For any business, regular risk assessments are a fundamental part of a risk management process. They allow you to determine your acceptable level of risk and what control measures you need. Calculating a risk rating is a fairly involved process and a lot of information is required. You need a holistic view of the entire system, process, or application in order to fully understand what’s going on.
A big piece of the risk assessment process is assessing (and rating) your unique control environment. At Sage, we look at several categories of information and in order to rate them. Here are some of the factors that we consider when rating our findings.
Without context, information can be misinterpreted. When rating a control, it’s not a pass or fail test. You have to take into account the context surrounding each control. That’s why we look at a controls in the context of the:
- Individual system
- LAN architecture
- WAN architecture
- Interfaces (both internal and external)
- Users and use
- Administrators and administration
- Physical environment
- Organizational environment (i.e., governance, oversight, etc.)
We also take into account the context surrounding the size, scope, and complexity of an organization, along with the business-type because that can drive regulatory requirements or best practices that should be followed.
#2. Compensating Controls
Technical limitation can often prevent a preferred control from being implemented. However, there are many cases when a control can be implemented to compensate for a deficiency. Here are a couple of examples.
- A system with weak authentication controls can be compensated for by strong oversight controls. We encounter many systems where a default generic user account must be used. It cannot be disabled or deleted. Implementing controls such as Password escrow (a mechanism used to securely store passwords and / or electronic cryptographic keys), command-line controls, or creating a schedule of use for the account (where you can always tie actions back to an individual) can compensate for this deficiency and mitigate risk.
- The inability to practice segregation of duties for development, testing, and promotion of code into production can be compensated by assigning an independent approver. We find this a lot in smaller companies that don’t have a huge staff of software developers. In this case, having one person developing and testing the code, and someone in another department approving its promotion to the production environment can reduce risk.
#3. Complementary Controls
Now we’re looking at a layered approach to implementing controls, also known as defense-in-depth. Risk ratings can vary widely depending on the complementary controls put in place to strengthen a control and reduce risk to an acceptable level.
Here’s an example of a hierarchy of different ratings when looking at Remote Access Controls.
- Severe Risk Condition: An administrator can access the network from any device, at any location, with single-factor authentication. Because there are a variety of ways that attackers can (quite easily) compromise credentials, this is not an adequate control for the significant impact this level of access could have.
- Elevated Risk Condition: If this scenario was that end-users were permitted access, only from company-owned devices, with single-factor authentication, it would just be elevated risk. Because there is a slightly smaller attack surface and less impact because we’re talking about end-user access as opposed to administrator access.
- Low (Normal) Risk Condition: Now, if this scenario was that end-user access is permitted only from company-owned devices with installed certificates, restricted by IP address, using single-factor authentication, it’s a low risk.
Ultimately there would still be some risk finding in this scenario because single-factor authentication is allowed. However having layers around that single-factor authentication remote access mitigates some risk, and reduces the risk condition.
#4. Changing Environment
Controls that remain static while contextual risk increases may result in a higher risk rate for the same control over time. The threat landscape is constantly evolving. New vulnerabilities are found. New exploits are discovered for existing vulnerabilities. A certain type of cyber-attack becomes more prevalent. Controls have to evolve as well.
We also contextualize our risk ratings based on institutional memory, which is important in an environment that’s constantly changing. Too often we see policies, standards, procedures, and processes as check-box items. Instead we recommend they be considered living documents. Documents that actually contain the memory of the organization and are always kept up-to-date.
#5. Peer Review & Team Discussion
As you can see, there is some subjectivity when assessing risk. At Sage, risk assessments are always peer-reviewed to ensure nothing was missed and to question a rating, if warranted. Not everyone sees things the same way. Open discussion always helps find the right rationale for the context of the finding – and helps us land on the right result for our client.
#6. Current Threat Intelligence
Of course in order to properly assess risks, staying current is critical. At Sage, training and education are part of our core values. We offer formal training allowances and stay up-to-date in a variety of ways including:
- Threat intelligence news feeds (i.e., FS-ISAC).
- Email lists and services from NIST, NSA, FBI, and core industry vendors.
- New regulatory source material.
- Examiner or auditor feedback from clients.
The current threat environment impacts how we contextualize a control and impacts the rating level, and is an important step in the risk assessment process.
Finally, at Sage, an important part of any risk assessment we perform is getting feedback from our client. While all our ratings are based on the items mentioned in this post, there are sometimes things we aren’t aware of. Maybe the client didn’t reveal information during the interview phase that would have impacted results, either because they didn’t know at the time or someone else knew it. Or perhaps something in their environment has changed since the interview. Either way if a client disagrees and has a defendable rationale, we will take that into account.
Learn more! Read 6 Steps to a Cybersecurity Risk Assessment.
We can help you establish acceptable risk for your business goals
Sage's Risk Management Framework Development engagement is designed to protect your entire organization and its ability to carry out its mission. We work collaboratively with you to develop an operational framework that is optimized for the size, scope, and complexity of your company. The outcome will help you realistically and cost-effectively protect information assets while maintaining a balance of productivity and operational effectiveness.