
SECURITY RISK ASSESSMENT

ITC provides ways for you to conduct a security risk assessment in-house.

Anyone who works with computer technology knows the learning never stops, whether you are upgrading systems, adding a cyber security strategy or rolling out a new application.

Learning about risk assessment is worth the effort, because with the right knowledge and tools it is something YOU can do yourself.

WHAT TO KNOW FIRST

  1. Why an SRA is critical to building a cyber security strategy that fits your systems

  2. The various types of security risk assessments to perform

  3. Suggestions to follow for different types of security frameworks

  4. Things to avoid while conducting a security risk assessment

  5. A step-by-step procedure for conducting the risk assessment

Know and prioritize your security risks, so you can address the highest threats first.
A security risk assessment shows you what to do to start the process.

WHY SRAs ARE IMPORTANT

A successful cyber attack can cause substantial financial damage and mar your company’s reputation. A business stands to lose clients and intellectual property while paying higher insurance premiums, and the list goes on.

The pandemic gave cyber criminals new opportunities to break into company networks and cloud systems.

WHY? More employees began working remotely, which forced businesses to add new online systems to support a remote workforce. The number and size of cyber attacks have been staggering ever since.

Companies have struggled to keep up with security challenges as IT departments and staff shrink. Did you know that in 2020, 23 percent of small businesses suffered at least one cyber attack costing $25,000 or more?

Attackers are tireless and increasingly sophisticated, which is WHY companies need to conduct an SRA of their current systems regularly.

5 TYPES OF SRAs

SRAs need to be comprehensive and address a broad range of issues, from physical location and data to infrastructure security, including employees damaging data or systems.

PHYSICAL

  • How easily can people gain physical access to your systems?

  • Do you have security at the entrances of your building?

  • Do you log visitors? 

  • Are security cameras in sensitive locations? 

  • Do you have biometric locks on your server room?

Physical assessments help you evaluate how easily someone can gain physical access to your critical systems.

SRA PROCESS IN 8 STEPS

1

MAP YOUR ASSETS

  • Create a complete map of vulnerable assets

  • Include all applications, users, processes and data storage containers

  • Log and track each asset in a centralized database, which can be easily updated

  • Assign each asset a value and map data flow

  • Build a data flow diagram to learn where vulnerabilities are in the network

  • Categorize data by access levels

    • Public

    • Confidential

    • Internal Use Only

    • Intellectual Property

    • Compliance Restricted Data

2

IDENTIFY SECURITY THREATS

  • Vulnerability scanning combs through a network and its applications to identify a system’s susceptibility to threats

  • Scan results categorized by severity allow an IT team to prioritize remediation efforts

  • This analysis identifies administration and configuration risks and evaluates your current state of security to establish standards

  • Penetration testing can identify previously unknown vulnerabilities, show how difficult it is to reach your systems and demonstrate the damage a successful attack would cause

3

DETERMINE/PRIORITIZE RISKS

  • Assessments will identify more risks than you can manage initially

  • Prioritize by giving each vulnerability risk a rating, so you can prepare remediation plans

  • Prioritization lets you create a budget to address the impact of each vulnerability, calculated on a yearly basis

  • A remediation budget should include the cost of the employees allocated to security efforts

4

ANALYZE/DEVELOP SECURITY CONTROLS

  • Physical security controls govern access to corporate assets

    • Biometric or coded locks

    • Security cameras

    • Guards

  • Administrative security controls include corporate security policies, practices and workflows

  • Technical security controls apply technological resources to address risk

    • Firewalls

    • Encryption

    • EDR (endpoint detection and response)

  • Controls of any of these types can also be classified by function: preventive, detective, corrective or compensating

5

DOCUMENT RESULTS FROM RISK ASSESSMENT REPORT

  • Risk assessment reports compile results into a concise threat ranking that helps you prioritize

  • Create a risk matrix that plots the likelihood of exploitation against the severity of damage from a successful attack

6

CREATE A REMEDIATION PLAN TO REDUCE RISKS

  • Create a plan using your risk ratings

  • Include basic, high-level steps for each remediation and its associated cost

  • Compare the remediation cost to the potential cost of an attack to narrow down your preferred control

  • Costs include monetary expenditures, the time it takes to implement solutions and day-to-day business disruption

7

IMPLEMENT RECOMMENDATIONS

  • Take action

  • Assign remediation plan to appropriate team

  • Include realistic time frames for completion

  • Monitor the effectiveness of the effort and set up the reporting workflows it needs

8

EVALUATE EFFECTIVENESS AND REPEAT REGULARLY

  • Risk assessments are ONGOING processes that require monitoring and optimization

  • Conduct regular internal audits to ensure efforts are succeeding

  • Repeat evaluations to confirm security has improved
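The eight steps above, carried through as one worked example in Python: a miniature asset inventory with the page’s data classifications (step 1), findings rated for likelihood and impact (step 3), a risk matrix (step 5) and a comparison of each control’s yearly cost against the expected yearly loss (step 6), all combined into the remediation-plan ordering used in steps 7 and 8. This is an added example, not ITC’s tooling or anything from the original page. The 1-5 likelihood and impact scale, the Critical/High/Medium/Low bands, the use of annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) for the cost comparison, and every asset, finding and dollar figure are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access-level categories from step 1, ranked least to most sensitive.
CLASSIFICATION_RANK = {"Public": 0, "Internal Use Only": 1, "Confidential": 2,
                       "Intellectual Property": 3, "Compliance Restricted Data": 4}

@dataclass(frozen=True)
class Asset:
    name: str
    classification: str
    value_usd: float  # business value assigned to the asset in step 1

@dataclass(frozen=True)
class Finding:
    asset: str               # Asset.name this finding applies to
    title: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int              # 1 (negligible) .. 5 (severe); assumed scale
    exposure_factor: float   # fraction of asset value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (ARO); assumed
    control_cost_usd: float  # yearly cost of the proposed control; assumed

# Constructed inventory (step 1): the centralized asset database in miniature.
ASSETS: Dict[str, Asset] = {a.name: a for a in [
    Asset("crm-db", "Compliance Restricted Data", 500_000),
    Asset("server-room", "Confidential", 300_000),
    Asset("intranet-wiki", "Internal Use Only", 20_000),
]}

# Constructed step 2 output: scan findings plus one physical-access finding.
FINDINGS: List[Finding] = [
    Finding("crm-db", "Unpatched database listener reachable from office LAN",
            likelihood=4, impact=5, exposure_factor=0.6, annual_rate=0.5,
            control_cost_usd=15_000),
    Finding("server-room", "No visitor log or camera at server-room door",
            likelihood=2, impact=3, exposure_factor=0.3, annual_rate=0.2,
            control_cost_usd=8_000),
    Finding("intranet-wiki", "Wiki software two major versions behind",
            likelihood=3, impact=2, exposure_factor=0.5, annual_rate=1.0,
            control_cost_usd=12_000),
    Finding("intranet-wiki", "Internal page readable without login",
            likelihood=5, impact=1, exposure_factor=0.1, annual_rate=2.0,
            control_cost_usd=500),
]

def risk_score(f: Finding) -> int:
    """Step 3 rating: likelihood x impact, giving a 1..25 score."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"{f.title}: likelihood and impact must be 1..5")
    return f.likelihood * f.impact

def risk_band(score: int) -> str:
    """Band thresholds are an assumption; tune them to your own risk appetite."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"

def prioritize(findings: List[Finding], assets: Dict[str, Asset]) -> List[Finding]:
    """Highest score first; equal scores are ordered by the asset's classification."""
    return sorted(findings, reverse=True, key=lambda f: (
        risk_score(f), CLASSIFICATION_RANK[assets[f.asset].classification]))

def risk_matrix(findings: List[Finding]) -> Dict[Tuple[int, int], int]:
    """Step 5 matrix: number of findings in each (likelihood, impact) cell."""
    return dict(Counter((f.likelihood, f.impact) for f in findings))

def annual_loss_expectancy(f: Finding, assets: Dict[str, Asset]) -> float:
    """Step 6 yearly cost of leaving the risk untreated: ALE = SLE x ARO."""
    single_loss = assets[f.asset].value_usd * f.exposure_factor
    return single_loss * f.annual_rate

def control_justified(f: Finding, assets: Dict[str, Asset]) -> bool:
    """A control is worth funding when its yearly cost is below the ALE it removes."""
    return f.control_cost_usd < annual_loss_expectancy(f, assets)

def remediation_report(findings: List[Finding], assets: Dict[str, Asset]) -> List[dict]:
    """Rows for the risk assessment report, already in remediation-plan order."""
    rows = []
    for f in prioritize(findings, assets):
        score = risk_score(f)
        rows.append({"asset": f.asset, "finding": f.title, "score": score,
                     "band": risk_band(score),
                     "ale_usd": annual_loss_expectancy(f, assets),
                     "control_cost_usd": f.control_cost_usd,
                     "justified": control_justified(f, assets)})
    return rows

if __name__ == "__main__":
    for r in remediation_report(FINDINGS, ASSETS):
        decision = "fund control" if r["justified"] else "accept or revisit"
        print(f"{r['band']:<8} {r['score']:>2}  {r['asset']:<14} "
              f"ALE ${r['ale_usd']:>9,.0f}  control ${r['control_cost_usd']:>7,.0f}  "
              f"{decision}: {r['finding']}")
```

Two points the numbers make that the bullet list alone does not: the server-room finding and the outdated wiki tie on score, and the tie is broken by the classification of the data behind the asset rather than by whichever scanner reported first; and the outdated wiki, despite a Medium rating, does not justify its $12,000 control against a $10,000 expected yearly loss, which is exactly the kind of accept-or-revisit decision step 6 is meant to surface.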


THINGS NOT TO DO IN AN SRA

  • Don’t delay – every second of procrastination exposes you to attacks, breaches, liabilities and costs

  • Don’t get tunnel vision – consider physical threats and human risks alongside technical ones

  • Don’t lose sight of your goals – the point of a risk assessment is to allocate people and budget correctly to the action plan

  • Don’t begin in the middle – start with proper inventories and data flows, and do not assume you already know the risks

  • Don’t rely on automated tools alone – use internal security experts and external providers to help you interpret the results these tools generate

  • Don’t do it just once – remediation is ongoing and will not succeed if it is done only one time
