Numerous compliance mandates, including the GDPR, state that risk assessments should be a regular part of your IT security strategy. However, these mandates are often very vague about what they mean by a risk assessment. For example, the GDPR states that organizations must take a “risk-based approach” to protecting the data of EU citizens but doesn’t go into detail about what that might mean.
As a result, IT teams are often aware that regular IT risk assessments are a necessary part of IT security, but don’t know how to approach them in a way that guarantees compliance. It’s best not to think about risk assessments as a necessary step in compliance, and more as a fundamental part of ensuring your data is secure. Risk assessments help you understand where your sensitive data is, who has access to it and what changes are happening around it.
A successful IT risk assessment usually can be broken down into three steps:
- Identify what the risks are to your critical systems and sensitive data
- Identify and organize your data by the weight of the risk associated with it
- Take action to mitigate the risks
In many ways, these three steps are intertwined, but I have broken them up so that we can tackle them more easily.
Step 1. Identify the Risks to Critical Systems and Data
The concept of “risk” is a tricky one to define, as it will differ depending on the criticality of the system or the nature of the data involved. There are numerous factors that go into calculating risk, including what threats you’re facing, how vulnerable your systems are to that threat, and how important the data in question is.
1.1 Identify Threats
The first thing to do is identify the threats you are facing. A threat can be defined as anything that would harm your organization, from an earthquake to complete system shutdown. Threats can take many forms so it’s important to take your time and go through all possibilities. Don’t forget to take into account the treat from within as well, as human error, accidental misuse and malicious insiders account for a drastically high proportion of all security breaches.
1.2 Assess Vulnerabilities
Next, how vulnerable are you to the threats you’ve just outlined? Vulnerabilities are weaknesses that a threat can use to breach your systems and data. Vulnerabilities can be discovered through audits, testing systems and other reviews. How often do you patch and update software company-wide? Are your server rooms easily accessible? How often are passwords changed? How often do employees get security awareness training? These are the kind of questions you should be asking.
Step 2. Identify and Organize Data Based on Risk
One of the most important part of an IT risk assessment is being able to understand where your most sensitive data resides in your IT environment and which files and folders contain the most critical information. If a file contains a name, it counts as Personally Identifiable Information, but on its own it is useless to a would-be attacker. However, if that same file contains a full address and credit card information, suddenly the potential risk of that file being breached has increased dramatically.
Using a third-party tool or the Discovery & Classification functionality of File Server Resource Manager (FSRM), you can discover, tag and classify your unstructured data to find out where it resides, and which files and folders are most critical. Using a free integration between FSRM and LepideAuditor, you can run compliance-ready reports and schedule alerts on any changes to this data.
For each asset you have identified as valuable, you will need to gather information on how you are storing/handling/securing it to provide a better picture of the risks involved (for example, where is it stored? Who has access to it? What policies are in place for securing it? etc.). Order these assets from most critical to least critical depending on the associated cost of losing it.
Step 3. Take Action to Mitigate Risks
After you’ve identified which data is at risk and what those risks are, you need to look at what controls you currently have in place to plug up vulnerabilities. Controls can be both physical and virtual, from security guards to firewalls and auditing solutions.
Once you have all this information you should be in a good place to assess what the likelihood and impact of a security threat could have on your organization. It will mostly be an estimation, but it will be informed by all of the previous work you have done.
Using your assessment of the likelihood of threats, you can suggest what controls you need to put in place as a result. By documenting all the steps and results of your IT risk assessment you can build up a picture of what actions each department needs to take to mitigate threats. Prioritize these actions according to their criticality and you should be able to see a roadmap in front of you towards better IT security and compliance.