[BreachExchange] Why a risk assessment should be in your future

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 19 19:28:44 EDT 2017


https://www.csoonline.com/article/3234354/data-breach/why-a-risk-assessment-should-be-in-your-future.html

Companies that put cyber risk assessments on the backburner will quickly
find themselves enmeshed in controversy if their controls are found to be
inadequate, or fail to satisfy regulatory requirements.

Recent legislation, such as HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley,
not only contains references as to how organizations should protect
different kinds of data but also requires regular security assessments.
What’s more, organizations involved in mergers or acquisitions have extra
incentive to stay on top of this. A recent New York Stock Exchange survey
of its members found that the overwhelming majority of respondents agreed
that the disclosure of a high-profile data breach would have “serious
implications” on a pending transaction.

Regular cyber risk assessments are a critical part of an effective
cyberdefense if for no other reason than the results provide clear answers
about the risks associated with using particular information systems or
types of data.

At the same time, though, it’s unrealistic to include everything in a risk
assessment. Indeed, the US Commerce Department’s National Institute of
Standards and Technology (NIST) allows that there are no specific
requirements and no right way to conduct risk assessments.

So, what’s the right approach? Actually, there’s not a single answer since
it will vary based on the company and its unique position in the market.
Rather, the overarching goal should be to create a framework that includes
the areas that process, store and transmit its most important information.


Managing the Process

Years ago, this task might have been farmed out to the IT department. But
as threat levels rise, the danger of brand and reputational damage from a
data breach has elevated the responsibility for cyber risk assessment up
the organizational chart. The C-suite - including the board of directors -
is now as responsible for managing this process as it is for the
constellation of considerations affecting other areas.

The exercise should spotlight the various categories of risk that an
organization faces. At the same time, it should inform the leadership about
the actual location of the company’s assets as well as whether there’s
appropriate security to protect its most valuable information.

And once complete, the drill should help management prioritize so it isn’t
throwing money wildly at the problem any longer. Instead, managers can
adopt more prudent, cost-effective spending and invest in defending the
most important, higher-payoff items.

Organizations should also use the process as an opportunity to vet the
security worthiness of their third-party business partners. In a networked
world, a partner company's security vulnerabilities also become yours. As a
precaution, it's prudent to adopt strict role-based access so that third
parties can only access specified applications.

At the end of the day, this is about adding to an organization’s muscle
memory. Companies that fail to conduct thorough security reviews can’t ever
know for sure which data is most likely to be in the crosshairs. But
adopting cyber risk assessments into their regular routine will allow
organizations to understand what they face and better navigate a threat
landscape that gets more dangerous all the time.

Just as important, it will give them a running start when trouble finally
knocks on the door.