We often get calls to do diagnostic testing of some sort: vulnerability testing, penetration testing, web application testing. These are all very good and should be done at least annually, or more often if the environment is undergoing changes. But what about a Risk Assessment? Why do one, and how does it relate to the various forms of diagnostic testing?
A Risk Assessment helps you identify the risks associated with your IT assets. It helps you quantify the impact if a particular asset is breached, goes down, or is otherwise compromised.
For example, organizations commonly identify key impact areas as cost, profit goals, uptime goals, growth goals, or compliance with security standards. Impact ratings could be described in terms of cost, as below:
| Impact rating | Cost |
|---|---|
| Insignificant | $0 – $10,000 |
| Significant | $10,000 – $100,000 |
| Non-Material | $100,000 – $250,000 |
| Material | $250,000 – $1,000,000 |
| Critical | $1,000,000 and over |
Diagnostic testing is a test of the controls already in place. Its findings are fed into a cyber security risk assessment by pairing each vulnerability found with the information assets it affects. Control gaps are identified and noted, and recommended controls are documented that, if implemented, would reduce the risk or impact to the organization.
The control recommendations are the output of the risk assessment and provide input to the risk treatment process, during which the recommended procedural and technical security controls are evaluated, prioritized, and agreed to by stakeholders and executive management.
A nice side effect of all of this is that communication between IT and executive management is supported. When IT requests funding to put a control in place, everyone is on the same page as to how that control helps mitigate risk to the organization as a whole.
Sr. Account Executive