Conducting Cybersecurity Risk Assessments Guide: The Complete Introduction

Alan Gouveia

Cybersecurity risk assessments are a means for organizations to assess risks to their information assets and are a core requirement of most cybersecurity frameworks. However, specific guidance on how to conduct these assessments is typically not included in framework requirements. This is often by design, as the intent is to encourage organizations to build a risk management program that is unique to the type of business being conducted and the type(s) of data being processed. But this often leaves organizations in a position where there is little certainty about where to start. 

This Cybersecurity Risk Assessment Guide provides specific guidance on how organizations may choose to build a cybersecurity risk management program that will ensure compliance with commonly-used cybersecurity frameworks. It includes:

  1. A process flow for building and managing a cybersecurity risk management program.
  2. Steps to identify cybersecurity risks with key activities and questions to ask.
  3. Assessing cybersecurity risks with a step-by-step overview for conducting basic risk assessments and advancing your risk assessment sophistication over time. 
  4. Treating cybersecurity risks by choosing the most appropriate method for your organization.
  5. Key considerations when building meaningful cybersecurity risk reporting.
  6. Common cybersecurity frameworks and their specific requirements around risk management, including SOC 2, ISO 27001, PCI 4.0, NIST CSF, and more.

CrossComply customers can go a step further to learn how to perform the various necessary activities described below within AuditBoard — simply click here to log in and follow the “CrossComply Connection” prompts for additional guidance. 

What Are the Principles of Cybersecurity Risk Management?

Cybersecurity risk management typically uses the same core components of more general risk management programs, including:

  • Risk Identification – Identifying risks to cybersecurity assets and data processing environments.
  • Risk Assessment – Assessing identified risks based on the organization’s environment(s), including the identification of inherent (initial) risk and residual (post-treatment) risk.
  • Risk Treatment – Creating and implementing a plan to treat risks based on available resources and options, including transferring, avoiding, accepting, and mitigating risk.

Using these shared principles also provides an organization with the opportunity to include cybersecurity risk management as a subset or component of its Enterprise Risk Management (ERM) program, which is a common best practice.

How Do You Build and Manage a Cybersecurity Risk Management Program?

Using the shared principles of risk management, organizations should start by moving through the three relevant steps of risk identification, risk assessment, and risk treatment to build a cybersecurity risk management program.

The process flow below provides one means of creating and managing a cybersecurity risk management program and can be useful for organizations when first getting started.

[Figure: Process flow chart for building and managing a cybersecurity risk management program]

Identifying Cybersecurity Risks

Risk identification is the process of identifying risks to the organization’s information assets. This is an iterative process and new risks will be identified over time. However, it is important for the organization to identify as many risks as possible to build an initial list of these risks, which is commonly known as a risk register.

Prior to identifying cybersecurity risks, organizations may want to consider the scope of any compliance programs to be included in the risk assessment process. This is a useful means of limiting efforts to identify risks initially to any areas that are specifically governed by one or more compliance programs. However, it is important for organizations to ultimately identify cybersecurity risks throughout the entire organization to ensure the best possible cybersecurity risk management program.

Identifying cybersecurity risks can seem like a difficult process, as there are potentially an endless number of risks to the organization. However, the following considerations can help to identify an initial risk register:

  • Data Classification – Identifying the types of data being handled by the organization and classifying it based on sensitivity and/or importance to the organization.
  • Data Processing Scope – Identifying the specific assets, processing environments, and storage environments in which each type of data is handled.
  • Relevant Third Parties – Identifying vendors and other third parties involved in data processing activities.
  • Specific Framework Requirements – Identifying specific risk management requirements of any frameworks in scope for the cybersecurity risk management program.

Risks Versus Vulnerabilities and Issues

It is important to understand the difference between risks and vulnerabilities or issues. Generally, risks to the organization are ongoing, but the likelihood and impact of the risk will change over time based on several factors. Vulnerabilities and issues are generally temporary and are ideally remediated to remove the risk to the organization that they represent. However, most vulnerabilities and issues represent a temporary manifestation of a risk and therefore should be factored into the assessment process whenever they occur and until they are remediated (see Assessing Cybersecurity Risks below).

Risk Identification Activities and Key Questions

Using the above considerations, the list and table below provide some examples of activities and key questions to ask to identify cybersecurity risks to the organization. 

  • Data Classification Exercise: Do we know the types of data being processed? 
    • Identified Risk: Cybersecurity Context Not Established
  • Data Classification Exercise: Do we process data types governed by regulations or mandates?
    • Identified Risk: Regulatory and Mandate Compliance
  • Data Classification Exercise: Do we process data types that could cause harm to the organization if inadvertently disclosed?
    • Identified Risk: Data Breach
  • Data Classification Exercise: Would the organization’s reputation be harmed by a data breach?
    • Identified Risk: Reputational Harm
  • Data Classification Exercise: Would the organization face financial penalties due to a data breach?
    • Identified Risk: Fines for Non-Compliance/Financial Sanctions
  • Business Continuity Planning: Can we continue business operations in the event of unavailability of facilities?
    • Identified Risk: Business Operation Cessation
  • Disaster Recovery Planning: Are we able to ensure the continuous availability of information processing environments?
    • Identified Risk: Critical Application Availability
  • Security Incident Response: Can the organization effectively respond to security incidents?
    • Identified Risk: Ineffective Security Incident Response
  • Processing Integrity: Do systems process data consistently and without errors?
    • Identified Risk: Data Processing Errors
  • Vulnerability Management: Do we identify vulnerabilities in IT networks and systems?
    • Identified Risk: Unidentified System Vulnerabilities
  • Configuration Standardization: Have we established standard configurations based on specific technology types?
    • Identified Risk: Inconsistent System Configurations
  • Access Control: Have we established policies and processes to restrict access to organization data based on role?
    • Identified Risk: Inappropriate Access to Systems or Data

[Table: Risk identification activities and key questions]

Assessing Cybersecurity Risks

Once a risk register has been established, organizations must assess each risk individually. Risk assessments should be conducted on an ongoing basis — at least annually — to comply with most cybersecurity framework requirements. Additionally, it’s important for organizations to consider both inherent and residual risk.

  • Inherent Risk – Level of risk prior to taking into consideration any mitigating factors like controls. Alternatively, the current level of risk (including current mitigating factors) but prior to any additional mitigation efforts.
  • Residual Risk – Level of risk after implementing mitigation strategies such as implementing controls and/or additional treatment options (see Treating Cybersecurity Risks below).

Conducting Basic Risk Assessments

There are numerous ways to conduct a cybersecurity risk assessment and organizations can mature their process over time to consider additional inputs in the assessment process (see Advancing Risk Assessments Over Time below). The methodology below aligns to functionality included in CrossComply. It is a means of conducting basic risk assessments that will meet the requirements of most commonly-used cybersecurity frameworks.

To determine the calculation used to assess cybersecurity risks, an organization must determine what considerations or factors will be included in the assessment. Two of the most commonly-used scoring factors are Likelihood and Impact. AuditBoard’s CrossComply solution also uses Strength of Controls to determine residual risk.

  • Likelihood – what is the likelihood that a risk will manifest?
  • Impact – if the risk manifests, what will the impact be to the organization?
  • Strength of Controls – how does the strength of the organization’s controls impact residual risk?

Additional scoring considerations used in AuditBoard’s CrossComply solution include what is known as the CIA Triad (NIST SP 800-16):

  • Confidentiality – the assurance that information is not disclosed to unauthorized individuals or processes.
  • Integrity – the quality of an IT system that reflects the logical correctness and reliability of the operating system; the logical completeness of the hardware and software that implements the protection mechanisms; and the consistency of the data structures and occurrence of the stored data.
  • Availability – the timely, reliable access to data and information services for authorized users.

The CIA Triad is used to determine the overall likelihood and impact of each risk for both inherent and residual risk. Scores are calculated by using the following considerations:

Overall Impact

Score the significance of impact of one severe, realistic event within a year (a realistic rather than a black swan event) that would lead to security risk manifesting. Significance of impact score is determined by combining the scores of the following three factors — Confidentiality, Integrity, and Availability — each of which is assessed independently.

Overall Impact - Scoring Scale:

  1. Very Low (1)
  2. Low (2)
  3. Moderate (3) 
  4. High (4)
  5. Very High (5)

Overall Likelihood

Likelihood is the anticipated frequency of a security risk manifesting, within a year, regardless of amount (disregarding significance of impact). Anticipated frequency of a security risk is determined based on the probability that a risk will manifest in any given year in the absence of controls.

Overall Likelihood – Scoring Scale:

  1. Rare (1). Once a year (or less); or Rare (0-10%)
  2. Unlikely (2). Once a month; or Unlikely (10-25%)
  3. Possible (3). Once a week; or Possible (26-50%)
  4. Likely (4). Multiple times a week but less than daily; or Likely (51-75%)
  5. Certain (5). Daily or multiple times a day; or Certain (>75%)

Strength of Controls 

Determine the strength of the control environment. The control environment is broken down by various types of preventive and detective measures. The strength of the controls can be directly influenced by the business and can be improved with increased attention in these areas. Assign a controls rating of 1 to 5 based upon the following criteria.

Strength of Controls – Scoring Scale:

  1. Inadequate (1). No policies and procedures. No training. No automated controls. No manual controls. Risks are not controlled. Testing or audits have NOT been performed or, if performed, results indicate inadequate controls.
  2. Weak (2). Adequate policies and procedures exist. Weak reliance on automated controls. Effective manual controls are in place. Low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations noted, with several process improvement opportunities noted.
  3. Adequate (3). Adequate policies and procedures exist. Moderate reliance on automated controls. Effective manual controls are in place. Low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations noted, with several process improvement opportunities noted.
  4. Effective (4). Adequate policies and procedures exist. Automated controls are in place. Effective manual controls are in place. Moderate reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Observations noted are centered on process improvement opportunities.
  5. Strong (5). Adequate policies and procedures exist. Automated controls are in place. Effective manual controls are in place. Effective reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk, with no observations.

Using the scales and scoring factors above, overall risk scores can be calculated for each risk. Again, both residual and inherent risk scoring should be performed for each risk. A summary of the calculation used to arrive at the overall risk score is shown below.

[Figure: Overall risk score calculation]

Sample Risk Assessment Calculation

Using the above calculation methodology, a sample risk assessment is performed below.

[Figure: Sample risk assessment calculation]
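
One way to combine the Likelihood, CIA-based Impact, and Strength of Controls scales above into inherent and residual scores, as an added Python example that is not AuditBoard's or CrossComply's own calculation. The formulas are assumptions: overall impact is the highest of the three CIA scores, inherent risk is likelihood × impact, residual risk scales inherent risk by (6 − control strength) / 5, the stoplight thresholds are illustrative, and the sample register scores are constructed.

```python
from dataclasses import dataclass

# Upper edge of each probability band on the guide's Overall Likelihood scale.
# The guide's first two bands meet at 10%; scoring exactly 10% as Rare is an assumption.
LIKELIHOOD_BANDS = ((0.10, 1), (0.25, 2), (0.50, 3), (0.75, 4))


def likelihood_from_probability(p: float) -> int:
    """Map an annual probability (0.0-1.0) onto the 1-5 likelihood scale."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be between 0 and 1, got {p}")
    for upper, score in LIKELIHOOD_BANDS:
        if p <= upper:
            return score
    return 5  # Certain (>75%)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (Rare) .. 5 (Certain), in the absence of controls
    confidentiality: int   # impact scores, 1 (Very Low) .. 5 (Very High)
    integrity: int
    availability: int
    control_strength: int  # 1 (Inadequate) .. 5 (Strong)

    def __post_init__(self):
        # Reject anything outside the guide's 1-5 scales before it skews a score.
        for field in ("likelihood", "confidentiality", "integrity",
                      "availability", "control_strength"):
            value = getattr(self, field)
            if value not in range(1, 6):
                raise ValueError(f"{self.name}: {field} must be an integer 1-5, got {value!r}")

    @property
    def impact(self) -> int:
        # Assumption: overall impact is the worst of the three CIA scores.
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def inherent(self) -> int:
        # Assumption: inherent risk = likelihood x impact, giving a 1-25 range.
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        # Assumption: Inadequate controls (1) leave inherent risk unchanged;
        # Strong controls (5) reduce it to one fifth.
        return round(self.inherent * (6 - self.control_strength) / 5, 1)


def stoplight(score: float) -> str:
    """Illustrative reporting bands (assumed thresholds, not from the guide)."""
    if score >= 15:
        return "red"
    return "amber" if score >= 8 else "green"


def assess(register):
    """Return the register ordered by residual risk, highest first."""
    return sorted(register, key=lambda r: r.residual, reverse=True)


# Constructed sample register; risk names come from the identification list above.
SAMPLE_REGISTER = [
    Risk("Data Breach", likelihood_from_probability(0.30), 5, 3, 2, control_strength=4),
    Risk("Critical Application Availability", likelihood_from_probability(0.60), 1, 2, 4,
         control_strength=2),
    Risk("Inappropriate Access to Systems or Data", likelihood_from_probability(0.20), 4, 4, 2,
         control_strength=1),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.name:42} inherent={r.inherent:2} ({stoplight(r.inherent)})  "
              f"residual={r.residual:4} ({stoplight(r.residual)})")
```

In the constructed register, Data Breach has the second-highest inherent score but the lowest residual score because its controls are rated Effective, while the weakly controlled risks rise to the top of the ranking.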

Advancing Risk Assessments Over Time

Like enterprise risk management, cybersecurity risk management is an iterative process and should be continuously evaluated for opportunities for improvement. However, it’s important for organizations getting started with risk management to focus on what’s required to ensure compliance with applicable cybersecurity frameworks. In other words, don’t let perfection be the enemy of progress. Risk is more art than science, and organizations will develop the skill to be able to more easily identify, manage, and remediate risk over time.

Additional scoring factors that can be implemented into risk scoring over time include:

  • Risk Velocity – how quickly will the risk affect the organization? This can be expressed qualitatively (i.e., Low, Medium, High) or quantitatively (i.e., <1 month, <6 months).
  • Open Vulnerabilities – do unremediated vulnerabilities exist in the organization? Generally, the higher the number of unremediated vulnerabilities, the higher the risk to the organization.
  • Asset Classification – do certain assets inherently represent more risk to the organization? This is useful in an asset-based approach to cybersecurity risk management, and considers the sensitivity of data being processed by an asset and its general accessibility, among other factors.
  • Threats – what are the components that go into deciding scoring factors? Threats are a useful means of reducing the subjectivity of risk scoring by introducing another level to risk calculations. Threats become subsets of risks and each threat is scored uniquely, with risk scoring being derived from the average of related risks.

Treating Cybersecurity Risks

Organizations have multiple options for treating risks, and should choose the option that is the most effective at reducing/eliminating the risk to the organization. Common treatment options include: 

  • Accept – The organization has decided that the risk to the organization is minimal and/or further mitigation options are not available. Accepted risks should be reassessed periodically to ensure that the associated risk level has not increased beyond acceptable levels.
  • Avoid – The organization has determined that the activity or activities causing the risk to the organization is not an essential business function and can be stopped. 
  • Transfer – The organization has determined that the risk can be transferred to a third party without increasing risk to the organization. Ideally, risks are transferred to third parties with the ability to reduce the risk to the organization. Transferred risks should be reassessed periodically to ensure that the associated risk level with the third party has not increased beyond acceptable levels.
  • Mitigate – The organization has determined that steps can be taken to reduce the risk to the organization, including the implementation of mitigating controls. Mitigated risks should be reassessed upon implementation of remediation plans to ensure an acceptable reduction in the level of risk.

Key Considerations for Meaningful Cybersecurity Risk Reporting

Risk reporting is a crucial component of any cybersecurity risk management program. Awareness of risks to the organization and active participation in reducing those risks is essential across the entire organization. Regular and meaningful reporting is one of the best ways to ensure such awareness and participation.

To ensure meaningful reporting, there are some key considerations that can be included when building cybersecurity risk reporting:

  • Defined Scale – Use a defined scale for scoring. Ideally, the scale should align with other risk management activities in the organization. Additionally, visual cues like “stoplight” color schemes can help to ensure easy understanding.
  • Compliance Alignment – Do one or more risks impact compliance with applicable frameworks or regulations? This is vital information to include, especially if the impact can affect upcoming compliance audits or assessments. 
  • Frequency of Assessments – Risk management is an iterative process and should be evolved over time, and it is crucial to conduct risk assessments as frequently as is practical. Risks to the organization change over time and as influences on risk change, the level of risk changes. Frequent risk assessments can capture these changes as they occur. Organizations should work toward increasing assessment frequencies as their risk management processes mature. This data can be incorporated into reporting via risk trending and other analyses that look at risk over time.
  • Risk Scoring Inputs – Include definitions of how risk scoring was derived. Specific considerations like scoring factors, relevant threats, and other inputs to risk scores can instill greater confidence in how risk assessments are performed.
  • Treatment Decisions – This is essential information to include for executive- and board-level reporting to ensure alignment with decisions around risk. Should treatment decisions change, leadership must agree with such changes.
  • Risk Remediation – This is another vital area to include in risk reporting. A list of open remediation activities should be included in all risk reporting and regular follow-up reporting should be provided to all levels of stakeholders. This ensures that remediation activities are top-of-mind for the entire organization and holds stakeholders accountable for performing the activities they own.
  • Reporting Levels – The most effective approach to risk reporting is to consider the fact that you have different stakeholders with different levels of involvement in your cybersecurity risk management program. Assuming that all stakeholders will find the same message useful can lead to less involvement in risk management. Therefore, it’s important to look at the different audiences within the organization and consider specific reporting that is relevant to each group. For example, tactical teams like network operations and system administrators will be more interested in the work that they need to do. Topics like risk treatment options may not be as useful for such groups. Focused reporting based on the specific activities being performed by a given group can ensure that unnecessary “noise” is not included in reporting.

Overview of Cybersecurity Framework Requirements

While most cybersecurity frameworks align at a high level with what is required around risk management, it’s important to understand that there are some differences in the level of detail in what is required. The table below lists common cybersecurity frameworks and the specific requirements around risk management included in each.

SOC 2

  • CC3.1 - Includes risk tolerance considerations in operations
  • CC3.2 - Includes the following in risk management:
    • Risk at relevant levels of the organization
    • Internal and external factors affecting risk
    • Involves appropriate levels of management
    • Estimates significance of risks (risk scoring)
    • Risk treatment decisions (see Treating Cybersecurity Risks)
  • CC3.3 - Includes potential for fraud in risk assessments
  • CC5.1 - Control implementation is used for risk mitigation
  • CC9.1 - Considers the following related to business disruption:
    • Performs business continuity/disaster recovery planning
    • Considers insurance to mitigate financial risk
  • CC9.2 - Includes management of third-party risk

PCI 4.0

  • 12.3 - Risk management program for the Cardholder Data Environment (CDE)
  • 12.3.1 - Targeted risk analysis is performed for each PCI requirement that allows variability 
  • 12.3.2 - Targeted risk analysis is performed for each PCI requirement where the customized approach is used
  • A2.1.2 (Only for organizations using SSL or early versions of TLS) - Risks associated with SSL/early TLS are managed

NIST CSF

  • ID.RA, ID.RM, ID.RM-1 - Risks to the organization are managed
  • ID.RA-5 - Threats, vulnerabilities, likelihood and impact are included in risk management activities
  • ID.RA-6 - Risk responses are identified and prioritized
  • ID.RM-2, ID.RM-3 - Risk tolerances are established and justified

NIST 800-53

  • CA-7(4) - Include risk monitoring in ongoing monitoring
  • PM-9 - Develop a risk management strategy
  • PM-28 - Ensure risks are framed in context of the organization
  • PM-29 - Ensure risk leadership roles are identified
  • PM-30 - Implement a supply chain risk management strategy
  • RA-3, RA-3(1), RA-3(2), RA-3(4) - Conduct a risk assessment
  • RA-7 - Develop a risk response plan
  • SA-9(1) - Conduct a risk assessment prior to engaging third parties

NIST 800-171

  • 3.11.1 - Periodically assess risk to organizational operations
  • 3.11.3 - Remediate identified vulnerabilities

HIPAA 

  • 164.308(a)(1)(ii)(A) - Conduct an assessment of risks to the CIA of ePHI
  • 164.308(a)(1)(ii)(B) - Implement a program to manage risks through mitigation strategies

CMMC

  • RM.2.141, RM.3.144 - Periodically assess risk to organizational operations
  • RM.2.143 - Remediate identified vulnerabilities
  • RM.3.146 - Develop and implement risk mitigation plans
  • RM.4.148 - Develop and implement a third-party risk management plan

COSO

  • Principle 10. PoF-1 - Integrates control activities into risk assessments
  • Principle 6. PoF-2, Principle 6. PoF-15 - Considers tolerances for risk
  • Principle 7, Principle 7. PoF-4 - Identifies and analyzes risk
  • Principle 7. PoF-5 - Identifies plans for responding to risk
  • Principle 8 - Assesses fraud risk

23 NYCRR 500 (NYDFS)

  • 23NYCRR500: 500.09 - Conduct a periodic risk assessment

CCPA

  • No specific requirements; recommended as best practice

GDPR

  • No specific requirements; however, risks to processing activities must be taken into consideration in defining operational activities

CIS Controls v8

  • No specific requirements; however, specific requirements exist around vulnerability management and supplier risk management

[Table: Overview of cybersecurity framework requirements]

Managing Cybersecurity Risk in CrossComply

AuditBoard’s CrossComply solution is designed to enable organizations to conduct cybersecurity risk assessments and effectively manage cybersecurity risk in today’s volatile risk landscape. CrossComply customers can learn how to perform the various necessary activities described above within AuditBoard — simply click here to log in and follow the “CrossComply Connection” prompts for additional guidance.

Interested in learning more about how AuditBoard can be used across your organization? Reach out to our team to schedule a product demonstration today!

Disclaimer: This article provides guidance on one means of creating and managing a cybersecurity risk management program to ensure compliance with common frameworks. It is not intended to be a recommendation or endorsement of the identified method. Organizations should ultimately decide on the best means of risk management based on the type of business they perform and the types of data they process.
Alan Gouveia

Alan Gouveia is Head of Customer Experience, CrossComply at AuditBoard. Alan has worked in the GRC and cybersecurity space for over 20 years across multiple industries and organizations of different sizes. He specializes in a collaborative approach to GRC and cybersecurity, showing customers how to work across the entire organization to achieve business goals. Connect with Alan on LinkedIn.
