Businesses are faced with the growing demand—and challenge—of creating and operating solid security programs. The risk assessment process necessary to begin this undertaking is the cornerstone in creating a strong information security program. Properly managed risk assessment provides an organization with insight into the security posture and thus, enables organizations to make informed security decisions. But do technology program owners have insight into technology risks and practices? Do they know how to stay “out of the headlines?” The majority of technology owners focus on securing data within datacenter walls but many have no clear understanding or focus on threats and issues that exist outside those walls. What measures are in place to deal with breaches, stolen data, hacker attacks, and theft? What people, processes, and technologies are needed to address these and other external factors?
One of the largest challenges facing technology owners when trying to secure their organization is vision. Without properly enumerating all of the processes, technologies, stakeholders and the associated risks, it is nearly impossible to design and implement proper controls. The makeup of even a small- to mid-sized healthcare organization can comprise of hundreds, or even thousands of constituents. When you add in all the processes and technologies these constituents rely on, it can be mind-boggling! If clear vision can be established then control, design, implementation, and information security decision-making become easier and the risks posed to protected information assets are decreased significantly.
The risk assessment process reviews existing administrative, technical, and physical controls both within and outside of an organization’s walls. Risk assessment includes analyzing against a best practice framework, and quantifying risks and gaps to create a program roadmap. Properly followed, the outcome of this process is a comprehensive assessment of an organization’s security program, an actionable set of recommendations, and a clear roadmap and plan for remediation. Risk assessment “done right” will ensure the organization is secure on the inside as well as the outside because it aligns both compliance and business drivers that are key to the organization’s security and regulatory compliance posture. A phased approach to risk assessments would include:
There are a multitude of drivers and objectives in every organization and identifying these early in the risk assessment process will ensure the results are a tailored fit for the organization. Fiscal responsibility, staffing, regulatory drivers, business objectives, and operational drivers are “must have” knowledge when conducting a risk assessment. The Discovery phase is where all this information, as well as any existing documentation pertinent to people, process, and technology is collected. Once documentation is collected, it is critical to sit down with each data owner or responsible person to understand the processes and information lifecycle. This should be the longest phase of the assessment process. Ensuring all information is collected, and the processes and process drivers/objectives are understood, will provide the groundwork for a solid risk assessment with optimal value.
Key elements to Discovery:
· Gather existing documentation (policies, procedures, diagrams, & other business and infrastructure documentation)
· Identify key stakeholders; determine organization goals and objectives
· Utilize Interviews/Workshops to identify existing controls, processes, technologies used
The Assessment phase is where all the collected information is analyzed and quantified using a chosen framework. There are many recognized frameworks available, most notably those provided by the International Standards Organization (ISO), National Institute of Standards & Technology (NIST), and the Information Systems Audit & Control Association (ISACA). Most recognized frameworks are agnostic or driven by regulation; consequently, the recommended path to a comprehensive assessment would be a “best of breed” approach. A “best of breed” approach allows the organization to first map to a recognized framework, then to map applicable regulatory drivers to that framework so that regulatory compliance can be something that is painlessly monitored and reported. Once a framework is chosen, the information collected is compared against the control objectives or statements within the framework, which will result in a quantified current state of the organization’s security and compliance posture.
Key elements to Assessment:
· Review documentation and interview/workshop notes to identify gaps
· Compare organization security posture to framework to quantify risk
The output of the assessment phase will be a pointed list of the good, bad, and ugly of the organization’s security posture. During the Recommendation phase it is important to align these gaps and weaknesses with the drivers and objectives identified in the Discovery phase and draft the applicable recommendations to close the gaps and correct any weaknesses. Recommendations should be phased according to several categories: Tactical (6-8 Weeks,) Mid-Term (2-6 Months,) and Strategic (6-18 Months and longer.)
Phasing recommendations this way will ensure “quick fix” and “low effort” items can be remediated immediately while longer term items involving purchasing technologies or re-engineering processes can be well planned and involve all the proper stakeholders.
Key element to Recommendations:
· Document all findings and make actionable and prioritized recommendations to impact the organization’s security posture
Once all recommendations are drafted they should be reviewed with business units and stakeholders to ensure they are suitable and aligned with the business vision and operations.
Key element to Review:
· Review all findings and recommendations with business and technical leaders to ensure recommendations are suitable for the organization and align with business objectives
Implementing a phased approach to risk assessment is the most effective way to impart vital information to key stakeholders to ensure protection of critical information assets. If security initiatives are not correctly aligned with business drivers, the program will become tactical in nature and ultimately fail. A security program needs to be strategic and evolve with updated standards and legislation, organizational goals, and emerging technologies. A risk assessment needs to go beyond regulatory expectations to ensure an organization is truly protecting its sensitive information assets. Utilizing a best of breed or best practices framework will enable the organization to complete a risk assessment that will identify security gaps and control weaknesses rather than only focus on regulatory gaps. In other words, if information assets are secured rather than simply compliant, emerging legislation will become a check-box rather than a tactical financial black hole!