The goal of a risk assessment is to determine where an organization may be most exposed, or where something bad might happen that could hurt the organization's ability to deliver on its intended mission. The quality of all other security assessments will improve if you're using the results of a recent risk assessment as one of your key inputs.

When you're conducting a risk assessment, your goal will be to identify threats and vulnerabilities that could potentially harm the organization. Knowing the difference between a threat and a vulnerability is essential. Fortunately, we can turn to NIST, the National Institute of Standards and Technology, to help us better understand that difference.
NIST considers a threat to be a circumstance or event that could damage the confidentiality, integrity, or availability of information or information systems. That means if something or someone could expose an organization's secret information (stuff like intellectual property or customer personal information), or if that thing could make changes without the proper approvals, or if that person could take a web application offline, well, then that's a threat.

A vulnerability is a weakness that enables the threat to be successful. A missing security patch is a great example of a vulnerability; so is a default admin password still in use on some internet-facing web portal. When it comes to availability, the fact that a data center is located in an area prone to flooding or tornadoes is an example of a physical vulnerability.
During your risk assessment you'll identify the threats and vulnerabilities about which the organization should be concerned, and then you'll score the potential likelihood and the potential impact of each risk. Likelihood is the probability that a threat might actually succeed in exploiting a vulnerability.

Let's look at malware as an example. What's the likelihood that your laptop will get infected with a virus? Well, it depends on a number of things, doesn't it? Do you run an antivirus program? Do you use your laptop to access the internet? Do you open email attachments from people you don't know? As you ask relevant questions about each threat and about how exposed you might be to different attack vectors, it should become apparent whether the risk you're considering is highly likely to do harm, highly unlikely, or somewhere in between. That's why NIST relies on a high, medium, low scale when scoring risks.
You also need to consider the impact, though, to get an accurate risk score. If your laptop gets infected with malware, well, that'll make for a bad day for you. But what if the entire server network at your company gets infected with malware? The impact of an incident like that would be much more expensive, since it impacts a lot more people. NIST follows the same low, medium, high scoring methodology for the impact as it does for likelihood. All you have to do is combine the two scores, often through a simple math equation, and voila, you have a risk score.
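To make the scoring step concrete, here is a small risk register that rates each threat/vulnerability pair on the low/medium/high scale for both likelihood and impact, combines them, and sorts the register into the prioritized list the report needs. This is an added example, not code from the course; the product of the two ordinal values as the "simple math equation", the rating thresholds, and the sample register entries are all assumptions.

```python
"""Risk register scored on a three-level likelihood x impact scale.
Added illustration; threat/vulnerability pairs below are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal values for the low/medium/high scale used for both ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    threat: str          # circumstance or event that could hurt C, I or A
    vulnerability: str   # weakness that lets the threat succeed
    likelihood: str      # "low" | "medium" | "high"
    impact: str          # "low" | "medium" | "high"

    def score(self) -> int:
        """Combine the two ratings by multiplying their ordinal values
        (assumed combination rule); result is 1..9, higher is worse."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def rating(self) -> str:
        """Map the product back to an overall low/medium/high rating.
        Assumed thresholds: 1-2 low, 3-4 medium, 6-9 high."""
        s = self.score()
        if s >= 6:
            return "high"
        if s >= 3:
            return "medium"
        return "low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the register from highest to lowest score, so the report
    leads with the risks leadership should watch most closely."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample register, echoing the examples in the narration.
REGISTER = [
    Risk("malware infection", "unpatched user laptop", "high", "low"),
    Risk("malware infection", "unpatched server network", "medium", "high"),
    Risk("unauthorized admin access", "default password on portal", "high", "high"),
    Risk("data center outage", "facility in a flood-prone area", "low", "high"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score()} ({r.rating():6}) {r.threat}: {r.vulnerability}")
```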
If you've never conducted a risk assessment, my advice to you is that you don't get caught up in the details just yet. Again, the goal of a risk assessment is to prioritize risks so that you can take the necessary action to reduce those scores to an acceptable level, based on the leadership team's risk appetite.

When preparing for an upcoming risk assessment, make sure to do your research. Verizon's Data Breach Investigations Report has a lot of real-world data on actual security incidents that resulted in data breaches, and so does the Privacy Rights Clearinghouse chronology of data breaches. You can also turn to industry-specific Information Sharing and Analysis Centers, or ISACs, for threat and vulnerability information relevant to your specific industry. You can even turn to your internal IT service management system for historical help desk ticket information. As a matter of fact, I highly recommend that you do just that before embarking on your first risk assessment.

At the end of the day, you should have a report that contains a prioritized list of information security risks that your leadership team will want you to keep a close eye on.