[BreachExchange] Risk assessments for local governments and SMBs

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 23 19:04:02 EDT 2017


Next week, I am scheduled for a semi-annual risk assessment with my
dentist. He performs a very specific, highly focused type of risk
assessment that is totally worth the $125 it will cost. In addition to
performing specialized maintenance (hypersonic cleaning), he will provide a
threat assessment (for oral cancer, cavities, periodontal disease and other
anomalies). I’ll leave his office confident that my mouth is in a low-risk
situation for the next six months as long as I continue to follow best
practices and perform daily maintenance procedures. I am only vulnerable to
these threats if I fail to follow a daily program of brushing and flossing.

I could always choose to save the small fee for these risk assessments and
wait for a major dental disaster to occur. The problem with this approach
is that a single incident may cost thousands of dollars if I need a root
canal or some other type of procedure. Ten years of checkups are less
costly than even a single disaster.

Enterprise IT risk assessments

Unfortunately, in the world of local government and SMBs, the most common
approach to risk management is to allow a major catastrophe to occur before
realizing the value of an enterprise risk management program.

I am at a loss to explain it. Incidents or problems involving your
information and IT infrastructure are far more costly than risk management
programs. Data loss, breaches, major downtime, malware, lawsuits and fines
for compliance violations may cost hundreds of thousands or millions of
dollars. They can permanently shut down your small business or really
irritate your board of directors in a corporate environment. In the public
sector, constituents pay for major screw-ups through increased taxes while
the events are often covered up and the culprits skirt the blame and keep
their jobs.

When was your organization’s last risk assessment? Can you put your hands
on the report? If you haven’t had a risk assessment recently, it’s a safe
bet that your policies are sorely lacking. Defining an organizational
policy for risk assessment is an essential component of any comprehensive
suite of security policies. Both HIPAA and GLBA require periodic risk
assessments, but it is a sound practice for all types and sizes of

Where to start?

If you haven’t previously conducted an enterprise IT risk assessment you
should carefully consider your starting point. For example, if you have few
or no security policies, it may be wise to form an IG (information
governance) committee and begin by developing of a comprehensive set of
policies, procedures, standards and guidelines. On the other hand, your
management team may benefit from the kind of wake-up call that a
devastatingly thorough risk assessment can produce. A 100-page report that
says you suck at security and risk management on every page may be just
what you need to get everyone’s attention.

The results of a risk assessment should be used to reduce your
organization’s risk exposure, improve CIA (confidentiality, integrity and
availability), initiate positive change, and begin building a security
culture. While using risk assessments as a punitive device isn’t the best
approach, such reports often expose malfeasance and incompetence of
proportions so vast that appropriate consequences are in order. In other
words, if you have been paying a CIO $200,000 and the assessment uncovers
gaping policy, security and privacy holes, you should certainly replace the
CIO with one who has the required skill set.

Scope the project carefully

Risk assessments come in a lot of flavors and the specific purpose and
scope must be worked out with the auditors in advance. A few years ago, a
client of mine released an RFP for a risk assessment after we worked
extensively on the development of their information security policies. The
proposals ranged from $15,000 to well over $150,000. This can happen even
with a pretty clear scope. Big 4 firms, for instance, have hourly rates
that may be several times what a local, independent practitioners may
charge. NIST SP 800-30 provides valuable information on how to perform risk
assessments, including some information on scoping.

Risk assessments may be qualitative or quantitative. You may be able to do
some of the quantitative work in-house by gathering cost data for all your
assets in advance of the assessment. Regardless of the scope and approach,
the auditors will ask to see lots of documentation.

Positive outcomes

One positive outcome of a risk assessment is that it may force your
management team to rethink EVERYTHING – in-house application development,
infrastructure support, IT staffing & responsibilities, LOB (line of
business) staffing & responsibilities, budgets, and just about everything
else related to the manner in which your organization is run.

Risk assessments are way cheaper than disasters, so go schedule your
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170523/94436f13/attachment.html>

More information about the BreachExchange mailing list