Risk Assessment

Every organization should be performing some type of risk assessment. Risk assessments vary in nature and depth, but each should lay out risks from both a business and a technical perspective. Often you will find that an organization is not performing a risk assessment at all.

Business Risk Assessment

A business risk assessment should address the following.

  1. Insider Threats
  2. Business Continuity and Crisis Management
  3. Legal Risks (data privacy; compliance with federal, state, and country-specific laws)
  4. Cyber Insurance (vertical-specific)
  5. Data Mapping (where the data is, customer data in particular)
  6. Managed Services
  7. Sub-processors (other organizations that process data on the business's behalf)

It will be your job to help lead these discussions with the business and document the results. From these conversations you will be able to lay out the risks from a business perspective and define which risks the organization is exposed to.

The technical risk assessment spans multiple domains, and how many of them you cover depends on how in-depth you want to assess the organization. What should be included in a typical technical risk assessment is listed below.

Technical Risk Assessment

  1. Asset Management
  2. Identity and Access Management
  3. User Access Reviews
  4. Third-Party Penetration Test
  5. Vulnerability Scanning
  6. Log Aggregation
  7. Intrusion Detection and Prevention
  8. Managed Services (technical consulting)
  9. Code Vulnerability Scanning
  10. Change Management

The items above will not apply to every organization; the list is meant as a guide. At a minimum, every organization should be running internal vulnerability scans of its infrastructure, scanning code before it is deployed to production, and having a penetration test performed by a third party.

Log aggregation is the means of detecting and responding to events before they become critical or, worse, turn into a crisis for the organization. Log aggregation can be expensive; as lead implementer you should help come up with a solution that fits the organization's budget and needs.

If you are a lead implementer, use the templates we have defined to guide the organization through this process. After the risk assessments are completed, it is your job to communicate the findings to the organization and then move on to the risk remediation phase.

Developing a Risk Matrix

The table below is a snapshot of what the final report to an organization's management team should look like. Severity rates the impact if the risk materializes, and the probability column rates how likely it is to occur; the two are independent, which is why a critical risk can carry a low probability. The report should address critical and high findings first, then medium findings. Low findings belong in the full report but are redacted from the management or executive report unless the management team states otherwise.

Example:

Severity   Identified Risk   Probability of Risk Occurring
Critical   "Risk 1"          23%
High       "Risk 2"          85%
Medium     "Risk 3"          15%
Low        "Risk 4"          27%
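The following is an added example, not one of the templates this page refers to, showing how the reporting rule above can be applied to a list of findings: order by severity band (critical and high first, then medium), break ties by probability, and redact low findings from the management report unless management asks for them. The four-level impact weights and the combined score are assumptions of this example, not something the page defines; the four findings are constructed to mirror the table above.

```python
"""Risk matrix helper: rank findings and build the management report.

Added example, not the page's own template. Assumes each finding has a
severity (Critical/High/Medium/Low, read as impact if the risk materializes)
and a probability of occurrence in percent.
"""
from dataclasses import dataclass
from typing import List

# Assumption: a four-level impact scale; the page only names the bands.
SEVERITY_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    severity: str      # impact band: Critical, High, Medium or Low
    risk: str          # short description of the identified risk
    probability: int   # likelihood of occurrence, percent (0-100)

    def __post_init__(self) -> None:
        # Reject typos in the severity band and out-of-range probabilities
        # before they silently fall to the bottom of the report.
        if self.severity not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity: {self.severity!r}")
        if not 0 <= self.probability <= 100:
            raise ValueError(f"probability out of range: {self.probability}")

    @property
    def score(self) -> float:
        """Impact weight times likelihood (0..4). Assumption of this example:
        a single number for discussing whether a High at 85% deserves more
        attention than a Critical at 23%."""
        return SEVERITY_WEIGHT[self.severity] * self.probability / 100


def rank(findings: List[Finding]) -> List[Finding]:
    """Severity band first (Critical before Low), then higher probability first."""
    return sorted(findings, key=lambda f: (-SEVERITY_WEIGHT[f.severity], -f.probability))


def management_report(findings: List[Finding], include_low: bool = False) -> List[Finding]:
    """Critical/High, then Medium; Low is redacted unless management asks for it."""
    ordered = rank(findings)
    if include_low:
        return ordered
    return [f for f in ordered if f.severity != "Low"]


def render(findings: List[Finding]) -> str:
    """Plain-text table with the same columns as the page's example."""
    header = f"{'Severity':<9} {'Identified Risk':<20} {'Probability':>11}"
    rows = [f"{f.severity:<9} {f.risk:<20} {f.probability:>10}%" for f in findings]
    return "\n".join([header] + rows)


# Constructed sample data mirroring the page's example table.
SAMPLE = [
    Finding("Critical", "Risk 1", 23),
    Finding("High", "Risk 2", 85),
    Finding("Medium", "Risk 3", 15),
    Finding("Low", "Risk 4", 27),
]

if __name__ == "__main__":
    print("Management report (Low redacted):")
    print(render(management_report(SAMPLE)))
    print()
    print("Full report:")
    print(render(management_report(SAMPLE, include_low=True)))
```

The ordering follows the page's rule of severity band first; the score is there so that, when management asks why a 23% Critical sits above an 85% High, you have the combined number at hand rather than only the band.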