reduce costly security incidents and avoid compliance issues.<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/onlineImages\/Cobb_Michael.PNG\" alt=\"Michael Cobb\"\/><\/figure>\n\n\n\n<p>By <a href=\"https:\/\/www.techtarget.com\/contributor\/Michael-Cobb\">Michael Cobb<\/a><\/p>\n\n\n\n<p>Practically every organization has internet connectivity and some form of IT infrastructure, which means nearly all organizations are at risk of a cyber attack. To understand how great this risk is and to be able to manage it, organizations need to complete a cybersecurity risk assessment, a process that identifies which assets are most vulnerable to the risks the organization faces.<\/p>\n\n\n\n<p>Mitigating the risks identified during the assessment will prevent and reduce costly security incidents and data breaches and avoid regulatory and compliance issues. 
The risk assessment process also obliges everyone within an organization to consider how cybersecurity risks can impact the organization&#8217;s objectives, which helps to\u00a0create a more risk-aware culture. So, what is at the heart of a cybersecurity risk assessment?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What does a cybersecurity risk assessment entail?<\/strong><\/h3>\n\n\n\n<p>A cybersecurity risk assessment requires an organization to determine its key business objectives and identify the information technology assets that are essential to realizing those objectives. It&#8217;s then a case of\u00a0identifying cyber attacks\u00a0that could adversely affect those assets, deciding on the likelihood of those attacks occurring, and the impact they may have; in sum, building a complete picture of the threat environment for particular business objectives. <\/p>\n\n\n\n<p>This allows stakeholders and security teams to make informed decisions about how and where to implement security controls to reduce the overall risk to one with which the organization is comfortable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>How to perform a cybersecurity risk assessment: 5 steps<\/strong><\/h3>\n\n\n\n<p>A cybersecurity risk assessment can be split into many parts, but the five main steps are scoping, risk identification, risk analysis, risk evaluation and documentation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"575\" height=\"504\" src=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5-cybersecurity-risk-assessment-steps.png\" alt=\"5 cybersecurity risk assessment steps\" class=\"wp-image-6917\" srcset=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5-cybersecurity-risk-assessment-steps.png 575w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5-cybersecurity-risk-assessment-steps-300x263.png 300w\" sizes=\"(max-width: 575px) 100vw, 575px\" 
\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Scoping<\/strong><\/h3>\n\n\n\n<p>A risk assessment starts by deciding what is in scope of the assessment. It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, location or a specific aspect of the business, such as payment processing or a web application. It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment, as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts and\u00a0defining risk tolerance levels. A third party specializing in risk assessments may be needed to help them through what is a resource-intensive exercise.<\/p>\n\n\n\n<p>Everyone involved should be familiar with the terminology used in a risk assessment, such as likelihood and impact, so that there is a common understanding of how the risk is framed. Prior to undertaking a risk assessment, it is well worth reviewing standards like\u00a0ISO\/IEC 27001\u00a0and frameworks such as\u00a0NIST SP 800-37, which can help guide organizations on how to assess their information security risks in a structured manner and ensure mitigating controls are appropriate and effective.<\/p>\n\n\n\n<p>Various standards and laws such as HIPAA, Sarbanes-Oxley, and\u00a0PCI DSS\u00a0require organizations to complete a formalized risk assessment and often provide guidelines and recommendations on how to complete them. 
However,\u00a0avoid a compliance-oriented, checklist approach\u00a0when undertaking an assessment, as simply fulfilling compliance requirements doesn&#8217;t necessarily mean an organization is not exposed to any risks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Risk identification<\/strong><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>2.1 Identify assets<\/strong><\/h4>\n\n\n\n<p>You can&#8217;t protect what you don&#8217;t know, so the next task is to identify and create an inventory of all physical and logical assets that are within the scope of the risk assessment. When identifying assets, it is important to not only establish those which are considered the organization&#8217;s\u00a0<em>crown jewels<\/em>\u00a0&#8212; assets critical to the business and probably the main target of attackers &#8212; but also assets attackers would want to take control over, such as an\u00a0Active Directory server\u00a0or picture archive and communications systems, to use as a pivot point to expand an attack. Creating a\u00a0network architecture diagram\u00a0from the asset inventory list is a great way to visualize the interconnectivity and communication paths between assets and processes as well as entry points into the network, making the next task of identifying threats easier.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>2.2 Identify threats<\/strong><\/h4>\n\n\n\n<p>Threats are the tactics, techniques, and methods used by threat actors that have the potential to cause harm to an organization&#8217;s assets. To help identify potential threats to each asset, use a threat library like the\u00a0MITRE ATT&amp;CK Knowledge Base\u00a0and consider where each asset sits in the\u00a0Lockheed Martin cyber kill chain, as this will help determine the types of protection they need. 
The cyber kill chain maps out the stages and objectives of a typical real-world attack.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>2.3 Identify what could go wrong<\/strong><\/h4>\n\n\n\n<p>This task involves specifying the consequences of an identified threat exploiting a vulnerability to attack an in-scope asset. For example:<\/p>\n\n\n\n<p>Threat:&nbsp;<strong>An attacker performs an SQL injection on an<\/strong><\/p>\n\n\n\n<p>Vulnerability:&nbsp;<strong>unpatched<\/strong><\/p>\n\n\n\n<p>Asset:&nbsp;<strong>web server<\/strong><\/p>\n\n\n\n<p>Consequence:&nbsp;<strong>to steal customers&#8217; private data.<\/strong><\/p>\n\n\n\n<p>Summarizing this information in simple scenarios like this makes it easier for all stakeholders to understand the risks they face in relation to key business objectives and for security teams to identify appropriate measures and best practices to address the risk.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Risk analysis<\/strong><\/h3>\n\n\n\n<p>Now it is time to determine the likelihood of the risk scenarios documented in Step 2 actually occurring, and the impact on the organization if it did happen. In a cybersecurity risk assessment, risk likelihood &#8212; the probability that a given threat is capable of exploiting a given vulnerability &#8212; should be determined based on the discoverability, exploitability and reproducibility of threats and vulnerabilities rather than historical occurrences. 
This is because the dynamic nature of cybersecurity threats means&nbsp;<em>likelihood<\/em>&nbsp;is not as closely linked to the frequency of past occurrences as it is for events like flooding and earthquakes, for example.<\/p>\n\n\n\n<p>Ranking <em>likelihood<\/em> on a scale of 1 (&#8220;Rare&#8221;) to 5 (&#8220;Highly Likely&#8221;), and <em>impact<\/em> on a scale of 1 (&#8220;Negligible&#8221;) to 5 (&#8220;Very Severe&#8221;), makes it straightforward to create the risk matrix illustrated below in Step 4.<\/p>\n\n\n\n<p>Impact refers to the magnitude of harm to the organization resulting from the consequences of a threat exploiting a vulnerability. The impact on confidentiality, integrity and availability should be assessed in each scenario, with the highest impact used as the final score. This aspect of the assessment is subjective in nature, which is why input from stakeholders and security experts is so important. Taking the\u00a0SQL injection\u00a0above, the impact rating on confidentiality would probably be ranked as &#8220;Very Severe.&#8221;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Determine and prioritize risks<\/strong><\/h3>\n\n\n\n<p>Using a risk matrix like the one below, where the risk level is &#8220;Likelihood times Impact,&#8221; each risk scenario can be classified. 
If the risk of a SQL injection attack were considered &#8220;Likely&#8221; or &#8220;Highly Likely&#8221; our example risk scenario would be classified as &#8220;Very High.&#8221;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"584\" src=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix-1024x584.png\" alt=\"5x5 risk matrix\" class=\"wp-image-6916\" srcset=\"https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix-1024x584.png 1024w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix-300x171.png 300w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix-768x438.png 768w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix-800x456.png 800w, https:\/\/tekmart.co.za\/t-blog\/wp-content\/uploads\/2021\/05\/5x5-risk-matrix.png 1200w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption><strong>Figure 1: 5&#215;5 risk matrix<\/strong><\/figcaption><\/figure>\n\n\n\n<p>Any scenario that is above the agreed-upon tolerance level should be prioritized for treatment to bring it within the organization&#8217;s risk tolerance level. There are three ways of doing this:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><strong>Avoid.<\/strong>&nbsp;If the risk outweighs the benefits, discontinuing an activity may be the best course of action if it means no longer being exposed to it.<\/li><li><strong>Transfer.<\/strong>&nbsp;Share a portion of the risk with other parties through cyber insurance or outsourcing certain operations to third parties.<\/li><li><strong>Mitigate.<\/strong>&nbsp;Deploy security controls and other measures to reduce the Likelihood and\/or Impact and therefore the risk level.<\/li><\/ol>\n\n\n\n<p>However, no system or environment can be made 100% secure, so there is always some risk left over. 
This is called\u00a0residual risk\u00a0and must be formally accepted by senior stakeholders as part of the\u00a0organization&#8217;s cybersecurity strategy.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 5: Documentation<\/strong><\/h3>\n\n\n\n<p>It&#8217;s important to document all identified risk scenarios in a\u00a0risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks. It should include:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Risk scenario<\/li><li>Identification date<\/li><li>Existing security controls<\/li><li>Current risk level<\/li><li>Treatment plan &#8212; the planned activities and timeline to bring the risk within an acceptable risk tolerance level<\/li><li>Progress status &#8212; the status of implementing the treatment plan<\/li><li>Residual risk &#8212; the risk level after the treatment plan is implemented<\/li><li>Risk owner &#8212; the individual or group responsible for ensuring that the residual risks remain within the tolerance level<\/li><\/ul>\n\n\n\n<p>A cybersecurity risk assessment is a large and ongoing undertaking, so time and resources need to be made available if it is going to improve the future security of the organization. 
It will need to be repeated as new threats arise and new systems or activities are introduced, but done well the first time around, it will provide a repeatable process and template for future assessments, whilst reducing the chances of a cyber attack adversely affecting business objectives.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time-approximately:<\/span> <span class=\"rt-time\"> 5<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>This five-step framework for performing a cybersecurity risk assessment will help your organization prevent and reduce costly security incidents and avoid compliance issues. By Michael Cobb Practically every organization has internet connectivity and some form of IT infrastructure, which means nearly all organizations are at risk of a cyber attack. To understand how great this risk is and to be<\/p>\n<p><a class=\"more-link\" href=\"https:\/\/tekmart.co.za\/t-blog\/a-step-by-step-framework-on-how-to-perform-a-cybersecurity-risk-assessment\/\">Read 
More<\/a><\/p>\n","protected":false},"author":113,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[155,4,30,3,184,262,261,147],"tags":[],"class_list":["post-6915","post","type-post","status-publish","format-standard","hentry","category-batting-for-tech-in-the-covid-19-times","category-datacenter-news","category-expert-advise-and-opinion","category-industry-news-and-expert-advise","category-msps-and-cybersecurity","category-risk-assessments-metrics-and-frameworks","category-risk-management-strategies","category-security"],"_links":{"self":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/users\/113"}],"replies":[{"embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/comments?post=6915"}],"version-history":[{"count":1,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6915\/revisions"}],"predecessor-version":[{"id":6918,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/posts\/6915\/revisions\/6918"}],"wp:attachment":[{"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/media?parent=6915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/categories?post=6915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tekmart.co.za\/t-blog\/wp-json\/wp\/v2\/tags?post=6915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}