To be able to fully understand how secure (or not) your data is, it’s important to have a structured, formal approach to assessing and reducing risk. Most models for assessing and managing risk are fundamentally flawed and, in general, IT departments have struggled to adopt stringent risk assessment practices.
Large organizations may have dedicated teams in place to regularly assess their risk but, to be fair, our experience shows us that both large and small organizations are still failing to identify where their risk lies.
Getting started on a risk assessment can be a daunting prospect, but there are many options available to you, including the often-cited NIST SP 800-30 (a spreadsheet-based tick-box model). At Lepide, we offer a free IT risk assessment for organizations looking to understand where their data security weaknesses lie.
In this blog we’ve gathered our experience from running numerous successful risk assessments to determine what we believe are the key things to focus on for a successful project. If you would like to know in more general terms how to perform an IT risk assessment, we’ve written a separate blog on that topic as well.
Define the Key Performance Indicators
We’ve found it very helpful to define the key performance indicators you are looking for before starting your risk assessment. If you were to take a data-centric approach to your IT risk assessment, you would need to list all the ways that you could be putting your data at risk.
The four main areas your KPIs should be structured around are:
- Data Discovery & Classification (where are your most sensitive files and folders, how many sensitive files do you have? Etc.)
- Permissions & Privileges (who has access to your sensitive files and folders, how many folders with open access do you have? Etc.)
- User & Entity Behavior (how are your users interacting with critical data, how many file copy events do you experience? Etc.)
- Environment States & Changes (does your environment currently pose a risk to your data security?)
Locate Your Sensitive Data
The first step in taking a data-centric approach to your risk assessment is to determine how many files and folders contain sensitive data, and what that number is as a percentage of the total files and folders within your organization.
It stands to reason that the higher the percentage of sensitive files and folders within your organization, the higher your risk of suffering a potentially damaging data breach.
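The following is an added example, not code from the original post or from Lepide, that shows how this first KPI is computed in practice: walk a file tree, classify each file against a small set of content rules, and report the sensitive share as a percentage. The classification rules (a Luhn-validated 16-digit card number, a US-style SSN shape, and an e-mail address) and the sample tree it builds are constructed assumptions; the Luhn check is there because a raw 16-digit regex alone produces many false positives, which inflates the KPI.

```python
import os
import re
import shutil
import tempfile
from dataclasses import dataclass, field

# Constructed classification rules (an assumption for this example, not a list
# from the original post): a 16-digit card-number candidate that must also pass
# the Luhn checksum, a US-style SSN shape, and an e-mail address.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum (filters random 16-digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in a file's text."""
    labels = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        labels.add("card")
    if SSN_RE.search(text):
        labels.add("ssn")
    if EMAIL_RE.search(text):
        labels.add("email")
    return labels


@dataclass
class DiscoveryReport:
    total_files: int = 0
    sensitive_files: int = 0
    by_label: dict = field(default_factory=dict)   # label -> number of files
    hits: list = field(default_factory=list)       # (relative path, sorted labels)

    @property
    def sensitive_pct(self) -> float:
        """The KPI: share of files that hold sensitive data."""
        return 100.0 * self.sensitive_files / self.total_files if self.total_files else 0.0


def scan_tree(root: str) -> DiscoveryReport:
    """Walk a directory tree, classify every readable file and tally the KPI."""
    report = DiscoveryReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report.total_files += 1
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    labels = classify(fh.read())
            except OSError:
                continue  # an unreadable file still counts toward the total
            if labels:
                report.sensitive_files += 1
                report.hits.append((os.path.relpath(path, root), sorted(labels)))
                for label in labels:
                    report.by_label[label] = report.by_label.get(label, 0) + 1
    return report


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real data) and return its root path."""
    root = tempfile.mkdtemp(prefix="riskscan_")
    samples = {
        "hr/payroll.txt": "Employee 123-45-6789 paid to card 4111 1111 1111 1111",
        "hr/contacts.txt": "Reach Jane at jane.doe@example.com",
        "eng/readme.txt": "Build with make; nothing sensitive here.",
        "eng/notes.txt": "Ticket 1234 5678 9012 3456 looks like a card but fails Luhn",
        "finance/q1.txt": "Quarterly totals attached.",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        rep = scan_tree(root)
        print(f"{rep.sensitive_files}/{rep.total_files} files sensitive ({rep.sensitive_pct:.1f}%)")
        for path, labels in sorted(rep.hits):
            print(f"  {path}: {', '.join(labels)}")
    finally:
        shutil.rmtree(root)
```

On the constructed tree two of five files are flagged, so the KPI is 40%; the ticket number in `eng/notes.txt` matches the card regex but fails Luhn and is correctly left out.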
Determine the Effectiveness of Your Permissions
Here your goal is to determine whether you are operating on a strict policy of least privilege (PoLP). Your objective is to ensure that you are only allowing access to the people who require it to do their job. Ideally, the number of users with full control would be very small. Key indicators of risk where permissions are concerned include the number of permission changes occurring to objects, files, folders and key IT infrastructure (such as Active Directory and file servers).
Analyze the Behavior of Your Users and Entities
Knowing how your users and entities are behaving in relation to your data is key to assessing your risk. For example, if you are seeing a high number of files containing sensitive data being moved, renamed, copied or modified every day, then you probably need to investigate further why this is happening.
Ideally, you should have a way of determining how many anomalous actions are taking place in your IT environment. If a user accesses a file they have never accessed before, you should be able to detect that and include it in your risk assessment report.
Other things to consider are the logon patterns of your users. If you are seeing an unusually high number of failed logons, it could indicate that you are at risk of a brute-force attack.
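The following is an added example, not code from the original post or from Lepide, that turns the three behavior indicators above into detection logic run over sample audit events: first-time access to a file by a user (measured against a baseline period), daily churn of copy/move/rename/modify operations on sensitive files, and bursts of failed logons in a sliding time window. The log format, the event lines, the sensitive path list and the burst thresholds are all constructed assumptions; real file-server and domain-controller audit records would be mapped into the same fields.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example): one event per line,
#   timestamp,event,user,target,op
# where event is FILE (target = path, op = read/modify/copy/move/rename)
# or LOGON (target = host, op = success/failure). The lines below are made up.
BASELINE_LOG = """\
2024-03-01T09:00:00,FILE,alice,hr/payroll.txt,read
2024-03-01T09:05:00,FILE,alice,hr/contacts.txt,read
2024-03-01T10:00:00,FILE,bob,eng/notes.txt,read
"""

ASSESSMENT_LOG = """\
2024-03-04T09:10:00,FILE,alice,hr/payroll.txt,modify
2024-03-04T09:12:00,FILE,bob,hr/payroll.txt,copy
2024-03-04T09:13:00,FILE,bob,hr/payroll.txt,read
2024-03-04T11:00:00,FILE,alice,hr/contacts.txt,rename
2024-03-05T08:00:00,FILE,carol,finance/q1.txt,read
2024-03-05T08:01:00,LOGON,dave,fs01,failure
2024-03-05T08:02:00,LOGON,dave,fs01,failure
2024-03-05T08:03:00,LOGON,dave,fs01,failure
2024-03-05T08:04:00,LOGON,dave,fs01,failure
2024-03-05T08:05:00,LOGON,dave,fs01,failure
2024-03-05T08:30:00,LOGON,dave,fs01,success
2024-03-05T09:00:00,LOGON,alice,fs01,failure
2024-03-05T09:30:00,LOGON,alice,fs01,failure
"""

# Paths the discovery step classified as sensitive (constructed).
SENSITIVE_PATHS = {"hr/payroll.txt", "hr/contacts.txt"}
CHURN_OPS = {"copy", "move", "rename", "modify"}


def parse_log(text):
    """Parse the constructed CSV-style log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, target, op = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "target": target, "op": op})
    return events


def build_baseline(events):
    """user -> set of files that user touched during the baseline period."""
    seen = defaultdict(set)
    for e in events:
        if e["event"] == "FILE":
            seen[e["user"]].add(e["target"])
    return seen


def first_time_accesses(baseline, events):
    """Flag each (user, file) pair the user had never accessed before; later
    repeats of the same pair inside the assessment window are not re-flagged."""
    known = {u: set(files) for u, files in baseline.items()}
    flagged = []
    for e in events:
        if e["event"] != "FILE":
            continue
        files = known.setdefault(e["user"], set())
        if e["target"] not in files:
            flagged.append((e["user"], e["target"], e["ts"].isoformat()))
            files.add(e["target"])
    return flagged


def sensitive_churn_per_day(events):
    """Count copy/move/rename/modify operations on sensitive files per day."""
    per_day = Counter()
    for e in events:
        if e["event"] == "FILE" and e["op"] in CHURN_OPS and e["target"] in SENSITIVE_PATHS:
            per_day[e["ts"].date().isoformat()] += 1
    return dict(per_day)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding window over each user's failed logons; return user -> peak
    number of failures inside any window that reached the threshold."""
    times_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON" and e["op"] == "failure":
            times_by_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in times_by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts


def behavior_kpis(baseline_text=BASELINE_LOG, assessment_text=ASSESSMENT_LOG):
    """Assemble the three behavior KPIs for the risk assessment report."""
    baseline = build_baseline(parse_log(baseline_text))
    events = parse_log(assessment_text)
    return {
        "first_time_accesses": first_time_accesses(baseline, events),
        "sensitive_churn_per_day": sensitive_churn_per_day(events),
        "failed_logon_bursts": failed_logon_bursts(events),
    }


if __name__ == "__main__":
    for name, value in behavior_kpis().items():
        print(f"{name}: {value}")
```

On the constructed events this reports two first-time accesses (bob reaching into `hr/payroll.txt`, carol into `finance/q1.txt`), three sensitive-file churn operations on 2024-03-04, and one failed-logon burst (dave, five failures in four minutes); alice's two isolated failures stay below the threshold. The baseline period matters: without it every access in the window would look new.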
Is Your Environment Presenting a Risk to Your Data?
Here you should list all the environment states and changes that could potentially weaken your data security. Things to consider include the number of inactive users in your environment, the amount of stale data you have, users whose passwords are set to never expire, and open shares.
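The following is an added example, not code from the original post or from Lepide, that computes the permissions KPIs from the section above on least privilege (open-access folders, principals holding full control, permission changes per object) together with the environment-state KPIs just listed (inactive users, passwords set to never expire, stale data). The ACL inventory, account list, file list, the set of principals treated as "open access" and the 90-day and 365-day thresholds are constructed assumptions; a real assessment would populate the same records from the file server and directory.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy thresholds and the principals treated as "open access"
# (constructed for this example; tune them to your own policy).
OPEN_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
INACTIVE_AFTER = timedelta(days=90)
STALE_AFTER = timedelta(days=365)


@dataclass(frozen=True)
class AclEntry:
    path: str
    principal: str
    rights: str  # e.g. "FullControl", "Modify", "Read"


@dataclass(frozen=True)
class Account:
    name: str
    last_logon: datetime
    password_never_expires: bool
    enabled: bool


@dataclass(frozen=True)
class FileInfo:
    path: str
    last_modified: datetime


def permission_kpis(acl, acl_changes):
    """acl: current folder ACL entries; acl_changes: (timestamp, path) pairs
    taken from the permission-change audit trail for the assessment window."""
    folders = {e.path for e in acl}
    open_folders = sorted({e.path for e in acl if e.principal in OPEN_PRINCIPALS})
    full_control = sorted({e.principal for e in acl
                           if e.rights == "FullControl" and e.principal not in OPEN_PRINCIPALS})
    return {
        "folders": len(folders),
        "open_access_folders": open_folders,
        "open_access_pct": round(100.0 * len(open_folders) / len(folders), 1) if folders else 0.0,
        "full_control_principals": full_control,
        "permission_changes_per_object": dict(Counter(path for _ts, path in acl_changes)),
    }


def environment_kpis(accounts, files, as_of):
    """Inactive and never-expiring accounts are only counted when enabled,
    since a disabled account cannot be used to reach the data."""
    inactive = sorted(a.name for a in accounts if a.enabled and as_of - a.last_logon > INACTIVE_AFTER)
    never_expire = sorted(a.name for a in accounts if a.enabled and a.password_never_expires)
    stale = sorted(f.path for f in files if as_of - f.last_modified > STALE_AFTER)
    return {
        "inactive_users": inactive,
        "password_never_expires": never_expire,
        "stale_files": stale,
        "stale_pct": round(100.0 * len(stale) / len(files), 1) if files else 0.0,
    }


# Constructed inventory (not real data).
AS_OF = datetime(2024, 3, 5)
ACL = [
    AclEntry(r"\\fs01\hr", "HR-Staff", "Modify"),
    AclEntry(r"\\fs01\hr", "Domain Admins", "FullControl"),
    AclEntry(r"\\fs01\public", "Everyone", "Read"),
    AclEntry(r"\\fs01\public", "Domain Admins", "FullControl"),
    AclEntry(r"\\fs01\eng", "Authenticated Users", "Modify"),
    AclEntry(r"\\fs01\eng", "bob", "FullControl"),
    AclEntry(r"\\fs01\finance", "Finance", "Read"),
]
ACL_CHANGES = [
    (datetime(2024, 3, 1), r"\\fs01\eng"),
    (datetime(2024, 3, 2), r"\\fs01\eng"),
    (datetime(2024, 3, 3), r"\\fs01\public"),
]
ACCOUNTS = [
    Account("alice", datetime(2024, 3, 4), False, True),
    Account("bob", datetime(2023, 11, 1), False, True),
    Account("svc_backup", datetime(2024, 3, 5), True, True),
    Account("olduser", datetime(2022, 1, 1), True, False),
]
FILES = [
    FileInfo(r"\\fs01\hr\payroll.txt", datetime(2024, 3, 1)),
    FileInfo(r"\\fs01\finance\fy2019.xlsx", datetime(2020, 2, 1)),
    FileInfo(r"\\fs01\eng\notes.txt", datetime(2024, 2, 1)),
    FileInfo(r"\\fs01\public\old_policy.pdf", datetime(2021, 6, 1)),
]

if __name__ == "__main__":
    for name, value in {**permission_kpis(ACL, ACL_CHANGES), **environment_kpis(ACCOUNTS, FILES, AS_OF)}.items():
        print(f"{name}: {value}")
```

On the constructed inventory half the folders grant access to a broad group, two principals hold full control (one of them an individual user rather than an admin group), and the folder with the most permission churn is the same one that is open to all authenticated users, which is the kind of overlap an assessment should call out.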
Knowing these four key indicators is central to a successful risk assessment when it comes to your data security. Getting access to this information can be very difficult using native auditing methods. Fortunately, Lepide offers a free IT risk assessment service that you can request. You won't have to lift a finger, as our engineers gather the key information for you and present it in an easy-to-read report. Book your free risk assessment today.