It is smart to conduct risk assessments when attempting to find new providers. In highly regulated sectors, it is deemed mandatory. For instance, healthcare organizations are required to conduct risk assessments, as are the vendors that handle sensitive health records on their behalf.
When you conduct focused cybersecurity risk assessments of proposed new solutions, you want to be able to hand a detailed questionnaire to the potential provider. Typically the questions are derived from a template. As you look over various templates and consider your assessment process, here are some tips to help you collect key data without letting this important process become too unwieldy.
When you are ready to conduct an assessment, your intention is to determine any potential vulnerabilities in your network, figure out exactly how extensive the problems are, and gauge the protections that you have implemented presently; in turn, you can use the findings to quantifiably measure your overall risk.
Your assessment will not always be a comprehensive one of your systems, though; instead, you may be conducting a risk assessment prior to partnering with a new IT provider. Regardless of the overall scope of your analysis, a mitigation plan for any weaknesses should be a desired outcome of the process.
Human error is a huge issue in business today; add to that the growing issue of malicious employees, and you see why your own people are your chief concern. An Intel report from 2015 found that 43% of data breaches were caused by the insider threat.
It is important to make sure that the writers of your risk assessment template are credible. You can get templates from both the Information Systems Audit and Control Association (ISACA) and the National Institute of Standards and Technology (NIST). This ensures a strong foundation.
When you are looking for service providers, you want the ones that are using the most widely recognized standards. At the RSA Conference in April, Oracle Chief Security Officer Mary Ann Davidson noted this issue, warning that sometimes organizations will use standards that are anything but open – in fact, they’re false standards.
These nonstandard standards, she said, are created to make organizations think that they are seeing evidence the firm is following guidelines that represent the general industry viewpoint, when the certification may better represent the firm itself or the motivations of a third-party certifier.
You may find what you think is a solid framework with which to move forward. However, it is important (as with any IT security moves) to get senior management to support your efforts. Make sure you obtain a template or define a system that you think will work well. Then, try to get together with your organization’s leaders to talk about how to implement it and revise it in light of any concerns. When you discuss the risk assessment approach with senior management, clarify that you need their backing in order to proceed with the process.
Try framing risk in terms of finances if you want top executives to support you.
When organizations conduct risk assessments of third parties, they may have certain needs that are related to compliance. When that is the case, it helps for that to be communicated specifically, in which case the third party could potentially provide certification that meets the standards of that law or standard (providing due diligence through the legitimacy of an independent auditing agency), as with Statement on Standards for Attestation Engagements 18 (SSAE 18) auditing.
Davidson noted that many organizations seeking to meet compliance standards may find stipulations they may want to collectively challenge as unreasonable or ambiguous. Regardless of any debate over how certain provisions are stated, it is mandatory under HIPAA that all organizations coming into contact with PHI must conduct regular (see below) risk assessments related to that data.
As Andreas Rivera of Business.com indicated, risk assessments “should be a routine process, no matter how big you are or what industry you are in.” While small businesses may think they are free of concern with hacking, Rivera pointed out that intruders often target small and medium-sized businesses, either because they are targeting low-hanging fruit or because they want to use the small company as a bridge to a larger one with which they partner.
Monitoring and analysis of your security systems should be an ongoing process. A thorough info-security risk assessment is both time consuming and distracting though, so many firms wonder how often they must be performed. According to the ISACA, every business should perform a comprehensive assessment at least once every two years.
Risk assessment is a security best practice whether you are in a regulated industry that requires regular ones or not. By using the above advice, you can get the most out of the process, using your findings to mitigate vulnerabilities and reduce the likelihood of a breach – while clarifying and guiding new vendor selection.