Article written by:
Mike Dickson, CPA, CITP, CISA, CISM, CRISC
Director of Information Technology Services
The following frameworks share a common purpose: identify risks that could be initiated by an internal or external actor to cause an event that threatens a company asset or resource.
- COSO Enterprise Risk Management (2017)
- ISO 27005
- NIST 800-30
- AICPA SOC for Cybersecurity
- Center for Internet Security Risk Assessment Method (CIS-RAM)
Risk management is not an activity that can be delegated to someone else – every key person in the company has a role to play in an effective risk management process. Board members and those responsible for governance need to be aware of the risks facing the organization, provide appropriate oversight of risk management activities and incorporate discussions about risk into their periodic meetings. Risk Officers need to know how to collect data and articulate the nature of risks to Security Officers and Risk Response teams. Business Unit Managers and Product/Data Owners must also participate in the risk management process so that reasonable and objective evaluations of the likelihood and impact of identified risks can be made.
Enterprise risk is broad and encompasses a wide range of risks, including strategic, environmental, market, credit, operational and compliance. Each of these has an underlying information technology-related risk, so IT risk is where most organizations have their biggest exposure, and where they should choose to focus first.
Why are Risk Assessments Important?
- Serve as a qualitative and quantitative means to prioritize control activities within the organization
- Help to identify controls that need to be strengthened
- Assessments are the de facto standard component of all risk management and cybersecurity frameworks
- Because it’s the law:
  - HIPAA Security Rule – for organizations that have protected health information
  - FTC Consent Orders – risk assessment is a common component
  - Gramm-Leach-Bliley Safeguards Rule – for personal financial and banking information
  - GDPR – General Data Protection Regulation, covering personal information of individuals within the EU
  - … and many state and local jurisdiction regulations
- Courts for centuries have been using “risk” to determine whether a defendant was acting as a “reasonable person” when harm occurred
- Last year, Ohio passed SB 220, the “Ohio Data Protection Act”, which provides a legal safe harbor against tort lawsuits for a company that has implemented one of several cybersecurity frameworks specified in the law
- Regulations, statutes, information security standards and common business sense all tell us to demonstrate “reasonable security”
- You don’t want to find out for the first time during a forensic investigation how you should have defined “reasonable”
How are Risk Assessments Conducted?
- Identify information security threats and threat actors
- Determine the level of inherent risk (how prevalent and damaging is the threat?)
- Identify and evaluate existing controls which are intended to reduce the threat’s risk
- Determine the level of residual risk after considering the effectiveness of existing controls
- Conclude whether existing controls are sufficient to meet risk management objectives, or whether additional or improved controls are recommended
The steps to follow are somewhat intuitive; however, processes that are better designed and mature will yield stronger risk evaluation conclusions. For example, the evaluation of inherent and residual risks relies on assessments of the likelihood a threat will occur, and the impact on a business or its assets and resources if it does occur. The value derived from the risk assessment process you follow, and how close you get to implementing reasonable controls, depends on the structure and objectivity built into your risk assessment process.
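As an added example (not from the article and not CIS RAM's own method), the five steps above worked through in Python over a small constructed risk register: 1-to-5 likelihood and impact scales, inherent risk, controls credited only to the extent they were evaluated as effective, residual risk, and a conclusion against a risk acceptance threshold. The scales, control ratings, threshold and register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# 1..5 ordinal scales for likelihood and impact (constructed here, not the CIS RAM scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
EFFECTIVENESS = {"effective": 1.0, "partial": 0.5, "ineffective": 0.0}  # step 3 rating

@dataclass
class Control:
    name: str
    reduces_likelihood: int  # steps down the likelihood scale when fully effective
    reduces_impact: int      # steps down the impact scale when fully effective
    rating: str              # key of EFFECTIVENESS, from evaluating the control

@dataclass
class Threat:
    name: str
    actor: str               # step 1: internal or external actor
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

def inherent_risk(t: Threat) -> int:
    """Step 2: risk before any control is credited."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]

def residual_risk(t: Threat) -> int:
    """Step 4: credit each control only as far as it was evaluated as effective."""
    lik, imp = LIKELIHOOD[t.likelihood], IMPACT[t.impact]
    for c in t.controls:
        f = EFFECTIVENESS[c.rating]
        lik -= int(c.reduces_likelihood * f)  # floor, so a partial control is never over-credited
        imp -= int(c.reduces_impact * f)
    return max(1, lik) * max(1, imp)          # scales bottom out at 1, never at zero risk

def conclude(t: Threat, acceptable: int) -> str:
    """Step 5: compare residual risk with the risk management objective."""
    return "sufficient" if residual_risk(t) <= acceptable else "additional or improved controls recommended"

def assess(register: list, acceptable: int = 6) -> dict:
    return {t.name: (inherent_risk(t), residual_risk(t), conclude(t, acceptable)) for t in register}

# Constructed register entries for the demonstration.
REGISTER = [
    Threat("ransomware on file servers", "external", "likely", "severe",
           [Control("offline backups", 0, 3, "effective"), Control("email filtering", 2, 0, "partial")]),
    Threat("privileged misuse by an administrator", "internal", "possible", "major",
           [Control("quarterly access review", 1, 0, "ineffective")]),
]
```

With the threshold of 6, `assess(REGISTER)` concludes "sufficient" for the ransomware entry (inherent 20, residual 6) while the privileged-misuse entry, whose only control was rated ineffective, stays at 12 and is flagged for additional controls.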
Reasonableness and objectivity are fundamental concepts that need to be understood, and this is why GBQ has selected the Center for Internet Security’s Risk Assessment Method (CIS RAM) as our risk assessment methodology. GBQ’s team of specialized security analysts and IT auditors uses CIS RAM to help our clients identify and remediate risks in their businesses. CIS RAM provides many benefits, including the following:
- provides three different approaches to support organizations at three levels of capability and maturity
- conforms with the established information security risk assessment standards found in NIST SP 800-30 and ISO 27005
- provides objective and understandable instructions and templates for conducting a cybersecurity risk assessment
- evaluates risk as regulators expect
- balances the burden of the controls on the organization with the potential harm a breakdown in controls could have on others
GBQ is a Center for Internet Security Business Resource Partner; contact us today for an introduction to the CIS Risk Assessment Method (CIS RAM).