Getting the Most Value from Your Information Security Risk Assessment

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Information security risk assessments have evolved along with the technology they cover. Initially, risk assessments focused on the core system as the main repository of customer data, along with paper documents and PCs. Financial institutions, however, keep adopting new technologies to store or process customer data, such as cloud services and mobile devices. Risk assessments must evolve with that technology to ensure that the threats and vulnerabilities associated with each information asset are properly identified and mitigated.
Many financial institutions began the risk assessment process with threat-based risk assessments but have since moved to asset-based risk assessments or a hybrid of the two. We do, however, still see some financial institutions using only a threat-based risk assessment. A threat-based risk assessment on its own does not provide the same value as an asset-based one. This article describes the differences between the two types of risk assessment and the benefits of using an asset-based risk assessment.
Threat-Based Risk Assessment
A threat-based risk assessment starts with the identification of a threat, such as “Inadequate Logical Access Controls.” An inherent risk rating is assigned, mitigating controls are identified, and a residual risk rating is then assigned. Does this threat apply only to the core system, or does it also apply to files on the file server that contain customer data as well? Are the mitigating controls the same for all of the institution’s information systems, or are there different controls for the core system and the file server? A threat-based risk assessment leaves these questions open. During a review of one, it can be difficult for directors, auditors, and examiners to verify that all of the institution’s information assets were evaluated during the risk assessment process. It can also be difficult for the information security officer to update a threat-based risk assessment when a new information asset is introduced into the institution’s environment, because there is no line item to add it to.
Asset-Based Risk Assessment
In contrast, an asset-based risk assessment addresses these problems by identifying the specific threats/vulnerabilities and mitigating controls that apply to each information asset, so each asset is evaluated on its own line.
The asset-based risk assessment development process consists of the following steps:

  1. Obtain an inventory of all of the assets that store or process non-public information. (Assets may include, but are not limited to, paper documents, servers, workstations, network devices, removable storage devices, and software applications.)
  2. Classify the data that the asset stores or processes.
  3. Identify threats and vulnerabilities.
  4. Rate the likelihood of occurrence and the impact of each threat and vulnerability.
  5. Assign an inherent risk rating.
  6. Identify the controls in place to mitigate each threat and vulnerability.
  7. Assign a residual risk rating based on the mitigating controls.
  8. If the residual risk rating exceeds the institution’s risk appetite, identify additional mitigating controls to implement.
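
The eight steps above, carried through on a constructed inventory, as an added Python example (this code is not from the article or from Young & Associates, Inc.). The 1-3 likelihood/impact scales, the control-strength table, the asset and threat names and the “Ransomware” entry used to show how a newly reported threat is added are all assumptions chosen for illustration; an institution would substitute its own scales and control evaluations. The same register also exercises the update and audit-scoping points made later in the article: a new threat is attached only to the assets it applies to, and assets are ranked by residual risk.

```python
# Asset-based risk register: one row per (asset, threat) pair, each with its own
# controls. Illustrative example only; scales and control strengths are assumed.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed 1-3 scales; inherent score = likelihood x impact (1-9).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Assumed control strengths: points a control removes from the inherent score.
# In a real assessment these come from evaluating each control, not a fixed table.
CONTROL_STRENGTH = {
    "Antivirus": 1, "Patch Management": 1, "Firewalls": 1, "Policies": 1,
    "Monitoring Procedures": 1, "Vendor Management": 1,
    "Encryption": 2, "Multifactor Authentication": 2, "Data Backup": 2,
    "Physical Security": 2,
}


def to_rating(score: int) -> str:
    """Map a 1-9 score onto the Low/Moderate/High wording used in a register."""
    return "Low" if score <= 2 else "Moderate" if score <= 5 else "High"


@dataclass
class ThreatEntry:
    threat: str
    likelihood: str                       # "low" | "medium" | "high"  (step 4)
    impact: str
    controls: List[str] = field(default_factory=list)   # step 6

    def inherent(self) -> int:            # step 5
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual(self) -> int:            # step 7; controls never drive risk below 1
        reduction = sum(CONTROL_STRENGTH.get(c, 0) for c in self.controls)
        return max(1, self.inherent() - reduction)


@dataclass
class Asset:
    name: str                             # step 1: inventory entry
    classification: str                   # step 2: data classification
    asset_type: str                       # assumed tag: "hosted" | "server" | "endpoint"
    threats: List[ThreatEntry] = field(default_factory=list)   # step 3

    def max_residual(self) -> int:
        return max((t.residual() for t in self.threats), default=0)


def register_rows(assets: List[Asset]) -> List[Tuple[str, str, int, str, int, str]]:
    """One register line per asset/threat: (asset, threat, inherent, rating, residual, rating)."""
    return [(a.name, t.threat, t.inherent(), to_rating(t.inherent()),
             t.residual(), to_rating(t.residual()))
            for a in assets for t in a.threats]


def gaps(assets: List[Asset], appetite: int) -> List[Tuple[str, str, int]]:
    """Step 8: rows whose residual score exceeds the institution's risk appetite."""
    return [(a.name, t.threat, t.residual())
            for a in assets for t in a.threats if t.residual() > appetite]


def apply_new_threat(assets: List[Asset], threat: str, likelihood: str, impact: str,
                     applies_to: Callable[[Asset], bool]) -> List[str]:
    """Attach a newly reported threat to every asset it applies to; returns those asset names.
    No controls are recorded yet, so the new rows show up in gaps() until they are documented."""
    touched = []
    for a in assets:
        if applies_to(a):
            a.threats.append(ThreatEntry(threat, likelihood, impact))
            touched.append(a.name)
    return touched


def add_control(assets: List[Asset], asset_name: str, threat: str, control: str) -> Optional[int]:
    """Document a mitigating control on one asset/threat row; returns the new residual score."""
    for a in assets:
        if a.name == asset_name:
            for t in a.threats:
                if t.threat == threat:
                    t.controls.append(control)
                    return t.residual()
    return None                           # no such asset/threat row


def audit_priority(assets: List[Asset]) -> List[str]:
    """Asset names ordered by highest residual risk, for scoping the next IT audit."""
    return [a.name for a in sorted(assets, key=lambda a: a.max_residual(), reverse=True)]


def sample_register() -> List[Asset]:
    """Constructed sample inventory (not real institution data)."""
    return [
        Asset("Core system", "Non-public customer data", "hosted", [
            ThreatEntry("Unauthorized Logical Access", "high", "high",
                        ["Multifactor Authentication", "Monitoring Procedures", "Policies"]),
            ThreatEntry("Hardware Failure", "medium", "high", ["Data Backup"]),
            ThreatEntry("Service Provider Issues", "medium", "high", ["Vendor Management"]),
        ]),
        Asset("File server", "Non-public customer data", "server", [
            ThreatEntry("Unauthorized Logical Access", "high", "high", ["Policies"]),
            ThreatEntry("Malicious Code", "high", "medium", ["Antivirus", "Patch Management"]),
        ]),
        Asset("Laptops", "Non-public customer data", "endpoint", [
            ThreatEntry("Unauthorized Physical Access", "medium", "high", ["Encryption"]),
            ThreatEntry("Malicious Code", "high", "medium", ["Antivirus", "Patch Management"]),
        ]),
    ]


if __name__ == "__main__":
    assets = sample_register()
    for row in register_rows(assets):
        print("%-12s %-28s inherent %d (%s)  residual %d (%s)" % row)
    print("Exceeds appetite:", gaps(assets, appetite=5))
    print("Audit order:", audit_priority(assets))
```

Running the module prints the register and, with a risk appetite of 5 (Moderate or lower accepted), flags the file server’s “Unauthorized Logical Access” row, which has only a policy in place against the same threat the core system mitigates with multifactor authentication and monitoring: exactly the per-asset difference a single threat-based rating would hide. Calling `apply_new_threat` for a threat reported by an intelligence source adds it only to the server and endpoint assets, and those rows stay in `gaps()` until `add_control` records the new mitigating controls.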

During the risk assessment development process, it is important to ensure that enough time is spent identifying all of the reasonably foreseeable threats for each asset. Otherwise, the effectiveness of the selected mitigating controls will not be properly evaluated.

Some examples of reasonably foreseeable threats include:

  • Unauthorized Physical Access
  • Unauthorized Logical Access
  • Man-made/Environmental/Natural Disaster
  • User Error
  • Social Engineering
  • Malicious Code
  • Hardware Failure
  • Service Provider Issues

Some examples of mitigating controls include:

  • Antivirus
  • Data Backup
  • Encryption
  • End of Life Management
  • Asset Disposal Procedures
  • Multifactor Authentication
  • Physical Security
  • Environmental Controls
  • Firewalls
  • Patch Management
  • Policies
  • Monitoring Procedures
  • Vendor Management

The image below shows the typical format for an asset-based risk assessment: one line per asset, with that asset’s data classification, threats/vulnerabilities, inherent risk rating, mitigating controls, and residual risk rating.

Benefits of an Asset-Based Risk Assessment

  • Provides a more detailed view of the institution’s environment. By identifying each asset that stores or processes non-public information, directors and outside reviewers can gain significant visibility into the complexity of the institution’s environment, including vendor-hosted assets.
  • Clearly documents the assets that were evaluated. Directors, auditors, and examiners can easily see that each of the institution’s assets was considered.
  • Carries a lower risk of errors. By assessing the threats/vulnerabilities and mitigating controls associated with each specific asset, there is less chance that assumptions will be made about the mitigating controls for a specific asset.
  • Is easier to update. If a new asset is introduced into the institution’s environment, a new line item is created in the risk assessment to identify the threats/vulnerabilities and mitigating controls associated with the new asset. In addition, if a threat intelligence source identifies a new threat, it is relatively simple to identify which asset(s) the threat applies to and to document the implementation of new mitigating controls.
  • Assists with audit scoping. Rather than performing a full-scope IT audit each year, management can focus audits on the highest risk assets or most critical controls.

Conclusion
While it may take some time to transition from a threat-based risk assessment to an asset-based risk assessment, the data obtained from an asset-based risk assessment will generally be more valuable to the institution: it provides better visibility into current control deficiencies, simplifies updates, and supports more focused audits.
For more information on this article, or to find out more information on how Young & Associates, Inc. can assist your financial institution, contact Mike Detrow at mdetrow@younginc.com or 330.422.3447.