If you're an ISO 27001 certified organization, you have heard about the Information Security Risk Assessment. This document is mandatory for audits and assessments and is reviewed and updated every year (at least!). However, does the document capture the actual risks the organization is living with? Does it comprehensively cover all the critical areas of the organization? Does it give you actionable information? If not, don't worry: this post will help you improve your risk assessments.
Let's start with the basics: what do we mean by risk in information security, and how is it assessed?
A "risk" is the likelihood of a threat exploiting a vulnerability, leading to a negative impact on the organization.
From this definition alone, it is clear that risk depends on the following parameters and on how each of them is assessed:
Threats
Vulnerabilities
Likelihood
Impact or consequences on the organization
And the level of risk is calculated based on the following:
Asset rating
Likelihood value
Level of consequences
Existing controls
Based on the "residual" risk level, a decision is taken on whether to mitigate, retain, transfer or avoid the risk.
This is the standard process for risk assessment, but following this process alone will not give you reliable results.
There are areas that are commonly overlooked. In this post, I will cover the top 5 overlooked areas and how to be careful while assessing your information security risks:
The risk assessment is performed by the General Manager of the physical administration team. Based on the threat and vulnerability identified for the asset (UPS), the existing control is recorded.
| Asset | Threat | Vulnerability | Existing control | Level of consequences | Likelihood of occurrence | Risk level | Decision on Risk |
|---|---|---|---|---|---|---|---|
| UPS | Equipment failure / load shedding | Lack of maintenance of UPS battery | Maintenance is done as per the defined period. Agreement in place with the vendor. | | | | |
While determining the level of consequences and likelihood of occurrence, the General Manager referred to the descriptions below for the ratings:

| Level of Consequences | Description |
|---|---|
| Low | No or low financial consequences |
| Medium | Moderate financial consequences |
| High | High financial consequences |

| Likelihood of occurrence | Description |
|---|---|
| Rare | Very unlikely to occur |
| Moderate | Events are expected to occur |
| Almost Certain | Almost certain that the event will occur |
Based on the selected likelihood of occurrence and level of consequences, the risk level was evaluated:

| Risk Level (Likelihood vs. Consequences) | Consequences: Low | Consequences: Medium | Consequences: High |
|---|---|---|---|
| Likelihood: Rare | Low | Moderate | High |
| Likelihood: Moderate | Low | Moderate | High |
| Likelihood: Almost certain | High | High | Extreme |
Below is the final risk level calculated:

| Asset | Threat | Vulnerability | Existing control | Level of consequences | Likelihood of occurrence | Risk level | Decision on Risk |
|---|---|---|---|---|---|---|---|
| UPS | Equipment failure / load shedding | Lack of maintenance of UPS battery | Maintenance is done as per the defined period. Agreement in place with the vendor. | Medium | Rare | Low | Retain |
Since the Risk level was Low, no further action on the Risk is taken.
The problem here is the description of the ratings for consequences and likelihood of occurrence. It doesn't tell the assessor what is meant by Low, Medium or High. Medium for the General Manager can be Low for a Senior Manager. The rating is subjective to the person performing the risk assessment, based on their knowledge and experience. Even assigning numeric values instead of Low, Medium and High will not solve the problem.
How do we eliminate this? By eliminating the subjectivity, or at least reducing it to a level where an impact rating determined as 'Low' will not become 'High' when reviewed. Check the revised ratings below:
| Level of Consequences | Description |
|---|---|
| Low | Considering existing controls, the consequence is determined as Low if at least one of the following conditions is met: |
| Medium | Considering existing controls, the consequence is determined as Medium if at least one of the following conditions is met: |
| High | Considering existing controls, the consequence is determined as High if at least one of the following conditions is met: |

| Likelihood of occurrence | Description |
|---|---|
| Rare | Events have not occurred in the last one year. |
| Moderate | Events have occurred more than once in the last one year, but corrective actions are implemented. |
| Almost Certain | Based on the current incident record, events can occur every quarter. |
The above description is for reference, to demonstrate how to eliminate subjectivity by properly defining the impact parameters. Providing more information for determining the impact ratings helps eliminate subjectivity and gives a more accurate risk posture for the organization.
Consider the example below for unauthorized physical access. The existing control is described as 'Physical access control is implemented.'
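As an added illustration (not code from the original post), the following Python applies the revised likelihood criteria and the page's risk matrix to an incident record, so the likelihood rating is derived from data rather than from the assessor's opinion. The Incident record, the one-year window arithmetic, the treatment rule, and the handling of cases the written criteria do not cover (returning None) are assumptions of mine.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Risk matrix exactly as given on the page: (likelihood, consequence) -> risk level
RISK_MATRIX = {
    ("Rare", "Low"): "Low", ("Rare", "Medium"): "Moderate", ("Rare", "High"): "High",
    ("Moderate", "Low"): "Low", ("Moderate", "Medium"): "Moderate", ("Moderate", "High"): "High",
    ("Almost Certain", "Low"): "High", ("Almost Certain", "Medium"): "High",
    ("Almost Certain", "High"): "Extreme",
}

@dataclass
class Incident:
    occurred: date
    asset: str
    corrective_action_done: bool

def likelihood_from_record(incidents, asset, as_of):
    """Likelihood from the incident record per the page's revised criteria. Returns None
    when the record is not covered by the written criteria (assumption: refine, don't guess)."""
    window_start = as_of - timedelta(days=365)
    recent = [i for i in incidents if i.asset == asset and window_start <= i.occurred <= as_of]
    if not recent:
        return "Rare"             # no event in the last year
    if len(recent) >= 4:
        return "Almost Certain"   # at least one event per quarter
    if len(recent) > 1 and all(i.corrective_action_done for i in recent):
        return "Moderate"         # recurred, but corrective actions are in place
    return None                   # single event, or repeats without corrective action

def risk_level(likelihood, consequence):
    return RISK_MATRIX[(likelihood, consequence)]

def assess(asset, consequence, incidents, as_of):
    likelihood = likelihood_from_record(incidents, asset, as_of)
    if likelihood is None:
        return None
    level = risk_level(likelihood, consequence)
    # Assumed treatment rule: Low is retained (as in the page's UPS example),
    # anything higher is escalated for a mitigate/transfer/avoid decision.
    action = "Retain" if level == "Low" else "Escalate for treatment decision"
    return {"likelihood": likelihood, "risk_level": level, "decision": action}

# Constructed incident record for the page's UPS example (not real data)
AS_OF = date(2024, 1, 1)
UPS_INCIDENTS = [
    Incident(date(2023, 3, 2), "UPS", True),    # load shedding, battery replaced
    Incident(date(2023, 9, 15), "UPS", True),   # second event, maintenance cycle shortened
    Incident(date(2021, 6, 1), "UPS", False),   # outside the one-year window, ignored
]
```

Running `assess("UPS", "Medium", UPS_INCIDENTS, AS_OF)` rates the likelihood Moderate from the two in-window events, which the matrix turns into a Moderate risk; a single in-window event returns None, exposing a case the page's criteria leave undefined.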
| Asset | Threat | Vulnerability | Existing control | Level of consequences | Likelihood of occurrence | Risk level | Decision on Risk |
|---|---|---|---|---|---|---|---|
| Secure Area | Unauthorised physical access | No access control / poor access control | Physical access control is implemented. | Medium | Rare | Low | Retain |
This is a very generic description of the control in place. From it, one cannot assess how strong the control is in terms of implementation and coverage. Now consider the example below.
| Asset | Threat | Vulnerability | Existing control | Level of consequences | Likelihood of occurrence | Risk level | Decision on Risk |
|---|---|---|---|---|---|---|---|
| Secure Area | Unauthorised physical access | No access control / poor access control | Physical access control is implemented at all the entry and exit points in the Secure Area. Access is given after formal approval and revoked as per the offboarding process. Visitor entry is restricted in the Secure Area. The access control system is implemented by a vendor with 24*7 support in place. | Medium | Rare | Low | Retain |
By mentioning the specific controls, as in the above example, the assessor can then evaluate the level of consequences and likelihood of occurrence for the risk. This will improve the overall risk assessment process.
3. Not Assessing the risks of the controls implemented.
Consider the below example for a risk identified in the secure area.
| Asset | Threat | Vulnerability | Existing control | Level of consequences | Likelihood of occurrence | Risk level | Decision on Risk |
|---|---|---|---|---|---|---|---|
| Secure Area | Unauthorized physical access | No monitoring in place | CCTV is installed at strategic areas. Footage is retained for 30 days. | Medium | Rare | Low | Retain |
Here the existing control is CCTV for surveillance and monitoring. But CCTV requires electricity to work. What if there is a power outage? The control will fail and monitoring will stop. The risks of the implemented controls should also be covered in the risk assessment, as an implemented control may carry inherent risk of its own. This practice will ensure wide coverage of the organisation's risks.
Consider a scenario where the IT team wants to procure a network IPS device. The device POC is done and the IPS is implemented. Later on there is an incident and the IT team extracts the event log from the device. The device can store logs only for 30 days, whereas the team wanted to investigate logs older than 30 days, which they failed to do due to the device limitation. The organization has defined in its policy that logs shall be retained for 3 months; however, the team didn't assess the application's risks during the procurement process.
This was a gap as the risk assessment was not integrated with the process. The same can happen while onboarding new vendors, procuring new systems or software.
The risk assessment should be integrated with processes to identify and mitigate such risks.
Once a risk is identified as High or Very High and management decides to mitigate it by implementing a control, this is documented in the risk assessment or mitigation plan with an action date and responsibility. This is how the process usually goes. However, the document is then closed and is only opened again in the next revision cycle. The problem arises because the action items are not tracked. People assigned the responsibility may leave the organization, and their replacement would be unaware of the risk and its mitigation plan. Also, based on further evaluation, a mitigation plan may be modified or a different mitigation plan proposed, and this isn't updated in the plan. This gap in the process leads to the organization missing the implementation timeline and living with the risk.
Such a gap can be closed by ensuring that the mitigation plan is tracked, either by the information security implementation team or by the CISO. This can also be automated by logging the action plan in the current issue tracking system so that it is not overlooked. Changes to such an action plan will then also be tracked, with revised timelines as applicable.
If you have overlooked any of the above areas, it is high time to work on them. This will take time and effort but will definitely improve the information security posture of the organization, as risk assessments are the backbone of information security.