In information security, various regulations require a periodic risk assessment. The Payment Card Industry (PCI) Data Security Standard (DSS) is no exception. For PCI-DSS, the risk assessment process is designed to identify, analyze, and document risks to credit card data. The assessment is the integral component of the risk management strategy, and therefore should be used to manage threats and vulnerabilities, and document control effectiveness. Continue reading
An Information Security (INFOSEC) Risk Assessment is the first step in identifying which data needs protection, controls around that data, and the risk level of each of those areas. The question many CISOs or CSOs ask is: “Why should I have an INFOSEC done?” SecureState believes an INFOSEC can help determine which areas of security need improvement. Then efforts can be directed at the critical areas that need the most remediation.
A good INFOSEC exhibits five key aspects that make it valuable to the client. So, make sure an INFOSEC is:
- High Level
- Useful and Affordable
- Understandable to Executives
- Following a Framework
- Set up to make Assumptions and Quantify Data
The first aspect of a good INFOSEC Risk Assessment is that it must take a high level perspective. You need to take a few things into consideration so the INFOSEC is conducted at a high level.
You need to understand how a business runs and how it makes money. By knowing how a business runs, you are able to determine both the business’s valuable assets and which areas need the most security.
You also must give the business an organized Timeline. Anyone can just provide a list of vulnerabilities; those are average INFOSECs. If you want to make your Risk Assessment better than the rest, you have to inform the client of what they need to do to fix their vulnerabilities, when they need to do them, and in what order, so they don’t drag their feet.
Useful and Affordable
The second aspect of a good INFOSEC is that it must be useful and affordable. At SecureState, we believe that an Assessment should cost no more than $15,000 for a company worth $5 billion. An INFOSEC is not an Assessment you want to spend the majority of your budget and time on. Generally, an INFOSEC should take no longer than one week to complete.
On the other hand, it needs to be useful for a company and not just result in a list of problems. The Assessment should give the client steps and activities to take to resolve their vulnerabilities. It needs to have a roadmap, so technicians know what to do to ensure that their vulnerabilities are at a minimum.
Understandable to Executives
The third aspect of a good INFOSEC is that it needs to be understandable to executives. An INFOSEC needs to result in a final deliverable that informs the client of the results of their Assessment; however, it needs to be written in business language, not IT language. This allows the CISO or CSO to understand exactly where their vulnerabilities are and what the risk level of each one is, pointing them in the right direction regarding what to work on first when fixing their issues. Most importantly, it leaves the technical terminology for the IT specialists to interpret and implement.
Follow a Framework
Following a framework is the fourth aspect that a good INFOSEC exhibits. A framework lends the Assessment validity, consistency, and repeatability. At SecureState, we base our INFOSEC on the National Security Agency’s (NSA) INFOSEC Assessment Methodology (IAM). Because they are consistent and repeatable, current INFOSEC results can be compared to previous years’ results to see if there was any growth. You can also compare the client’s status to other companies of similar size and stature to show them where they stand.
Make Assumptions and Quantify Data
The fifth and final aspect of a good INFOSEC Assessment is that it should be set up to allow the consultant to both make assumptions and quantify data. The assumptions are made about threats to the company from discussions with employees and from general threats to similar companies. At SecureState, we use the “Risk Equation,” which can be seen in the graphic below, to calculate risk empirically, rather than subjectively.
In the Risk Equation, we are mainly looking at the boxes in red. When SecureState makes assumptions through discussion or our own experiences, we look at two main items: the likelihood of the threat and the impact of the threat. In an INFOSEC Assessment, this helps a company understand where they need to start fixing their vulnerabilities. Two good Assessments that identify vulnerabilities are Penetration Tests and Vulnerability Assessments, whereas the INFOSEC itself, as well as PCI and other controls Audits, will identify controls.
So when looking at purchasing an INFOSEC Risk Assessment, or when implementing one, I would highly recommend making sure that these five aspects are included in it. By conducting an INFOSEC that exhibits these aspects, you will get the biggest bang for your buck. For more information on the INFOSEC Risk Assessment, visit the links below: