A Security Risk Assessment (SRA) is a structured approach to evaluate the level of maturity of an organization’s information security program. This is typically measured against a recognized security framework such as the HIPAA Security Rule, the NIST Cybersecurity Framework, ISO 27001, or the CMS Information Security Acceptable Risk Safeguards.
In addition to the gap analysis against the security framework, it is also important to specifically identify and rank unique risks to the organization. One risk example might be, “What is your level of risk that the organization suffers a ransomware attack, based on the current security controls that have been implemented?” We do this by looking at the likelihood of a risk occurrence and the impact of the risk happening.
The project typically starts with a document request a few weeks before the interview process. The assessor will want to review policies, procedures, and many technical documents that help describe the environment and how information security is managed.
We will then facilitate a series of interviews with various leaders in the organization to walk through the respective security framework. The framework may require, for example, that we evaluate your password policy. We will discuss the specifics of the organization’s password policy (for instance, 8 characters with 3 factors of complexity that expire in 90 days) and compare them against the security framework standard and/or industry best practices. BluTinuity will offer some coaching on the expectations, perhaps share what we have seen other similar organizations do for the configuration, and explain how to bridge the gap.
In the interviews, we look at topics such as Security Roles & Responsibilities, Policies & Procedures, Risk Management Strategies, including Vendor Risk Management, Asset Management, Access Controls, Awareness & Training, Data Security, Platform Security, Technology Infrastructure Resilience, Incident Response, Business Continuity, and Disaster Recovery.
The objective is to truly understand your assets: systems, software, and technology infrastructure.
Then we will look at risk items in a model that allows you to examine various risks (technology, security, physical facility, people, and business risks) using a scoring system so you can prioritize the ratings. If the organization has a risk matrix of some sort, we can start there, but BluTinuity has a Risk Management Register of about 125 common risks that we may want to incorporate.
As I mentioned earlier, for each risk item, we need to identify the likelihood of a risk occurrence and the impact of the risk happening. We need to understand things like, “What happens if the internet goes down in our office for a day?” or “What is the risk to the business if our key system is offline for an extended period?” We use a scoring model to rank the risks and discuss whether we can accept the current level of risk. “Is it OK if our antivirus software is not working, or not?” If not, we need to identify a plan to remediate the risk to an acceptable level.
The SRA may also include technology components such as a Vulnerability Scan if these are not being done already, to validate the level of security updates in place for all computing devices. It may also include a Penetration Test, which is having a trusted external consultant attempt to hack into your systems to test the security
The final deliverable report provides insight into all of what I noted here with a prioritized list of recommendations.
Benefits of Performing a Security Risk Assessment
A mature Information Security program starts with a Security Risk Assessment to measure current maturity and evaluate risk. It is the key to protecting your data and systems and is a cornerstone of continual improvement.
You cannot manage the risk to your organization, your systems, and your data well unless you take the time to understand and assess it. Once you understand your risks, you can develop long-range strategies to improve your information security maturity and reduce and manage risk. If you do not assess and understand your risk, you may have active vulnerabilities, and the threats could grow without your knowledge.
The SRA gives you a baseline measurement that allows for appropriate planning.
An SRA is usually a requirement to obtain favorable rates for cybersecurity insurance. Insurance carriers are likely to ask about your recent SRA and even require you to complete their risk assessment.
Your customers may be asking about your SRA as well. In today’s security climate, many organizations have implemented comprehensive Vendor Security Risk Management programs that include assessing their vendors’ security maturity.
There is also the compliance component. Completing an SRA is a HIPAA and CMS requirement for the healthcare sector. If the organization ever suffered a data breach, there would be an audit by the Department of Health and Human Services, and not having a serious SRA completed would raise a red flag in an audit, and likely result in a significant fine. In other regulated industries, there are usually similar requirements for an organization to perform an SRA. And many states have signed legislation detailing a need for an SRA.
Risks of Not Understanding Your Organization’s Security Maturity
Information Security is not free, but the average cost of a data breach for a healthcare organization in the US in 2023 was $9.48M. Research shows that organizations that understand their risks and have implemented best practices that align with a recognized security framework can reduce the cost of their data breach by a third to a half. You may not see the value as you write the check to implement security controls, but you will see the value in a security incident that is shorter and less impactful than it otherwise would be.
How Much Time Is It for the Organization?
An organization can expect to spend 32-40 person-hours of time working with a consultant for the SRA. The pace of an engagement like this includes document gathering in the first few weeks, then a series of interviews and perhaps an onsite visit from your consultant, and some follow-up over approximately 6 weeks.
How Often Should a Security Risk Assessment Be Conducted?
The best practice is to perform a Security Risk Assessment annually, but there may be some risks that need attention more frequently. An organization can perform the SRA internally using free tools online, but using an expert to facilitate the process can offer more insight and some guidance as to the best way to reasonably close a gap.
Cyber attacks are an ever-present danger to organizations, and organizations that do not take the SRA process seriously put themselves at great risk. This means that a failure of a process or technology, or an action by a person, is likely to result in a crisis. A strong information security posture helps prepare the organization to weather the storm. Without a solid Security Risk Assessment against an accepted information security standard, it is hard to set a course for improvement.