Conducting Cybersecurity Risk Assessments Guide: The Complete Introduction

Cybersecurity risk assessments are a means for organizations to assess risks to their information technology assets and are a core requirement of most cybersecurity frameworks. However, specific guidance on how to conduct these assessments is typically not included in framework requirements, or is quite difficult to parse from the dense language. This is often by design, as the intent is to encourage organizations to build a risk management program unique to the type of business being conducted and the type(s) of data being processed. But this often leaves organizations uncertain about where to start. 

This Cybersecurity Risk Assessment Guide provides specific guidance on how organizations may choose to build a cybersecurity risk management program and a cyber risk assessment process that will ensure compliance with commonly-used cybersecurity frameworks. It includes:

  1. A process flow for building and managing a cybersecurity risk management program.
  2. Steps to identify cybersecurity risks, with key activities and questions to ask.
  3. A step-by-step overview for conducting basic risk assessments and advancing your risk assessment sophistication over time.
  4. Treating cybersecurity risks by choosing the most appropriate method for your organization.
  5. Key considerations when building meaningful cybersecurity risk reporting.
  6. Common cybersecurity frameworks and their specific requirements around risk management, including SOC 2, ISO 27001, PCI 4.0, NIST CSF, and more.

CrossComply customers can go a step further to learn how to perform the various necessary activities described below within AuditBoard — simply click here to log in and follow the “CrossComply Connection” prompts for additional guidance. 

What Are the Principles of Cybersecurity Risk Management?

Cybersecurity risk management typically uses the same core components as more general risk management programs, including:

  • Risk Identification – Identifying risks to cybersecurity assets and data processing environments.
  • Risk Assessment – Assessing identified risks based on the organization’s environment(s), including the identification of inherent (initial) risk and residual (post-treatment) risk.
  • Risk Treatment – Creating and implementing a plan to treat risks based on available resources and options, including transferring, avoiding, accepting, and mitigating risk.

Using these shared principles also provides an organization with the opportunity to include cybersecurity risk management as a subset or component of its IT Risk Management and/or Enterprise Risk Management (ERM) program, which is a common best practice.

How Do You Build and Manage a Cybersecurity Risk Management Program?

Developing and maintaining a cybersecurity program that incorporates effective cyber risk management is a momentous task that CISOs and other information security and risk professionals struggle with. Part of the complexity comes from the sheer number of cybersecurity threats that face modern businesses of every size. It also comes from the host of available frameworks — which one should your organization choose?

A good place to start building a cybersecurity risk program is through a cyber risk assessment or security risk assessment — whatever you’d like to call it. A cybersecurity risk assessment involves taking a deep dive into an organization’s security controls in relation to the cyber threats and risks that face them. These assessments can be performed by internal or external parties, but if this is your first time conducting a risk assessment of any sort, I recommend contracting a third party to get a fair, objective, and external view of your security posture. Starting with an assessment based on the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is rigorous, but will cover most of your bases and integrate with other risk management frameworks that may be utilized at your company. Other standards and organizations, like ISO 27001, SOC 2, COSO’s ICIF, and guidance from the CIS, are also viable choices.

A cyber risk assessment should result in a list of findings and recommendations designed to identify threats and potential risks, and address them appropriately.

Using the shared principles of risk management, organizations can assess their information security risk posture by moving through the three relevant steps of risk identification, risk assessment, and risk treatment to build a cybersecurity risk management program.

The process flow below provides a means of creating and managing a cybersecurity risk management program and can be useful for organizations when first getting started.

[Figure: Building and managing a cybersecurity risk management program flow chart]

Identifying Cybersecurity Risks

Risk identification is the process of identifying risks to the organization’s information assets. This is an iterative process and new risks will be identified over time. However, it is important for the organization to identify as many risks as possible to build an initial list of these risks, which is commonly known as a risk register. A cybersecurity risk assessment can help build this initial register.

Prior to identifying cybersecurity risks, organizations may want to consider the scope of any compliance programs to be included in the risk assessment process, such as PCI DSS or SOC 2. This is a useful means of limiting efforts to identify risks initially to any areas that are specifically governed by one or more compliance programs. However, it is important for organizations to ultimately identify cybersecurity risks throughout the entire organization to ensure the best possible cybersecurity risk management program.

Identifying cybersecurity risks can seem like a difficult process, as there are potentially an endless number of risks to the organization. However, the following considerations can help to identify an initial risk register:

  • Data Classification – Identifying the types of data being handled by the organization and classifying it based on sensitivity and/or importance to the organization.
  • Data Processing Scope – Identifying the specific assets, especially critical assets and information systems, processing environments, and storage environments in which each type of data is handled.
  • Relevant Third Parties – Identifying vendors, providers, and other third parties involved in data processing activities.
  • Specific Framework Requirements – Identifying specific risk management requirements of any frameworks in scope for the cybersecurity risk management program.

Risks Versus Vulnerabilities and Issues

It is important to understand the difference between risks and vulnerabilities/issues. Generally, risks to the organization are ongoing, but the likelihood and potential impact of a risk will change over time based on several factors. Vulnerabilities and issues are generally temporary and are ideally remediated to remove the risk to the organization that they represent. However, most vulnerabilities and issues represent a temporary manifestation of a risk and therefore should be factored into the assessment process whenever they occur and until they are remediated. Organizations can and should conduct periodic vulnerability assessments using available resources and technology to improve their IT security posture and protect key IT infrastructure.

Risk Identification Activities and Key Questions

Using the above considerations, the list and table below provide some examples of activities and key questions to ask to identify cybersecurity risks to the organization. 

  • Data Classification Exercise: Do we know the types of data being processed? 
    • Identified Risk: Cybersecurity Context Not Established
  • Data Classification Exercise: Do we process data types governed by regulations or mandates?
    • Identified Risk: Regulatory and Compliance
  • Data Classification Exercise: Do we process data types that could cause harm to the organization if inadvertently disclosed?
    • Identified Risk: Data Breach
  • Data Classification Exercise: Would the organization’s reputation be harmed by a data breach?
    • Identified Risk: Reputational Harm
  • Data Classification Exercise: Would the organization face financial penalties due to a data breach?
    • Identified Risk: Fines for Non-Compliance/Financial Sanctions
  • Business Continuity Planning: Can we continue business operations in the event that facilities are unavailable?
    • Identified Risk: Business Operation Cessation
  • Disaster Recovery Planning: Are we able to ensure the continuous availability of information processing environments?
    • Identified Risk: Critical Application Availability
  • Security Incident Response: Can the organization effectively respond to security incidents?
    • Identified Risk: Ineffective Security Incident Response
  • Processing Integrity: Do systems process data consistently and without errors?
    • Identified Risk: Data Processing Errors
  • Vulnerability Management: Do we identify vulnerabilities in IT networks and systems?
    • Identified Risk: Unidentified System Vulnerabilities
  • Configuration Standardization: Have we established standard configurations based on specific technology types?
    • Identified Risk: Inconsistent System Configurations
  • Access Control: Have we established policies and processes to restrict access to organization data based on role?
    • Identified Risk: Inappropriate Access to Systems or Data

[Figure: Risk identification activities and key questions table]

Assessing Cybersecurity Risks

Once a risk register has been established, organizations must assess each risk individually. Risk assessments should be conducted on an ongoing basis — at least annually — to comply with most cybersecurity framework requirements. Additionally, it’s important for organizations to consider both inherent and residual risks.

  • Inherent Risk – Level of risk prior to taking into consideration any mitigating factors like controls. Alternatively, this may be the current level of risk (including current mitigating factors) prior to any additional mitigation efforts.
  • Residual Risk – Level of risk after implementing mitigation strategies such as implementing controls and/or additional treatment options (see Treating Cybersecurity Risks below).

Conducting Basic Risk Assessments

There are numerous ways to conduct a cybersecurity risk assessment and organizations can mature their process over time to consider additional inputs in the assessment process (see Advancing Risk Assessments Over Time below). The methodology below aligns to the functionality included in CrossComply. It is a means of conducting basic risk assessments that will meet the requirements of the most commonly-used cybersecurity frameworks.

To determine the calculation used to assess cybersecurity risks, an organization must determine what considerations or factors will be included in the assessment. A risk assessment matrix applied to each risk can be helpful at this stage. Two of the most commonly-used scoring factors are Likelihood and Impact. AuditBoard’s CrossComply solution also uses Strength of Controls to determine residual risk.

  • Likelihood – what is the likelihood of a risk manifesting?
  • Impact – if the risk manifests, what will the impact be to the organization?
  • Strength of Controls – how does the strength of the organization’s controls impact residual risk?

Additional scoring considerations used in AuditBoard’s CrossComply solution include what is known as the CIA Triad (NIST SP 800-16):

  • Confidentiality – the assurance that information is not disclosed to unauthorized individuals or processes.
  • Integrity – the quality of an IT system reflecting the logical correctness and reliability of the operating system; the logical completeness of the hardware and software that implement the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
  • Availability – the timely, reliable access to data and information services for authorized users.

The CIA Triad is used to determine the overall likelihood and impact of each risk for both inherent and residual risk. Scores are calculated by using the following considerations:

Overall Impact

The overall impact of the risk event should consider the outcome of the risk if it is realized. The impact score of the risk should reflect the CIA Triad considerations above, the potential effect on the organization, and the severity of that effect.

Overall Impact – Scoring Scale:

  1. Very Low (1)
  2. Low (2)
  3. Moderate (3) 
  4. High (4)
  5. Very High (5)

Overall Likelihood

Likelihood is the anticipated frequency with which a security risk manifests within a year, disregarding the significance of its impact. The anticipated frequency is determined from the probability that the risk will manifest in any given year.

Overall Likelihood – Scoring Scale:

  1. Rare (1). Once a year or less; or Rare (0-10% annual probability)
  2. Unlikely (2). Once a month; or Unlikely (10-25%)
  3. Possible (3). Once a week; or Possible (26-50%)
  4. Likely (4). Multiple times a week but less than daily; or Likely (51-75%)
  5. Certain (5). Daily or multiple times a day; or Certain (>75%)

Strength of Controls 

Determine the strength of the control environment. The control environment is broken down by various types of preventive and detective measures. The strength of the controls can be directly influenced by the business and can be improved with increased attention in these areas. Assign a controls rating of 1 to 5 based upon the following criteria.

Strength of Controls – Scoring Scale:

  1. Inadequate (1). No Policies & Procedures. No Training. No Automated Controls. No manual controls. Risks are not controlled. Testing or audits have NOT been performed – or if performed, results indicate inadequate controls.
  2. Weak (2). Adequate Policies & Procedures exist. Weak reliance on automated controls. Effective Manual controls are in place with low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations noted with several Process Improvement Opportunities noted.
  3. Adequate (3). Adequate Policies & Procedures exist. Moderate reliance on Automated controls. Effective manual controls are in place with low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations noted with several Process Improvement Opportunities noted. 
  4. Effective (4). Adequate Policies & Procedures exist. Automated controls are in place. Effective Manual controls are in place. Moderate reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Observations noted are centered in Process Improvement Opportunities noted.
  5. Strong (5). Adequate Policies & Procedures exist. Automated controls are in place. Effective manual controls are in place. Effective reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk with no observations.

Using the scales and scoring factors above, overall risk scores can be calculated for each risk. Again, both residual and inherent risk scoring should be performed for each risk.

[Figure: Overall risk score calculation]

Sample Risk Assessment Calculation

Using the above calculation methodology, a sample risk assessment is performed below.

[Figure: Sample risk assessment calculation]
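The following is an added example, not code from the article or from AuditBoard’s CrossComply product. It scores a small, constructed risk register using the 1-5 Likelihood, Impact, and Strength of Controls scales defined above, maps an estimated annual probability to the Likelihood bands, and flags risks whose last assessment is older than the “at least annually” cadence. The page’s own score formula is only available as an image, so the Likelihood × Impact inherent score, the controls-based residual reduction, and the “stoplight” rating bands are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scales from the article (1 = lowest). Likelihood bands map an annual probability to a score.
LIKELIHOOD_BANDS = [(0.10, 1, "Rare"), (0.25, 2, "Unlikely"), (0.50, 3, "Possible"),
                    (0.75, 4, "Likely"), (1.00, 5, "Certain")]
IMPACT = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}
CONTROLS = {1: "Inadequate", 2: "Weak", 3: "Adequate", 4: "Effective", 5: "Strong"}
TREATMENTS = {"accept", "avoid", "transfer", "mitigate"}
REASSESS_AFTER = timedelta(days=365)   # "at least annually"
REPORT_DATE = date(2024, 6, 1)         # constructed reporting date for the sample run


def likelihood_from_probability(p: float) -> int:
    """Map an estimated annual probability (0.0-1.0) to the 1-5 Likelihood score."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, score, _label in LIKELIHOOD_BANDS:
        if p <= upper:
            return score
    return 5


@dataclass
class Risk:
    name: str
    likelihood: int        # 1-5
    impact: int            # 1-5
    controls: int          # 1-5 Strength of Controls
    treatment: str         # accept / avoid / transfer / mitigate
    last_assessed: date

    def __post_init__(self):
        for field_name in ("likelihood", "impact", "controls"):
            if getattr(self, field_name) not in range(1, 6):
                raise ValueError(f"{field_name} must be 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")

    def inherent_score(self) -> int:
        # Assumed formula: Likelihood x Impact, a 1-25 score before controls are considered.
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        # Assumed formula: Strong (5) controls retain 20% of inherent risk, Inadequate (1) retain 100%.
        return round(self.inherent_score() * (6 - self.controls) / 5, 1)

    def reassessment_due(self, today: date) -> bool:
        return today - self.last_assessed > REASSESS_AFTER


def rating(score: float) -> str:
    """Assumed 'stoplight' bands over the 1-25 range, for reporting."""
    if score <= 5:
        return "Green"
    if score <= 12:
        return "Amber"
    return "Red"


def register_report(risks, today: date):
    """Report rows ordered by residual score, highest first, with overdue reassessments flagged."""
    rows = []
    for r in sorted(risks, key=lambda r: r.residual_score(), reverse=True):
        rows.append({"risk": r.name, "inherent": r.inherent_score(),
                     "residual": r.residual_score(), "rating": rating(r.residual_score()),
                     "controls": CONTROLS[r.controls], "treatment": r.treatment,
                     "reassess_due": r.reassessment_due(today)})
    return rows


# Constructed sample register using risk names from the identification list above.
SAMPLE = [
    Risk("Data Breach", likelihood_from_probability(0.30), 5, 4, "mitigate", date(2023, 2, 1)),
    Risk("Inconsistent System Configurations", 4, 3, 2, "mitigate", date(2024, 1, 15)),
    Risk("Business Operation Cessation", 1, 5, 3, "transfer", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE, REPORT_DATE):
        print(row)
```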

Advancing Risk Assessments Over Time

Like enterprise risk management, cybersecurity risk management is an iterative process and should be continuously evaluated for opportunities for improvement. However, it’s important for organizations getting started with risk management to focus on what’s required to ensure compliance with applicable cybersecurity frameworks. In other words, don’t let perfection be the enemy of progress. Risk is more art than science, and organizations will develop the skill to be able to more easily identify, manage, and remediate risk over time.

Additional scoring factors can be implemented into risk scoring over time including:

  • Risk Velocity – how quickly will the risk affect the organization? This can be expressed qualitatively (i.e., Low, Medium, High) or quantitatively (i.e., <1 month, <6 months).
  • Open Vulnerabilities – do unremediated vulnerabilities exist in the organization? Generally, the higher the number of unremediated vulnerabilities, the higher the risk to the organization.
  • Asset Classification – do certain assets inherently represent more risk to the organization? This is useful in an asset-based approach to cybersecurity risk management and considers the sensitivity of data being processed by an asset and its general accessibility, among other factors.

Treating Cybersecurity Risks

Organizations have multiple options for treating risks, and should choose the option that is the most effective at reducing/eliminating the risk to the organization. Common treatment options include: 

  • Accept – The organization has decided the risk to the organization is minimal and/or further mitigation options are not available. Accepted risks should be reassessed periodically to ensure the associated risk level has not increased beyond acceptable levels.
  • Avoid – The activity or activities causing the risk to the organization is not an essential business function and can be stopped. 
  • Transfer – Ideally, risks are transferred to third parties with the ability to reduce the risk to the organization. Transferred risks should be reassessed periodically to ensure that the associated risk level with the third party has not increased beyond acceptable levels.
  • Mitigate – The organization has determined steps can be taken to reduce the risk to the organization, including the implementation of mitigating controls. Mitigated risks should be reassessed upon implementation of remediation plans to ensure an acceptable reduction in the level of risk.

Key Considerations for Meaningful Cybersecurity Risk Reporting

Risk reporting is a crucial component of any cybersecurity risk management program. Awareness of risks to the organization and active participation in reducing those risks is essential across the entire organization. Regular and meaningful reporting is one of the best ways to ensure such awareness and participation.

To ensure meaningful reporting, there are some key considerations that can be included when building cybersecurity risk reporting:

  • Defined Scale – Use a defined scale for scoring. Ideally, the scale should align with other risk management activities in the organization. Additionally, visual cues like “stoplight” color schemes can help to ensure easy understanding.
  • Compliance Alignment – Do one or more risks impact compliance with applicable frameworks or regulations? This is vital information to include, especially if the impact can affect upcoming compliance audits or assessments. 
  • Frequency of Assessments – Risk management is an iterative process and should be evolved over time, and it is crucial to conduct risk assessments as frequently as is practical. Risks to the organization change over time and as influences on risk change, the level of risk changes. Frequent risk assessments can capture these changes as they occur. Organizations should work toward increasing assessment frequencies as their risk management processes mature. This data can be incorporated into reporting via risk trending and other analyses looking at risk over time.
  • Risk Scoring Inputs – Include definitions of how risk scoring was derived. Specific considerations like scoring factors, relevant threats, and other inputs to risk scores can instill greater confidence in how risk assessments are performed.
  • Treatment Decisions – This is essential information to include for executive- and board-level reporting to ensure alignment with decisions around risk. Should treatment decisions change, leadership must agree with such changes.
  • Risk Remediation – This is another vital area to include in risk reporting. A list of open remediation activities should be included in all risk reporting and regular follow-up reporting should be provided to all levels of stakeholders. This ensures remediation activities are top-of-mind for the entire organization and holds stakeholders accountable for performing the activities they own.
  • Reporting Levels – The most effective approach to risk reporting is to consider the fact that you have different stakeholders with different levels of involvement in your cybersecurity risk management program. Assuming all stakeholders find the same message useful can lead to less involvement in risk management. Therefore, it’s important to look at the different audiences within the organization and consider specific reporting, with varied relevance to each individual group. For example, tactical teams like network operations and system administrators will be more interested in the work that they need to do. Topics like risk treatment options may not be as useful for such groups. Focused reporting based on the specific activities being performed by a given group can ensure unnecessary “noise” is not included in reporting.

Overview of Cybersecurity Framework Requirements

While most cybersecurity frameworks align at a high level with what is required around risk management, it’s important to understand there are some differences in the level of detail in what is required. The table below lists common cybersecurity frameworks and the specific requirements around risk management included in each.

SOC 2

  • CC3.1 – Includes risk tolerance considerations in operations
  • CC3.2 – Includes the following in risk management:
    • Risk at relevant levels of the organization
    • Internal and external factors affecting risk
    • Involves appropriate levels of management
    • Estimates significance of risks (risk scoring)
    • Risk treatment decisions (see Treating Cybersecurity Risks)
  • CC3.3 – Includes potential for fraud in risk assessments
  • CC5.1 – Control implementation is used for risk mitigation
  • CC9.1 – Considers the following related to business disruption:
    • Performs business continuity/disaster recovery planning
    • Considers insurance to mitigate financial risk
  • CC9.2 – Includes management of third-party risk

PCI 4.0

  • 12.3 – Risk management program for the Cardholder Data Environment (CDE)
  • 12.3.1 – Targeted risk analysis is performed for each PCI requirement that allows variability 
  • 12.3.2 – Targeted risk analysis is performed for each PCI requirement where the customized approach is used
  • A2.1.2 (Only for organizations using SSL or early versions of TLS) – Risks associated with SSL/early TLS are managed

NIST CSF

  • ID.RA, ID.RM, ID.RM-1 – Risks to the organization are managed
  • ID.RA-5 – Threats, vulnerabilities, likelihood and impact are included in risk management activities
  • ID.RA-6 – Risk responses are identified and prioritized
  • ID.RM-2, ID.RM-3 – Risk tolerances are established and justified

NIST 800-53

  • CA-7(4) – Include risk monitoring in ongoing monitoring
  • PM-9 – Develop a risk management strategy
  • PM-28 – Ensure risks are framed in context of the organization
  • PM-29 – Ensure risk leadership roles are identified
  • PM-30 – Implement a supply chain risk management strategy
  • RA-3, RA-3(1), RA-3(2), RA-3(4) – Conduct a risk assessment
  • RA-7 – Develop a risk response plan
  • SA-9(1) – Conduct a risk assessment prior to engaging third parties

NIST 800-171

  • 3.11.1 – Periodically assess risk to organizational operations
  • 3.11.3 – Remediate identified vulnerabilities

HIPAA 

  • 164.308(a)(1)(ii)(A) – Conduct an assessment of risks to the CIA of ePHI
  • 164.308(a)(1)(ii)(B) – Implement a program to manage risks through mitigation strategies

CMMC

  • RM.2.141, RM.3.144 – Periodically assess risk to organizational operations
  • RM.2.143 – Remediate identified vulnerabilities
  • RM.3.146 – Develop and implement risk mitigation plans
  • RM.4.148 – Develop and implement a third-party risk management plan

COSO

  • Principle 10. PoF-1 – Integrates control activities into risk assessments
  • Principle 6. PoF-2, Principle 6. PoF-15 – Considers tolerances for risk
  • Principle 7, Principle 7. PoF-4 – Identifies and analyzes risk
  • Principle 7. PoF-5 – Identifies plans for responding to risk
  • Principle 8 – Assesses fraud risk

23 NYCRR 500 (NYDFS)

  • 23NYCRR500: 500.09 – Conduct a periodic risk assessment

CCPA

  • No specific requirements; recommended as best practice

GDPR

  • No specific requirements; however, risks to processing activities must be taken into consideration in defining operational activities

CIS Controls v8

  • No specific requirements; however, specific requirements exist around vulnerability management and supplier risk management

[Figure: Overview of cybersecurity framework requirements table]

Managing Cybersecurity Risk in CrossComply

It doesn’t take expensive consultancy fees to get started with good security policies and procedures today. By focusing on high-risk and sensitive information and systems, identifying potential threats, prioritizing data security and data protection, and making informed decisions based on your cybersecurity risk program, your organization can take steps to streamline and improve your cybersecurity and compliance programs.

AuditBoard’s CrossComply solution is designed to enable organizations to conduct cybersecurity risk assessments and effectively manage cybersecurity risk in today’s volatile risk landscape. CrossComply customers can learn how to perform the various necessary activities described above within AuditBoard — simply click here to log in and follow the “CrossComply Connection” prompts for additional guidance.

Interested in learning more about how AuditBoard can be used across your organization? Reach out to our team to schedule a product demonstration today!

Disclaimer: This article provides guidance on one means of creating and managing a cybersecurity risk management program to ensure compliance with common frameworks. It is not intended to be a recommendation or endorsement of the identified method. Organizations should ultimately decide on the best means of risk management based on the type of business they perform and the types of data they process.

Frequently Asked Questions About Cybersecurity Risk Assessments

What are the core components of cybersecurity risk management?

Cybersecurity risk management typically uses the same core components of more general risk management programs, including:

  • Risk Identification – Identifying risks to cybersecurity assets and data processing environments.
  • Risk Assessment – Assessing identified risks based on the organization’s environment(s), including the identification of inherent (initial) risk and residual (post-treatment) risk.
  • Risk Treatment – Creating and implementing a plan to treat risks based on available resources and options, including transferring, avoiding, accepting, and mitigating risk.

What are the steps to Identifying Cybersecurity Risks?

Organizations can begin identifying cybersecurity risks by considering “what could go wrong” and what cyber threats face the organization.

How do you conduct a basic cyber risk assessment?

A cyber risk assessment should result in a list of findings and recommendations designed to identify threats and potential risks, and address them appropriately.

Using the shared principles of risk management, organizations can assess their information security risk posture by moving through the three relevant steps of risk identification, risk assessment, and risk treatment to build a cybersecurity risk management program.

Alan

Alan Gouveia is Head of Customer Experience, CrossComply at AuditBoard. Alan has worked in the GRC and cybersecurity space for over 20 years across multiple industries and organizations of different sizes. He specializes in a collaborative approach to GRC and cybersecurity, showing customers how to work across the entire organization to achieve business goals. Connect with Alan on LinkedIn.