© Copyright 2010-2019 Brier & Thorn, Inc.

IT Risk Assessment

WHY WE DO IT

You know that best practice is to perform a penetration test every year: a sanctioned, simulated, real-world attack on your network to identify the state of your IT security posture. But what about an IT risk assessment?

How do you know what to protect if you (a) don’t know where it is and (b) don’t know what it is? How do you know where to place endpoint and network security controls? What are your highest-risk assets? Is it economical to try to protect the entire network and all of its systems, or only the ones you know store the “crown jewels”? Wouldn’t the former be a lot like trying to boil the ocean?

The fact of the matter is, you don’t know what you don’t know, and what you don’t know is whether the data (your crown jewels) is only where it’s supposed to be, such as the NetApp servers or file shares, or whether it has been copied to other systems and shared folders. It also wouldn’t be economical to treat every asset in the network as a high-risk asset that needs protection. Would you, for example, secure your workstations the same way you’d secure the NAS containing all the sensitive data? What about DLP: where should it go, and should you use endpoint or network security controls?

What are your assets? Is your asset inventory maintained and updated in real time by an automated asset management solution, or is it manual? Do you even have an asset register? If so, which are your highest-risk assets and who owns them? What are the most likely threats to your organization, the vulnerabilities most likely to be exploited, and the potential impact? Is it feasible to treat every risk, or only the ones unacceptable to the business? How do you know which risks are unacceptable?

WHAT WE DO

All of these questions are answered by an IT risk assessment. Simply put, an IT risk assessment identifies the information assets your business relies on to achieve its objectives, the threats and vulnerabilities that affect them, and the resulting risk; risk treatment then decides what countermeasures, if any, to take to reduce each risk to an acceptable level.

The output of an IT risk assessment is an asset register listing each asset, its owner, and a score based on the criticality of that asset to the business. A risk assessment table with the risk score for each asset class is also produced, along with an IT risk treatment plan. These are the results of both an asset-based and a scenario-based risk assessment.

HOW WE DO IT

To accomplish this, we first determine the scope of your information security management system (ISMS), the set of policies and procedures for systematically managing an organization’s sensitive data. What are the physical and logical scope of your ISMS, meaning which physical locations and IT systems process, transmit, and store your company’s “crown jewels” or sensitive data? Once these assets have been identified in their respective departments, we identify each asset’s owner and document both in an asset register, where each asset is scored on the impact to the business if its confidentiality, integrity, or availability were adversely affected by an event.

The threats and vulnerabilities affecting each asset class are then identified and scored, and these scores drive the overall risk score of the asset class. Once the threat-vulnerability pairs are identified, a final score is generated for each asset class and compared with the maximum risk tolerance of the business. Any asset class with a score above this tolerance is carried into a risk treatment plan with prescribed steps to bring the risk of that asset class down to a level acceptable to the business.
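As an added worked example (not Brier & Thorn’s own tooling or template), the following Python models the steps above: an asset register scored on confidentiality, integrity and availability impact, threat-vulnerability pairs scored per asset class, a risk score per class, and a treatment plan for every class that exceeds the business’s tolerance. The 1-5 scales, the formulas (class impact as the worst of C, I and A across its members; incident likelihood as the rounded-up mean of threat likelihood and ease of exploitation; risk as impact times likelihood, taking the worst pair per class), the tolerance of 10 and all asset and threat data are assumptions made for illustration, not values taken from the page or prescribed by ISO 27005.

```python
# Added illustration of asset-based risk scoring; scales, formulas and data are assumptions.
import math
from dataclasses import dataclass

SCALE = range(1, 6)  # assumption: every score runs 1 (negligible) .. 5 (severe)


def _check(value: int, label: str) -> None:
    if value not in SCALE:
        raise ValueError(f"{label} must be 1-5, got {value!r}")


@dataclass(frozen=True)
class Asset:
    """Asset-register row: the asset, its owner, and the business impact (1-5)
    if its confidentiality, integrity or availability is lost."""
    name: str
    owner: str
    asset_class: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for label in ("confidentiality", "integrity", "availability"):
            _check(getattr(self, label), label)

    @property
    def impact(self) -> int:
        # Assumption: criticality is the worst-case loss across C, I and A.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class ThreatVulnPair:
    """Threat-vulnerability pair for one asset class, scored for threat
    likelihood and ease of exploitation (1-5 each)."""
    asset_class: str
    threat: str
    vulnerability: str
    threat_likelihood: int
    ease_of_exploitation: int

    def __post_init__(self) -> None:
        _check(self.threat_likelihood, "threat_likelihood")
        _check(self.ease_of_exploitation, "ease_of_exploitation")

    @property
    def likelihood(self) -> int:
        # Assumption: incident likelihood is the rounded-up mean of the two scores.
        return math.ceil((self.threat_likelihood + self.ease_of_exploitation) / 2)


def class_impact(assets: list[Asset]) -> dict[str, int]:
    """A class inherits the impact of its most critical member."""
    impact: dict[str, int] = {}
    for a in assets:
        impact[a.asset_class] = max(impact.get(a.asset_class, 0), a.impact)
    return impact


def class_risk(assets: list[Asset], pairs: list[ThreatVulnPair]) -> dict[str, int]:
    """Risk per class = class impact x likelihood of its worst pair (max 25).
    A class with no identified pair scores 0, which means unassessed, not safe."""
    impact = class_impact(assets)
    risk = {cls: 0 for cls in impact}
    for p in pairs:
        if p.asset_class not in impact:
            raise KeyError(f"pair refers to unknown asset class {p.asset_class!r}")
        risk[p.asset_class] = max(risk[p.asset_class], impact[p.asset_class] * p.likelihood)
    return risk


def treatment_plan(assets: list[Asset], pairs: list[ThreatVulnPair], tolerance: int) -> list[dict]:
    """Classes scoring above tolerance, worst first, with the pair that drives the
    score and the owners who must sign off on treatment."""
    impact, risk = class_impact(assets), class_risk(assets, pairs)
    plan = []
    for cls, score in risk.items():
        if score <= tolerance:
            continue
        worst = max((p for p in pairs if p.asset_class == cls), key=lambda p: p.likelihood)
        owners = sorted({a.owner for a in assets if a.asset_class == cls})
        plan.append({"asset_class": cls, "risk": score, "impact": impact[cls],
                     "threat": worst.threat, "vulnerability": worst.vulnerability,
                     "owners": owners})
    return sorted(plan, key=lambda row: row["risk"], reverse=True)


# Constructed sample register and pairs (illustrative assumptions, not real data).
SAMPLE_ASSETS = [
    Asset("Primary NAS", "IT Ops", "file-storage", 5, 4, 4),
    Asset("Finance share", "Finance", "file-storage", 5, 5, 3),
    Asset("Staff laptop fleet", "IT Ops", "workstation", 3, 2, 2),
    Asset("Marketing web site", "Marketing", "public-web", 1, 3, 3),
]
SAMPLE_PAIRS = [
    ThreatVulnPair("file-storage", "ransomware", "unpatched SMB file service", 4, 4),
    ThreatVulnPair("file-storage", "insider data theft", "over-broad share permissions", 2, 3),
    ThreatVulnPair("workstation", "phishing", "no attachment filtering", 5, 3),
    ThreatVulnPair("public-web", "defacement", "outdated CMS", 3, 2),
]
RISK_TOLERANCE = 10  # assumption: the business accepts any class scoring 10 or below
```

Calling `treatment_plan(SAMPLE_ASSETS, SAMPLE_PAIRS, RISK_TOLERANCE)` on the constructed data returns the file-storage class (risk 20, driven by ransomware against the unpatched SMB service, owners Finance and IT Ops) and the workstation class (risk 12), while the public web site (risk 9) stays below tolerance and is accepted. Two design points matter for the “same way, every time” requirement in the text: every score is validated against one fixed scale so results from different years are comparable, and a class with no recorded threat-vulnerability pair scores 0 rather than being silently omitted, which makes gaps in the assessment visible instead of looking like low risk.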

 

If an IT risk assessment and risk treatment procedure doesn’t exist, we will create one based on Brier & Thorn’s methodology, which is rooted in the ISO 27005 standard. While our methodology is based on ISO, we can use other risk assessment frameworks, such as OCTAVE and NIST. IT risk assessments are not “one size fits all,” but whatever model is chosen, it should be documented so the assessment can be repeated every year. The business should take steps to make sure it is performed the same way every time, so that results are comparable from one assessment to the next; only then can risk management efforts be tracked and the change in risk over time be measured accurately as treatment plans are put into place.

OUR CAPABILITIES

  1. IT Risk Assessment according to ISO 27005, OCTAVE, HEAVENS, or any other risk assessment methodology used by your business

  2. Development of an IT Risk Assessment and Risk Treatment Policy and Procedure

  3. Asset-based Risk Assessment

  4. Scenario-based Risk Assessment

  5. Risk Treatment
