Protecting a company now means protecting not only its systems and networks but also its physical property and its employees’ practices. Companies are moving beyond buying vulnerability-scanning tools and applying patches; they now look for ways to proactively improve corporate resilience rather than reacting to each new vulnerability alert. This new posture is motivated partly by self-preservation and partly by increasing legislation and regulation. Information security assessments have rapidly become a requirement in both government and industry. The Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA) are driving efforts to improve corporate security practices to meet a defined standard of due care. Reducing security risk is no longer a luxury; it is an essential part of business success.

Method Possibilities

Many types of information security risk assessment are available in both the public and private domains. Organizations can conduct some assessments themselves; others should be conducted by external consultants. To choose the right assessment method, consider your organization, its business objectives, current legislation, and any partnerships and supply chains. Also consider the method’s ability to do the following:

- Assess security risks without disrupting organizational operations.
- Assess risks in a business context, so that the return on security spending can be judged.
- Enable targeted improvements.
- Assess risks in relation to your own business goals, objectives, and mission.

Why is it so difficult to find the right assessment method? No single method works under all circumstances or for all organizations. Vulnerability evaluations examine only specific systems or components to identify known weaknesses; they cannot identify unknown weaknesses, nor can they estimate the company-specific impact and probability of a weakness being exploited. Model-based assessments such as CRAMM, COBRA (Consultative, Objective, and Bi-Functional Risk Analysis), or any HIPAA-specific method indicate how closely your company approaches a designated ideal, but may not identify risks. System certification relies on predefined standards of what a secure system should be and on the system developer’s ability to define and implement the right operational security requirements.

Asset-Based Assessments

Asset-based assessments, on the other hand, examine the information that must be protected and how well systems and security practices provide that protection, giving a broader view of your organization’s security posture. They look first at the information that is critical to meeting business objectives, then at the systems that support that information. Asset-based assessments answer the following questions:

- What needs to be protected?
- From whom and from what must it be protected?
- How is it threatened?
- What happens if it is not protected?
- How can protection be improved?

Focusing on critical assets also makes effective use of scarce resources. Intelligent spending choices are essential to avoid an unbalanced security budget that favors technological solutions at the expense of employee education and training. Further, protecting critical assets usually provides sufficient protection for less critical assets as well.

Multiple Objectives

So how does a company efficiently meet multiple objectives when no single method serves them all? Conducting several assessments one after another is exhausting and requires extensive resources. A better approach is to combine assessment methods and techniques. A standard of due care such as HIPAA or ISO 17799 can be embedded within an asset-based assessment (such as OCTAVE®) to measure compliance and, at the same time, identify risks for security improvement efforts. Some general guidelines:

- Determine the required objectives of the security assessment: practice improvement, compliance, controls audit, risk reduction, and so forth. One objective is primary; the rest are likely secondary.
- Investigate the best available methods that meet the primary objective and determine whether any of them meet, or can be adapted to meet, the secondary objectives.
- If you cannot find a suitable method or tailor one, you may need to use multiple methods and combine several of their activities to streamline the process. If specific, unique activities are required to meet a secondary objective, determine the best placement of each activity within the assessment method and integrate it there.
- Include experts in the applicable standards on the assessment team.
- Gather information once, but analyze it multiple times. Most risk assessment methods use similar activities or techniques for gathering information; the differences usually lie in how the gathered information is organized, analyzed, and presented. Combining results is tricky unless you prepare in advance to ensure that the data being collected is sufficient for all the methods in use.
- Methods supported entirely by automated tools, or by a collection of tools, may prove too difficult or expensive to adapt (if adapting them is possible at all), and any combination or reuse of their information for multiple purposes will have to occur outside the tools. Consultants or vendors who supply proprietary methods or tools are also unlikely to support this kind of integration without a suitable incentive. This is a powerful reason to acquire a method from the public domain and build your own internal ability to assess security risk.

Conclusion

During the assessment and at its end, review the results to identify any unexpected gaps or missing information. Collect any missing information before proceeding too far into the assessment.
If gaps are not discovered until the end, make sure there is time to finish the needed activities; adapted methods should have a plan and schedule that allows for the unexpected. Finally, if you use any form of enterprise risk management or attempt to integrate security risks with other corporate risks, compare the results of the security assessment with those of the other assessments, identify overlaps and conflicts in risks and mitigation plans, and adjust as needed.

It is a waste of resources and energy to run multiple, standalone security risk assessments. While there is no single solution for all security risk assessment needs, some methods can serve multiple purposes. An asset-based method, for example, can be combined or expanded to meet many assessment objectives. Consider both short- and long-term needs before selecting an approach, and then fit the chosen approach to those needs.

(c) 2005 Cutter Consortium. All rights reserved.