Hi fellow security practitioners:
I want to post this general question in terms of your general risk assessment process.
Coming from a tech background, my approach to the security domain is mostly bottom-up and technology driven.
However, I'm currently being put in a position to look at it more from a top-down, policy-driven approach.
That said, if you were to initiate a company-wide security program, when you start with a formal risk assessment process, do you:
1. Seek an external vendor for the risk assessment project?
1a. If yes, how do you select those vendors? What criteria do you use to select them?
1b. Do you have any recommendations for SMBs?
1c. If not, what kind of tools do you use to DIY?
1d. How do you know you have considered all the risks? I started a DIY approach based on my understanding of NIST SP 800-30; however, I'm always unsure about when I would consider myself to have "covered all the bases" given my limited knowledge outside of my domain.
Thanks, and I'm looking forward to reading your takes.
Whew! This is a much bigger question that must be broken down into some smaller chunks before the board can answer with any certainty.
First, is there a particular compliance requirement you're looking to solve? A HIPAA risk assessment will be very different from, say, GLBA or a general non-specific compliance regime.
What is your budget or is this simply a homegrown effort to reduce risk?
Do you have executive shepherding to help push this initiative through? Any internal resistance? Who is your intended audience? An internal audience will have very different desires than say an external client looking for a SOC 2/SSAE 18.
Food for thought if not conversation. This is actually a business question, hence all the additional questions.
I agree that it's a business question.
The subtext from my exec is:
"Oh... if we want to hire some firm to do an overall risk assessment, how much do I need to set aside in the budget? 5k? 20k?"
Background about my scenario so far:
My company is a 50-person fin-tech startup (pre-A, so general 'do more for less' type budgeting).
We have recently been certified PCI-DSS compliant.
As part of our compliance journey, I've drafted our internal risk assessment report with pointers from our QSA (that's my DIY spreadsheet risk-matrix-type document, and this is where I always think it can be done in a broader sense as opposed to 'just doing it for PCI').
As far as covering our bases is concerned, what I've expressed to my exec team is that even though we have done an internal risk assessment report related to our certification, it is preferable to have another set of eyes oversee it (outside of my team, which might have a technical bias).
Hence the question about how we would look for vendors.
Generally speaking, I have buy-in from my exec team. Any resistance (if at all) would mostly be down to the fact that we don't know what to expect.
The report would be mostly internal in the sense that it should guide us to further drive business decisions on addressing risks. This is also why I'm posting this as a 'general' question and am still looking for advice on a competent DIY-type workflow/tools.
From a top-down approach, you are going to need to identify your breakeven costs. That is, how much of what is your organization willing to lose before the management decides to simply go out of business. Then from that decide how much operating income the leadership is willing to give up in the name of security – this results in both identifying the priority of your valuable assets and your tentative security budget.
You can do this one of three ways. First, you recommend to your leadership that they bring on a Management Accountant to help you value the business operations and their corresponding information assets – or you outsource this to a Risk Management company (they also go by the term “Accountants”). You’re probably looking for the SMB version of one of the Big Four here (Deloitte, PwC, EY, and KPMG). Or third, you can start refreshing yourself, say by studying for a specialist exam like the CISA or by taking Management Accounting courses at a local college.
Once you have your most valuable assets identified, the next step is to begin identifying the hazards that the assets face. You may (or may not) want to strike off the list anything that has an industry-standard mitigation control … e.g. the most valuable asset is the computer with all of the customer/transaction data on it, a hazard is equipment theft or physical vandalism, but there are locks on the doors and a building alarm system. You also place as a priority on the list anything that you’re required to do by law or regulation (e.g. PCI compliance).
At the next stop on our journey you’re providing a report for leaders on priorities to address. At this crossroads, you are giving your leadership their exposure and giving them choices. If you hire an outside firm, they should have a good idea of the information assets, regulatory environment, and threat-vulnerability landscape – but they may also be relying upon you to assist them in identifying these things. Your risk assessment equations come into play here. You then take your tentative budget and begin applying it to the weighted average of your highest priorities until your leaders cry uncle. This is the risk mitigation, acceptance, avoidance phase.
You can go back to your CISSP reference materials and work through it yourself – but an outside firm should be able to give you a quote on their engagement fees. You may find that leadership thinks this is a good value, or they may be too high and you can expect to be spending your nights reading up on probability factors and cost equations. 😄
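The reply above describes the quantitative loop in words: value the assets, list the hazards, push anything legally mandated to the top, then spend the tentative budget down the priority list until it runs out. The script below is an added illustration of that loop and is not the replier's code or any vendor's methodology. It uses the standard CISSP-style formula ALE = SLE × ARO (annualized loss expectancy = single loss expectancy × annualized rate of occurrence), which the reply alludes to but does not spell out, and every asset, hazard, dollar figure and rate in the register is a constructed sample value.

```python
"""Quantitative risk register, funded in priority order against a fixed budget.

Added example. The formula is the textbook ALE = SLE x ARO; all assets,
hazards, costs and rates below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str
    hazard: str
    sle: float               # single loss expectancy per event, USD
    aro: float               # annualized rate of occurrence, events/year
    mitigation_cost: float   # annual cost of the proposed control, USD
    residual_aro: float      # ARO expected once the control is in place
    mandated: bool = False   # required by law/regulation (e.g. PCI DSS)
    existing_control: str = ""  # industry-standard control already in place, if any

    @property
    def ale(self) -> float:
        """Expected annual loss with no new control."""
        return self.sle * self.aro

    @property
    def residual_ale(self) -> float:
        """Expected annual loss after the proposed control."""
        return self.sle * self.residual_aro

    @property
    def risk_reduction(self) -> float:
        return self.ale - self.residual_ale


def total_ale(scenarios):
    return sum(s.ale for s in scenarios)


def prioritize(scenarios):
    """Mandated items first regardless of economics, then by descending ALE."""
    return sorted(scenarios, key=lambda s: (not s.mandated, -s.ale))


def allocate(scenarios, budget, strike_controlled=False):
    """Fund mitigations in priority order until the budget is exhausted.

    strike_controlled=True drops items that already have an industry-standard
    control (the optional step the reply mentions). Returns
    (funded, accepted, remaining_budget, residual_exposure).
    """
    if strike_controlled:
        scenarios = [s for s in scenarios if not s.existing_control]
    funded, accepted = [], []
    remaining = budget
    for s in prioritize(scenarios):
        # A control that costs more than the loss it prevents is not funded
        # unless regulation demands it; the risk is accepted instead.
        worthwhile = s.mitigation_cost <= s.risk_reduction
        if (s.mandated or worthwhile) and s.mitigation_cost <= remaining:
            funded.append(s)
            remaining -= s.mitigation_cost
        else:
            accepted.append(s)
    residual = sum(s.residual_ale for s in funded) + sum(s.ale for s in accepted)
    return funded, accepted, remaining, residual


# Constructed sample register for a small payments company.
SAMPLE_REGISTER = [
    Scenario("cardholder DB", "unpatched internet-facing service exploited",
             400_000, 0.20, 30_000, 0.02, mandated=True),
    Scenario("cardholder DB", "insider exfiltration", 400_000, 0.05, 25_000, 0.01),
    Scenario("laptops", "theft of unencrypted device", 50_000, 0.50, 8_000, 0.05),
    Scenario("office server room", "equipment theft", 120_000, 0.10, 40_000, 0.05,
             existing_control="door locks and building alarm"),
    Scenario("build pipeline", "compromised dependency", 150_000, 0.10, 6_000, 0.03),
]


def report(scenarios, budget):
    """Return the leadership-facing summary lines: what is funded, what is accepted."""
    funded, accepted, remaining, residual = allocate(scenarios, budget)
    lines = [f"Starting exposure (ALE): ${total_ale(scenarios):,.0f}  budget: ${budget:,.0f}"]
    for s in funded:
        lines.append(f"  FUND   ${s.mitigation_cost:>7,.0f}  {s.asset}: {s.hazard} "
                     f"(ALE ${s.ale:,.0f} -> ${s.residual_ale:,.0f})")
    for s in accepted:
        lines.append(f"  ACCEPT          {s.asset}: {s.hazard} (ALE ${s.ale:,.0f})")
    lines.append(f"Residual exposure: ${residual:,.0f}  unspent: ${remaining:,.0f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER, 50_000)))
```

With the sample register and a $50k budget the mandated PCI item is funded first, the laptop and build-pipeline controls follow because each costs less than the loss it averts, and the insider and server-room items are listed as accepted risk for leadership to sign off on. Changing the budget or the rates is the "until your leaders cry uncle" conversation in numbers.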
I recommend the following questions to ask yourself.
Do you have company strategy and direction aligned to your policies and standards?
Do the policies and standards account for other regulatory bodies that your company abides by (e.g. Payment Card Industry, HIPAA, GLBA, etc.)?
Do you have a risk management framework?
Do you have risk tolerance defined? Is it mapped to risk buckets that enterprise risk management has consulted on, and are they actionable to reduce risk?
Do your standards have mappings to controls?
Have you identified all your assets by Inherent Risk?
Self-assessing against these questions may help you understand your maturity to perform a risk assessment that aligns with your standards.