By Alan Jackson, CISSP
As mentioned in our article entitled “The Cyber Team Needs a Quarterback,” the second component in a comprehensive cyber security program is an information/cyber risk assessment. The Securities and Exchange Commission (2008) described this component by saying that a firm must “Identify in writing reasonably foreseeable security risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of personal information or personal information systems” (p. 13696). Despite the importance of this item, firms often gloss over the creation of this element of their cyber security program. Some firms overlook this requirement because cyber threats seem self-evident. Other firms neglect this requirement because they are unaware of the threats to their data. Regardless, it is an invaluable component of your cyber security program. In fact, apart from the program administrator, every other component in your program should originate with your risk assessment.
Let me use an analogy to explain why. Every night before I go to bed, I travel through my house checking windows and doors to ensure that they are locked. I do this to ensure that all the points of ingress into my house are secure. In order for me to secure my house, I must know where all the doors and windows are located. An information/cyber risk assessment is used to identify and list all of the doors and windows that can be used to compromise your data. Identifying risks is the first step to controlling them. That is why your policies, testing, training, vendor management, program review, and incident response systems are created in response to the risks you identify.
There are different methodologies that you can employ when performing a risk assessment, but NIST suggests the following steps:
- List all possible risks
- Identify the likelihood that the risk could happen if no controls existed
- Identify the possible severity of the consequences if the risk happened
- Create an initial risk rating based on the likelihood and severity of the risks
- List mitigating controls that lower the likelihood or severity of the risk
- Assign a residual risk rating that factors in the mitigating controls
- Further mitigate risks that have an unacceptably high risk rating
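The seven steps above are easy to describe and easy to apply inconsistently, so a small risk register that carries each step through in code makes the mechanics concrete. The following Python script is an added illustration and not part of the original article or any NIST publication: the 1–5 likelihood and severity scales, the multiplicative rating, the rating bands, the acceptance threshold and the sample risks are all assumptions chosen for the example. It computes the initial (inherent) rating, applies the listed controls to obtain the residual rating, and flags any risk that still sits above the accepted maximum and therefore needs further mitigation (step 7).

```python
"""Toy risk register that walks through the seven steps listed above.

Added illustration. The 1-5 scales, the likelihood x severity product,
the rating bands and the acceptance threshold are assumptions chosen for
this example, not values prescribed by NIST or by the article.
"""
from dataclasses import dataclass, field

# Assumed rating bands for a likelihood x severity product on 1-5 scales.
RATING_BANDS = ((5, "Low"), (10, "Moderate"), (16, "High"), (25, "Critical"))
ACCEPTABLE_MAX = 10  # assumed: anything above "Moderate" needs more mitigation


@dataclass
class Control:
    """Step 5: a mitigating control and how much it lowers each factor."""
    name: str
    likelihood_reduction: int = 0  # points taken off the likelihood score
    severity_reduction: int = 0    # points taken off the severity score


@dataclass
class Risk:
    """Steps 1-3: a listed risk with its uncontrolled likelihood and severity."""
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), assuming no controls exist
    severity: int    # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.severity):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and severity must be 1..5")

    def inherent_score(self) -> int:
        """Step 4: initial rating before any mitigating control."""
        return self.likelihood * self.severity

    def residual_score(self) -> int:
        """Step 6: rating after the controls, clamped so neither factor drops below 1."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        sev = self.severity - sum(c.severity_reduction for c in self.controls)
        return max(1, like) * max(1, sev)


def rating_label(score: int) -> str:
    """Map a numeric score to the assumed band name."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    return RATING_BANDS[-1][1]


def needs_further_mitigation(risk: Risk, threshold: int = ACCEPTABLE_MAX) -> bool:
    """Step 7: flag risks whose residual score is still above the accepted maximum."""
    return risk.residual_score() > threshold


def build_register(risks: list[Risk]) -> list[dict]:
    """Produce the informative document the text describes: one row per risk,
    highest residual risk first, so the rows that need action come out on top."""
    rows = []
    for r in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        rows.append({
            "risk": r.description,
            "inherent": r.inherent_score(),
            "inherent_rating": rating_label(r.inherent_score()),
            "controls": [c.name for c in r.controls],
            "residual": r.residual_score(),
            "residual_rating": rating_label(r.residual_score()),
            "action_required": needs_further_mitigation(r),
        })
    return rows


# Constructed sample risks; descriptions, scores and controls are illustrative only.
SAMPLE_RISKS = [
    Risk("Phishing e-mail leads to credential theft", likelihood=5, severity=4,
         controls=[Control("Security awareness training", likelihood_reduction=1),
                   Control("Multi-factor authentication", severity_reduction=2)]),
    Risk("Lost or stolen unencrypted laptop", likelihood=3, severity=5,
         controls=[Control("Full-disk encryption", severity_reduction=3)]),
    Risk("Vendor mishandles client data", likelihood=3, severity=4,
         controls=[]),  # no control listed yet, so it stays above the threshold
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "  <-- further mitigation needed" if row["action_required"] else ""
        print(f'{row["risk"]}: inherent {row["inherent"]} ({row["inherent_rating"]}), '
              f'residual {row["residual"]} ({row["residual_rating"]}){flag}')
```

The separation between `inherent_score` and `residual_score` is the point of the exercise: the inherent rating is what justifies spending on a control, and the residual rating is what you report to management and revisit when a control fails or a vendor relationship changes. A real register would also record the owner of each risk and the date each rating was last reviewed.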
The result of this process is an informative document that can drive action and demonstrate the firm’s due care. After you have created your risk assessment, you can build and/or evaluate policies and procedures to ensure that they sufficiently lock your doors and windows.
Securities and Exchange Commission (2008). 17 CFR Part 248 – Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information; Proposed Rule. Federal Register, 13692-13719.