How To Conduct A Security Risk Assessment
Posted by Superadmin on September 09 2022 16:50:46


Author: Josh Allen / Last Updated: 5/21/22

Reviewed by Michael Swanagan, CISSP, CISA, CISM, Seth Kimmel, OSCP & Rich Selvidge, CISSP

There are 8 steps to conducting a security risk assessment including mapping your assets, identifying security threats and vulnerabilities, determining and prioritizing risks, analyzing and developing security controls, documenting results, creating a remediation plan, implementing recommendations, and evaluating effectiveness.

What You’ll Learn

 

  • Why a security risk assessment is a critical component to any cyber security strategy.
  • The different types of security risk assessments businesses might want to perform.
  • Examples of security frameworks and suggestions on which you should follow.
  • Common pitfalls to avoid when performing a security risk assessment.
  • A step-by-step breakdown of the risk assessment process that you can implement today.
 

The pandemic gave threat actors many new opportunities to try and infiltrate company networks and cloud systems.

 

As more employees moved to remote working arrangements, businesses had to quickly bring new systems online to support their remote employees.

 

The size of attack surfaces increased rapidly, and, given the substantial talent gap for cyber security professionals, companies struggled to keep up.

 

The resulting increase in the number of cyber attacks was staggering.

 

Phishing schemes proliferated, with threat actors preying on people looking for vaccine information and updates on government support payments.

Ransomware attacks exploded, with several high-profile attacks, including Colonial Pipeline, the Kaseya data breach, JBS Meats, SolarWinds, and Accellion to name a few.

 

With threat actors becoming ever more sophisticated and ever more tireless in their efforts, companies need to take the time and review the security of their current systems.

 

An important step all businesses must take is conducting a security risk assessment.

 

What Is A Security Risk Assessment?

 

A security risk assessment identifies, evaluates, and prioritizes potential vulnerabilities in various information assets (i.e., systems, hardware, applications, and data) and then ranks the risks that could arise from those vulnerabilities.

 

The primary purpose of a risk assessment is to inform decision-makers about vulnerabilities in corporate systems, allowing them to take preemptive defensive actions and prepare effective risk responses.

 

The assessment also provides an executive summary to help executives make informed decisions about ongoing security efforts.

 

Security risk assessments also indicate to management areas where employees need training to help minimize attack surfaces.

 

Risk Assessment VS Risk Management

 

While it may seem that these concepts are self-explanatory, it is important for executives and management to understand their differences.

 

A risk assessment is primarily proactive.

 

It involves testing your current infrastructure and identifying weaknesses and vulnerabilities.

 

Risk assessment is an important prerequisite for effective risk management.

 

Risk management can be proactive or reactive.

 

The primary goal of risk management is to reduce risk by continuously applying best practices.

 

Risk management includes a wide range of activities from managing and updating infrastructure to applying identity management policies to training employees on proper password hygiene.

 

Unfortunately, even with strong risk assessment and proactive risk management, some attacks are likely to succeed.

 

Reactive risk management focuses on minimizing the damage of these successful exploits and facilitating rapid recovery.

 

Examples Of Security Risk Assessments

 

Think about a healthcare organization working to distribute COVID vaccines.

 

As part of their work, they are collecting massive amounts of patient information that is subject to the HIPAA Security and Privacy Rules.

 

How can this organization ensure their security efforts are HIPAA-compliant? A HIPAA security risk assessment will identify areas of vulnerability and set the stage for implementing controls and remediation procedures.

 

The chart below is an example of issues identified in a HIPAA risk assessment, from physical vulnerabilities to firewall configuration issues.

 

(Chart: issues identified in a HIPAA risk assessment)

 

A more general, yet still comprehensive, security risk assessment that any organization can consider, regardless of industry, is compliance with the Center for Internet Security Critical Security Controls for Effective Cyber Defense (CIS Top 18).

 

The Top 18 are CSCs (Critical Security Controls) that companies should utilize to block or mitigate known attacks.

 

Another compliance standard that can serve as the basis for a security risk assessment is ISO/IEC 27001, an international standard on information security management.

 

ISO/IEC 27001 details processes for assessing, controlling and mitigating security risks.

 

There are many other standards that companies should know and address, many of which are specific to particular industries.

 

For example, government contractors must comply with NIST 800-171, while e-commerce businesses should have PCI-DSS-compliant payment systems.

 

Why Are Security Risk Assessments Important?

 

The answer is simple. Successful attacks can cause substantial financial and reputational damage.

 

23% of small businesses suffered at least one cyber attack in 2020, with an average annual financial cost of over $25,000.

 

And this estimate is lower than many others.

 

But the initial financial costs of dealing with breaches are just one aspect of the damage.

 

Companies also can suffer lost clients, loss of reputation, loss of intellectual property, and increased insurance premiums, among other effects.

 

The costs of proactive risk assessments are minimal when compared to the damage of a successful attack. And the associated benefits more than offset those upfront costs.

 

Identify Security Gaps

 

Many companies are simply uninformed on even the basics of cybersecurity. More simply put, they don’t know what they don’t know.

 

Risk assessments help identify security gaps at all levels, from physical security to high-level malware detection and removal.

 

They also prevent spending unnecessary money by focusing on the top security controls and prioritizing security risks.

 

Reduce Long Term Costs

 

This goes far beyond comparing the cost of the assessment to the cost of a later breach. Risk assessments also show companies how to prioritize their security spend to minimize long-term costs.

 

Just take a look at the HIPAA risk analysis chart again.

 

Many company executives would not think that A/C maintenance is a cyber security risk.

 

But a $3,000 investment in updating the air conditioner could save the company tens of thousands of dollars down the road.

 

And the faster companies take action, the more cost-effective their efforts can be.

 

Indeed, the White House recently urged corporate executives to take immediate action to assess their systems and take all steps necessary to prevent cybercrime, ransomware attacks in particular.

 

Mitigate & Protect Against Breaches

 

To be effective, risk assessment reports must be actionable.

 

That is, they must contain specific recommendations for remediation activities.

 

Assessment reports must tell companies how to harden their systems by filling security gaps.

 

It is equally important that reports identify issues that appear problematic at first glance, but which are so unlikely that they require no action.

 

Help Budget Future Security Initiatives

 

Security risk assessments set the baseline for a company’s ongoing cybersecurity efforts.

 

By prioritizing identified gaps, they help companies create detailed plans for corrective actions.

 

And with detailed plans in place, companies can then set realistic budgets for their IT and cyber security teams.

 

They can also take rapid steps to address staffing shortages, which can take time given the current cyber security talent gap.

 

Increases Employee Security Awareness

 

Poor security practices among employees create significant vulnerabilities for businesses.

 

Building a corporate culture focused on cybersecurity is essential.

 

Risk assessments help identify areas where companies should provide employees training to mitigate future risk.

 

Unless employees know what they are doing wrong and why it is important to correct their actions, they will remain easy attack targets.

 

What Are The Different Types Of Security
Risk Assessments?

 

Comprehensive risk assessments cover a broad range of potential issues, from location security to infrastructure security to data security to the risks of employees misappropriating or damaging data or systems.

 

Physical Security Assessment

 

How easy is it for people to get physical access to your systems?

 

Do you have security at the entrances to the building?

 

Do you log visitors?

 

Are there security cameras in sensitive locations?

 

Do you have biometric locks on your server room?

 

Physical security assessments, including physical penetration testing, evaluate the ease with which a malicious actor can gain physical access to your critical systems.

 

IT Security Assessment

 

What is the state of your IT infrastructure? What network level security protocols do you have in place? How are you ensuring compliance with shared security responsibilities in cloud services?

 

IT security assessments investigate the overall health of your IT infrastructure and communications pathways.

 

They identify broad system vulnerabilities that are not specific to particular applications or data storage facilities, as well as misconfiguration issues that frequently leave companies open to attack.

 

Data Security Assessment

 

Is company data subject to least privilege and/or zero trust access controls?

 

Do you use network segmentation to limit data access?

 

Do you have strong identity management processes?

 

Data security assessments consider the ease and breadth of access to corporate data.

 

They identify areas where companies should apply new controls to restrict access to data on an as-needed basis.

 

Application Security Assessment

 

Do company applications conform to security-by-design and privacy-by-design principles?

 

Have you performed white and black box testing of your applications?

 

Is application access subject to least privilege control?

 

Application security assessments consider application vulnerabilities at every level from the code itself to who has access to the applications.

 

They allow companies to strengthen their applications and limit access to that needed for employees to perform their jobs.

 

Insider Threat Assessment

 

Many, if not most, attacks arise from insider threats. However, many companies do not realize that insider threats go beyond employees that are intentionally trying to steal information or damage systems.

 

First of all, insider threats are not limited to people. They can include unapproved hardware that is not subject to a BYOD policy. They can also include outdated hardware.

 

Insider threats also need not be intentional or malicious. Negligence and unintentional threats can cause just as much harm as intentional ones.

 

A perfect example is using “password” as your password.

 

An increasingly common insider threat that many companies do not recognize is the advanced persistent threat (APT).

 

APTs, which are often used by state-sponsored cybercriminals or corporate espionage professionals, are long-term, targeted network insertions.

 

Often, careless or uninformed employees are the attack vector for an APT, with phishing emails being one of the most common ways attackers get access to company networks.

 

Essentially, the APT remains undetected in company systems for so long that it becomes an insider.

There are various types of penetration testing to assist in each security assessment.

 

What Security Risk Assessment Framework
Should You Follow?

 

To answer this question, you must first determine your goals for the security assessment.

 

If you want to conduct a broad, general assessment of your organization’s security posture, then you should look to one of the more generic frameworks such as the CIS Top 18.

 

CIS Top 18 assessments are also useful for small and medium businesses and companies with limited security budgets.

 

More mature or well-funded companies may consider using ISO 27001 or NIST 800-171 as the basis for their security assessment efforts.

 

If the goal is compliance, then you are more likely to consider industry-specific requirements, such as the HIPAA assessment described above.

 

And how you move forward with the assessment may depend on where you fall within the groups that HIPAA applies to.

 

For instance, data processors may have different security considerations than healthcare clearing houses.

 

E-commerce businesses and other companies that accept online payments may want to conduct assessments focused on their compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

 

The ability to offer secure payment systems is essential to online business.

 

But once again, your needs will vary depending on whether you are a data holder, a data processor or both.

 

Defense contractor or government supplier?

 

Then you need to have Cybersecurity Maturity Model Certification (CMMC).

 

CMMC requirements are similar to NIST 800-171, although there is third-party auditing and certification rather than self-certification.

 

Even if your industry has no specific cyber security requirements, you should consider becoming compliant with some of the standards set out above.

 

The 8 Step Security Risk Assessment Process

 

Security risk assessments involve a detailed and iterative process.

 

Your security assessment plan begins with understanding exactly what resources your organization has.

 

Once you have built a thorough and complete inventory, you can begin to identify each resource’s vulnerabilities and implement appropriate security measures to rectify those vulnerabilities or protect the assets against exploitation.

 

  1. Map Your Assets
  2. Identify Security Threats & Vulnerabilities
  3. Determine & Prioritize Risks
  4. Analyze & Develop Security Controls
  5. Document Results From Risk Assessment Report
  6. Create A Remediation Plan To Reduce Risks
  7. Implement Recommendations
  8. Evaluate Effectiveness & Repeat

 

Step 1: Map Your Assets

 

Without a thorough understanding of your organization’s assets, security efforts will always be lacking.

 

Therefore, the first step in any effective security risk assessment is to generate a complete map of potentially vulnerable assets.

 

Asset maps require more than identifying hardware in use.

 

You must also include all applications, all users (whether human or process) and all data storage containers, because each of these contributes to your overall attack surface.

 

You should log and track each asset in a centralized database that you can quickly and easily update.

 

For users, you need to have a centralized system for assigning and managing all users and their respective permissions, for instance, an Active Directory system.

 

After completing your asset inventory, you should assign each asset a value and map data flows among your various resources.

 

Building data flow diagrams allows you to better understand where weak points and vulnerabilities exist in your network.

 

As part of assigning value to your assets, you should categorize your data by access levels.

 

Example categories include:

 

 

Data flow analyses should include what data is stored where and which users have access to what data.

 

User is a generic term that can include any person, program or process with access to corporate data storage.

 

In addition to identifying all internal assets, you must also identify and track connections to and data sharing with third-party providers, whether infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS), or other type of service provider.

 

Third-party data flow assessments are particularly important for compliance with worldwide data privacy laws and regulations.

 

Building data flow maps, whether internal or with third-party providers, requires that you know:

 

 

Step 2: Identify Security Threats & Vulnerabilities

 

Having built your asset inventory, you can now begin to identify vulnerabilities and threats for each asset.

 

There are many tests and risk assessment software tools available to help you in this process.

 

For example, vulnerability scanning investigates your network and applications to identify susceptibility to known threats.

 

Having scan results categorized by severity allows your security team to prioritize remediation efforts.

 

Security gap analyses compare your current state of security readiness to established standards, such as CIS Top 18, CMMC or PCI-DSS. These analyses help you identify administration and configuration risks.

 

Penetration testing takes vulnerability and threat assessment to the next level.

 

By replicating actual attacks on your systems, pen testing can both validate the results of your vulnerability scans and security gap analyses and pinpoint previously unidentified vulnerabilities.

 

Pen testing also tells you more than whether a vulnerability exists and can be exploited.

 

It lets you assess how difficult it is to access your systems, as well as the scope of access and potential damage from a successful attack.

 

You will calculate a risk rating for each vulnerability that indicates the likelihood and impact of an exploit.

 

For known vulnerabilities, public information will give you a good sense of how easy it is to exploit the vulnerability, including whether there are already public tools designed to exploit the vulnerability.

 

For other vulnerabilities, pen testing can help you determine the likelihood of an exploit.

 

You also want to assess the potential impacts for each vulnerability:

 

 

Coupled with your categorization of data and asset valuations, vulnerability testing allows you to assess the likelihood that attacks will compromise high-value targets, as well as your potential liability if they are.

 

Step 3: Determine & Prioritize Risks

Vulnerability and security threat assessments will invariably identify more risks than you can address at once.

 

Therefore, when following your risk assessment procedures, your next step is to prioritize risks by giving each vulnerability a risk rating so that you can prepare your remediation plans.

 

Prioritizing your remediation responses involves assessing your overall remediation budget against the risks and impacts of each threat or vulnerability.

 

For example, you may decide to prioritize vulnerabilities that affect medium-value assets if the likelihood of exploit and damage potential is much more significant than for higher-value assets.

 

Costing remediation efforts should include the costs of employees allocated to security efforts.

 

For example, you can expect to pay a back-end developer with IT security training roughly $80 an hour in the United States.

 

If you divert them from their everyday tasks to address risk remediation, this involves an additional cost for the company.

 

You should continuously update your risk prioritization and calculate the associated remediation costs on an annual basis.

 

Step 4: Analyze & Develop Security Controls

For any given vulnerability, there are several types of security controls you may consider.

 

The primary security controls are:

 

 

Each of these controls can be further divided by function, that is, by whether they detect, prevent/deter, correct or compensate for threats and vulnerabilities.

 

Once you determine the appropriate controls for each vulnerability, you can then develop specific remediation plans.

 

Step 5: Document Results From Risk Assessment Report

Effective risk assessment reports condense the results of the various threat and vulnerability assessments into a concise threat ranking that gives you a visual prioritization of your remediation plan.

 

One effective way to represent your risk prioritization is using risk analysis templates, for example, a risk matrix.

 

The risk matrix compares various levels of likelihood of exploitation against the severity of the damage from a successful attack.

 

As the likelihood of exploitation and the severity of impact increase, vulnerabilities increase in priority and move higher in the remediation plan.
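As an added example tying Steps 2, 3 and 5 together (this is not PurpleSec's own tooling): risk ratings computed from likelihood and impact, a 5x5 risk matrix, and a budget-constrained remediation order. The five-level scale, the band thresholds, the one-step bump for vulnerabilities with public exploit tooling, and every asset, score and cost are assumptions constructed for the example.

```python
"""Risk ratings, a 5x5 risk matrix and a budget-constrained remediation order.

Added example for Steps 2, 3 and 5 of the process described on this page; it is
not PurpleSec's tooling. Every asset, score and cost below is constructed.
"""
from dataclasses import dataclass

# One ordinal scale for likelihood, impact and asset value (5x5 matrix assumption).
LEVELS = ("very_low", "low", "medium", "high", "very_high")
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}  # very_low=1 ... very_high=5


@dataclass(frozen=True)
class Asset:
    name: str
    value: str          # business value of the asset, one of LEVELS
    data_category: str  # access category assigned in Step 1


@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    title: str
    likelihood: str        # likelihood of exploitation, one of LEVELS
    impact: str            # severity of a successful exploit, one of LEVELS
    remediation_cost: int  # estimated remediation cost in USD (constructed)
    public_exploit: bool = False  # public exploit tooling exists (Step 2)


def effective_likelihood(v: Vulnerability) -> int:
    """Likelihood score, raised one step (capped at 5) when public exploit tooling exists."""
    return min(SCORE[v.likelihood] + (1 if v.public_exploit else 0), 5)


def risk_score(v: Vulnerability) -> int:
    """Risk rating = likelihood x impact, on a 1..25 scale."""
    return effective_likelihood(v) * SCORE[v.impact]


def risk_band(score: int) -> str:
    """Colour band of the matrix cell a score falls in (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def risk_matrix(vulns):
    """5x5 grid of titles: rows = effective likelihood 1..5, columns = impact 1..5."""
    grid = [[[] for _ in LEVELS] for _ in LEVELS]
    for v in vulns:
        grid[effective_likelihood(v) - 1][SCORE[v.impact] - 1].append(v.title)
    return grid


def prioritize(vulns):
    """Highest risk first; ties go to the cheaper fix, then to the more valuable asset."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.remediation_cost, -SCORE[v.asset.value]))


def remediation_plan(vulns, budget: int):
    """Fund items in priority order; anything that no longer fits the budget is deferred."""
    funded, deferred, remaining = [], [], budget
    for v in prioritize(vulns):
        if v.remediation_cost <= remaining:
            funded.append(v)
            remaining -= v.remediation_cost
        else:
            deferred.append(v)
    return funded, deferred, budget - remaining


def sample_vulnerabilities():
    """Constructed findings: the medium-value HR share outranks the very-high-value database."""
    patient_db = Asset("Patient records database", "very_high", "restricted")
    hr_share = Asset("HR file share", "medium", "confidential")
    web = Asset("Public web server", "high", "internal")
    hvac = Asset("Server room air conditioner", "medium", "internal")
    return [
        Vulnerability(patient_db, "Unpatched database service", "low", "very_high", 12_000),
        Vulnerability(hr_share, "Default admin password on HR share", "very_high", "high", 500),
        Vulnerability(web, "Outdated TLS configuration", "medium", "medium", 2_000),
        Vulnerability(hvac, "Aging air conditioner, overheating risk", "medium", "high", 3_000),
        Vulnerability(web, "Known framework flaw with public exploit tooling", "medium", "high", 4_000, public_exploit=True),
        Vulnerability(web, "Verbose server version banner", "high", "very_low", 100),
    ]


if __name__ == "__main__":
    findings = sample_vulnerabilities()
    for v in prioritize(findings):
        s = risk_score(v)
        print(f"{s:>2} {risk_band(s):<8} {v.asset.name:<28} {v.title}")
    funded, deferred, spent = remediation_plan(findings, budget=10_000)
    print(f"\nFunded this cycle (${spent}):", [v.title for v in funded])
    print("Deferred:", [v.title for v in deferred])
```

Running it shows the Step 3 point in practice: the cheap, very likely finding on the medium-value share is fixed first, while the costly low-likelihood database patch is deferred when the budget runs out.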

 

Step 6: Create A Remediation Plan To Reduce Risks

Now that you have determined risk ratings and the order in which you will address vulnerabilities, you can begin creating your detailed vulnerability remediation plan.

 

This should include the basic, high-level steps for each remediation process and the associated costs.

 

If you still have several options for a given vulnerability, you should perform a cost/benefit analysis.

 

Comparing the cost of remediation against the potential cost of a successful attack can assist you in narrowing down to your preferred control.

 

Costs are not limited to monetary expenditures; they can also include the time it takes to implement a solution and the disruption to the business.

 

For example, applying software patches may have little overall cost for an organization, but it can be disruptive if done during business hours.

 

Step 7: Implement Recommendations

It’s finally time for action.

 

Your security team should now assign each item in the remediation plan to the appropriate team.

 

Assignments should include realistic time frames for completion.

 

In addition, you should indicate steps that teams should take to monitor the effectiveness of their remediation efforts, as well as any necessary reporting workflows.

 

As part of your remediation efforts, you should consider proactive risk responses such as Managed Detection and Response (MDR) solutions or Security Information and Event Management (SIEM) solutions.

 

Your choice among proactive risk response solutions may depend on whether you want to keep your efforts internal (SIEM) or whether you want to rely on external providers (MDR).

 

Experienced external providers can also help you build your SIEM processes, even if you control them internally.

 

Step 8: Evaluate Effectiveness & Repeat

Risk assessments are never static processes.

 

They require ongoing monitoring and optimization. As the old saying goes, rinse and repeat.

 

Internal audits are one way to evaluate whether remediation efforts are working.

 

You can also repeat your risk evaluations and gap analyses to verify that your actions have improved your security posture.

 

Another very effective test of remediation efforts is the so-called “Blue Team” exercise.

Blue Team is your internal defensive group responsible for performing security threat assessment, creating and implementing remediation plans and managing incident response.

 

In contrast, Red Team represents attack vectors, for example, by conducting penetration testing.

 

Blue Team exercises are widely varied and can include anything from performing DNS server audits to tracking individual user activity to identify anomalous actions to putting firewalls and anti-virus programs in place.

 

Blue Teams should also police compliance with company security policies.

 

As with all business processes, once you identify a flaw or fault, you must correct it and restart the process.

 

Constantly updating your risk analyses and improving your remediation plan is the best way to make sure you are well-protected against threats.

 

Common Pitfalls To Avoid When
Performing A Security Risk Assessment

 

To get the most out of your security risk assessments, you should be aware of the most common errors organizations make when conducting them.

 

If you understand the process and its structure, you will easily avoid these problems.

 

Don’t Delay

 

Every second you lose in placing proper controls and remediation plans in effect exposes you to attacks, breaches, and potential liability and costs.

 

Don’t Get Tunnel Vision

 

Frequently, organizations think security risk assessments focus only on electronic assets and resources.

 

Do not neglect to consider issues such as physical threats and human risks.

 

Don’t Ignore Your Goals

 

The reasons you are conducting a risk assessment help you properly allocate manpower and financial resources to the assessment.

 

Keeping within scope is also more cost-effective than doing broad-brush assessments with no specified end goal.

 

Don’t Begin In The Middle

 

Do not assume you already know the risks and immediately start planning remediation.

 

Beginning with proper inventories and data flows is key to having effective remediation efforts.

 

Don’t Rely On Automated Tools

 

While you will need to use tools to complete your assessments and implement remediation plans, you should not neglect the human factor.

 

Instead, rely on both your internal security experts and external providers to help you fully understand the results the tools generate.

 

And rely on your C-suite to build the necessary culture of cybersecurity, including training employees in basic cybersecurity practices that serve as the best foundation for ongoing security efforts.

 

Don’t Do It Just Once

 

Your efforts will not be successful if you run a risk assessment once, implement a remediation plan and then stop.

 

Threat actors are constantly evolving, and you need to update your assessments continually to keep pace with them.

 

Frequently Asked Questions

 

 How Do You Prepare For A Security Risk Assessment?

You should take several preliminary steps before conducting a security risk assessment.

 

First, identify the purpose, scope and goals of the assessment, as well as any standards that you will use as a baseline.

 

Second, identify all the key players in your organization that will participate in the assessment.

 

Third, carefully select your assessment provider.

 

Finally, set your desired timeline for completing the assessment.

 Are Security Risk Assessments Required?

Unfortunately, the answer is “It depends.”

 

Perhaps your industry has requirements, or you work with a partner that requires security assessments (e.g., CMMC).

 

Or maybe you are subject to specific regulations like the HIPAA Security Rule.

 

Or you may be concerned about compliance with privacy laws like the California Consumer Privacy Act.

 

But even if security risk assessments are not required, it is a good business practice to conduct them.

 How Often Should A Security Risk Assessment Be Performed?

It depends on the nature of your business and the security requirements within your industry.

 

HIPAA, for instance, requires periodic evaluation of security measures, although it does not define the period.

 

As a best practice, PurpleSec recommends performing a security risk assessment at least annually.

 

You should also conduct security assessments when there are significant changes to the laws and regulations that affect your business, as well as when you make changes to your networks, systems or external providers.

 

Acquisitions and mergers are also excellent opportunities to revisit your security assessments.

 How Long Does It Take To Conduct A Security Risk Assessment?

The time necessary to complete a security risk assessment can range from several days to several weeks or months.

 

Several factors impact the time it takes to conduct a risk assessment, including:

 

  • The scope of the assessment
  • The size of your organization and the number of systems involved
  • The number of tests in the assessment
  • The tools or providers used in performing the assessment

 Who Is Responsible For Security Risks?

Every single member of your organization has some degree of responsibility for security, although the buck stops at the C-suite.

 

It is crucial to train employees on security policies and procedures so that they can adequately fulfill their security roles.

 

It is equally crucial for the C-suite to lead by example with respect to security – setting, following and enforcing policies that build an organizational culture focused on security.

 

Organizations must also remember that when they use external service providers (IaaS, PaaS, SaaS or others), there is always some degree of shared responsibility for security.

 How Much Does A Security Risk Assessment Cost?

Just as with timelines, the costs for a security risk assessment can vary substantially, ranging from several thousand dollars to tens of thousands of dollars.

 

Factors that affect the cost of a security risk assessment include:

 

  • The scope of the assessment
  • The number of tests to be run
  • The number of systems and users involved
  • The speed with which the assessment must be completed

 

While security risk assessments are not cheap, their cost is invariably much less than the cost of a breach.

 What’s The Difference Between A Security Risk Assessment And A Threat Assessment?

A risk assessment is more comprehensive than a threat assessment.

 

Threat assessments identify things that can exploit vulnerabilities, including malicious external actors, inside actors and even unintentional actors.

 

Risk assessments identify all assets, their associated vulnerabilities, the threats that can exploit those vulnerabilities, and, importantly, the damage to assets and the company resulting from a successful exploit.

 What’s The Difference Between A Security Risk Assessment And A Gap Analysis?

A gap analysis is just one piece of an overall security risk assessment.

 

A security gap assessment, which focuses on administrative controls and configuration concerns, compares an organization’s current security posture to one or more security standards.

 What Security Risk Assessment Tools Are Available?

There are a wide range of risk assessment software tools available that can facilitate many of the risk assessment process steps.

 

Among these are network scanners, protocol scanners, web application scanners, attack simulation tools, penetration testing tools and more.

 

In addition, if you use third-party experts for your risk assessments, they may have their own proprietary testing tools.

Can A Security Risk Assessment Prevent Or Mitigate A Ransomware Attack?

Ransomware attacks cost businesses $20 billion in 2020, so it is natural to seek unfailing defenses against them.

 

While there are no tools that can completely prevent ransomware attacks, security risk assessments followed with strong remediation efforts can strengthen your systems against such attacks.

 

Moreover, security risk assessments can help you identify processes and procedures to put in place to mitigate the effects of a ransomware attack, including setting up redundant backups.