Risk Assessment is an important business activity that needs to be performed regularly. Unlike financial, accounting and legal, cyber security risk assessment has multiple standards based on system type, data to protect, industry etc. There is no “one size fits all” approach. Organizations that comply with regulatory requirements such as HIPAA, PCI-DSS include comprehensive risk analysis implement information protection programs that meet minimal and recognizable level of protection. Qualitative risk analysis performed by IT professionals to analyze and assess risk in IT environment was sufficient few years ago. #c -suite executives, #cfo, #ciso and Board of Directors are considering cyber risk as a business risk and not just the IT problem anymore.
Below are 5 basic steps for #cyber #riskassessment of an organization:
| Steps | Description | How Hacknowledge can help you in risk assessment |
| Asset Identification | Identify company mission, objectives and organizational priorities. Additionally, list current #information #systems and assess cyber security posture. Make a list of data used, its users, owners. Are there any partners/vendors involved in data usage? How is data exchanged? Also identify physical and logical containers such as data centers, removable media, internally developed code, scripts and partner developed code. Create a current profile (as is) of the information system. | ● Hosts discovery is performed as part of the vulnerability scanning process from our sensors.
● Using the DPI module of the IDS on our sensors, we can detect hosts communicating on your network. ● In both cases, we can map those hosts against an existing CMDB and inform you of gaps. |
| Vulnerability and Threat Identification | Make a list of potential and relevant threats to the information systems and other threats sources through accidental or intentional actions. Develop a list of vulnerabilities existing in the information system and network of the organization. This can be performed through internal audits or vulnerability scanning. It is important to identify the weakness and its resulting impact on information. | This part is built-in using the vulnerability scanner deployed on
our sensors |
| Probability Determination | Based on #NIST National Institute of Standards and Technology (NIST) Special Publication 800-30Risk Management Guide for Information Technology Systems, probability level of high, medium or low is assigned to each vulnerability considering existing control systems and the likelihood of occurrence. | Create a target cyber security profile and gap analysis
– using your executive and management views on our customers portal, you can easily have a view on the security alerts and vulnerabilities statistics from your infrastructure.
|
| Create a target cyber security profile (to be) | Consider all stakeholders that influence in creating the target profile and describe the company’s desired #cyber #security outcomes. | |
| Perform gap analysis | Identify gaps in current security programs and workforce. Identify various organizational components for assessment and evaluate the organization’s controls program. Identify and evaluate cyber security risks. Which components are outside of current cyber security controls? This needs to be a regular business process through internal audits that explains the controls implemented. | |
Sample Scenario:
After months of efforts in research, development, production and marketing of the new drug, a #pharmaceutical company with $500 million annual revenue and 10,000 employees was ready for a major release of the drug. The company was informed that its #network #security was breached and investigation into the #cyber event led to understanding of #theft of the formula for new drug. It was also revealed that the hackers were reverse engineering the formula of the drug in an attempt to duplicate and introduce lower quality of drug to the market.
The accurate impact of the #breach was not known, however, long-term sales and profits was heavily impacted. Projected revenue reduced to be 25% of total revenue for the next five years.
The company immediately stopped production of the drug for four to five months with significant unplanned costs to recover from the incident. Loss of Intellectual Property (IP) resulted in significant impact on Research and Development (R&D) with loss in market share and huge decline in operational efficiency. In response to the breach, the company improved its cyber security posture significantly to not only prevent but also be able to detect and respond better in any such future #cyber #threat events.
Business leaders rarely anticipate such cyber attacks to their organizations. Our mission is to help our clients shorten the time between breach and #detection, ultimately stopping IT threats to their networks. Hacknowledgeperformsvulnerability scanningand offers professional advice on remediation efforts. Today, ourVISION Cyber Management™ solution helps clients around the world monitor their networks, and quickly #detect and #respond to cyber security threats.
