Small and midsized businesses face many of the same information security risks that large enterprises face. The recent Gawker Media data breach serves as proof that even SMBs can be the victims of sophisticated targeted attacks. To that end, companies of all sizes should follow a security risk assessment process to identify, categorize and mitigate risks.
There is a plethora of good books, white papers, frameworks and methodologies that highlight necessary steps to help organizations ensure they have a sound information security risk management plan in place. In addition to all this published material, there are many companies willing to go through the IT security risk assessment process with you to help you measure, and in some cases reduce, your risks and exposures. But the issue for most small to midsize organizations is they don't have the time, resources or money to hire a consultant to conduct a risk assessment and produce a risk management plan.
So how should small to midsize organizations develop their own risk management plan? My recommendation is to follow the steps below to build an understanding of where their IT assets may be exposed and then create a plan to address the gaps.
1. Assess information and infrastructure scope
In this first step, you are identifying the scope of the information systems, along with the hardware and software resources and the data that make up your environment. When looking at the infrastructure, it is important to focus on the critical systems (billing, CRM, HR, legal, knowledge repository, etc.). When looking at the data, focus on the "data of concern," including personally identifiable information, HR data, intellectual property, etc.
2. Understand threats and vulnerabilities
Review the threats that face your organization. (These may vary based on your geographical location and your industry.) A threat is the potential for a particular threat-source to successfully exploit a particular vulnerability. List the hardware and software vulnerabilities that exist within your environment. Consider both intentional and unintentional threats. For example, an unintentional threat may be incorrect data entry, while an intentional threat may be a targeted attack via the network or a malicious software upload. The result of this step should be a list of threats with an understanding of their associated vulnerabilities.
3. Estimate the impact
During this step, forecast the adverse impact that could result if each potential threat actually occurred. The adverse effects of a security event can be described in terms of loss or degradation, or a combination of the following three security goals:
With these goals in mind, classify the magnitude of the impact. One way to do this is to use a high, medium or low classification, where high has an immediate, critical business impact and low has a relatively limited impact.
4. Determine the risk
Determine the risk for a particular threat/vulnerability in terms of:
- The likelihood of a threat source successfully exploiting a vulnerability
- The magnitude of the impact of a threat source successfully exploiting a vulnerability
- The adequacy of existing security controls for reducing, mitigating or eliminating the risk
During this stage, you should create a risk-level matrix of the risks and their effects (as classified in step 3). Again, you can use a high, medium or low classification. A simple starting point is a 3x3 matrix examining threat risks and threat impacts. A sample matrix is shown in figure 1, which includes example threats and their possible threat and impact classifications. This matrix will be the foundation of your IT security risk assessment report.
Figure 1. Sample risk-level matrix

| Threat | Threat risk | Threat impact |
| --- | --- | --- |
| Customer portal behind on system patching by two versions | High | High |
| Internal billing system has a known software vulnerability | High | Medium |
| General business admin server needs software version update | Low | Low |
| Access control on a development server has not been updated in 12 months | High | Medium |
While this matrix is hardly comprehensive, I have found few companies that have conducted a security risk assessment process like this to help understand IT risk and vulnerabilities.
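The three factors named in step 4 (likelihood, impact and the adequacy of existing controls) can be turned into a small risk register that ranks threats for the control planning in step 5. The following is an added example, not code from the article or its author; the specific 3x3 mapping, the way control adequacy shifts likelihood, and the control ratings on the sample rows are assumptions chosen for illustration, and the register rows are constructed from the four threats in figure 1.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scale used throughout: the article's high/medium/low classification.
LEVELS = {"low": 0, "medium": 1, "high": 2}
NAMES = ["low", "medium", "high"]

# 3x3 risk matrix indexed [likelihood][impact] -> risk level.
# This particular mapping is an assumption for the example; the article only
# says to build a 3x3 matrix of threat risk against threat impact.
RISK_MATRIX = [
    # impact: low     medium    high
    ["low",    "low",    "medium"],   # likelihood low
    ["low",    "medium", "high"],     # likelihood medium
    ["medium", "high",   "high"],     # likelihood high
]


@dataclass
class Risk:
    threat: str
    likelihood: str  # chance a threat source successfully exploits the vulnerability
    impact: str      # business impact if it does (the step 3 classification)
    controls: str    # adequacy of existing controls: low / medium / high


def effective_likelihood(likelihood: str, controls: str) -> str:
    """Adequate controls reduce how likely a successful exploit is.

    Assumption used here: 'high' control adequacy drops likelihood one level,
    'medium' leaves it unchanged and 'low' raises it one level, clamped to
    the low..high scale.
    """
    adjust = {"high": -1, "medium": 0, "low": 1}[controls]
    idx = min(2, max(0, LEVELS[likelihood] + adjust))
    return NAMES[idx]


def risk_level(r: Risk) -> str:
    """Combine the three step 4 factors into one high/medium/low risk level."""
    like = effective_likelihood(r.likelihood, r.controls)
    return RISK_MATRIX[LEVELS[like]][LEVELS[r.impact]]


def prioritize(register: List[Risk]) -> List[Tuple[str, str]]:
    """Return (risk level, threat) pairs, highest risk first, so the list
    can feed the control planning in step 5. Ties keep register order."""
    scored = [(risk_level(r), r.threat) for r in register]
    return sorted(scored, key=lambda s: LEVELS[s[0]], reverse=True)


# Constructed sample register built from the article's four example threats.
# The control-adequacy rating on each row is an assumption for illustration.
SAMPLE_REGISTER = [
    Risk("Customer portal behind on system patching by two versions",
         "high", "high", "low"),
    Risk("Internal billing system has a known software vulnerability",
         "high", "medium", "medium"),
    Risk("General business admin server needs software version update",
         "low", "low", "high"),
    Risk("Access control on a development server has not been updated in 12 months",
         "high", "medium", "high"),
]

if __name__ == "__main__":
    for level, threat in prioritize(SAMPLE_REGISTER):
        print(f"{level:6}  {threat}")
```

Running the script prints the register sorted by risk level: the unpatched customer portal and the billing system come out high, the development server drops to medium because its strong existing controls offset the high likelihood, and the admin server stays low. Changing a row's control rating and re-running is a quick way to see which planned control in step 5 moves a threat out of the high band.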
5. Plan the controls
During this final step, outline the possible controls that could mitigate or eliminate the identified risks. The goal of the recommended controls is to reduce the level of risk to the IT environment to an acceptable level. These controls can range from people, policy and procedure changes, to new configurations, procurements or the implementation of new technology.
With these five steps, you will have completed a basic IT security risk assessment process. Be sure to share your results with the key decision makers in your organization. They can assist in making an informed business decision about prioritizing your planned controls to reduce risk to an acceptable level. While IT and information security professionals may provide options to mitigate the risks, the decision that is ultimately required is a business decision, not an information technology or information security one.
About the author:
Robbie Higgins is vice president of security services at GlassHouse Technologies.