Highlights of the March 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP. CISA, CSCP, Senior Director
Watch On Demand.
The webinar opens by defining terms associated with risk assessment:
Risk – the combination of the probability of an event and its consequence (Risk is not necessarily bad, as taking a risk can produce a positive risk outcome.
Asset – something of either tangible or intangible value (e.g., your company’s reputation, or the money in your bank account) that is worth protecting
Threat – something that can act against an asset in a manner than can cause harm
Vulnerability – a weakness in the design, implementation, operation, or internal control of a process that could expose the system to adverse threats from threat events (One of the weakest links in any business is their employees.)
Residual risk – remaining risk after the implementation of a risk response (You can’t protect against all risks.)
Inherent risk – the level of risk present without taking into account the actions that were or could be taken for mitigation
Why do a risk assessment?
To satisfy a regulatory requirement
To reduce operational risk: You need to understand what your risks are.
To improve safety performance
To improve the probably of achieving organizational objectives
Steps to take if you decide to do a risk assessment (ISO 27001 steps)
Establish a framework
Conduct assessments at regular intervals.
Make sure your process is consistent so you can repeat it.
Retain documentation regarding the process.
In order to establish baseline security criteria
There are two approaches to assessments: asset based – more logical approach and scenario based
Build an asset-based register: Compile an asset inventory list (desktops, laptops, printers, etc.) and include each asset’s owner and risk owner.
Identify the risks: add threats and vulnerabilities for each inventory item.
Analyze risk: determine risk appetite and scale and do a calculation, which is: risk equals impact multiplied by likelihood.
Evaluate risks: the number on the scale that refers to the level of damage that can be done gives you a picture of what needs to be addressed.
Put controls in place:
Security awareness training
Security log monitoring
Two biggest steps to stay ahead of hackers: Make sure you train your employees and patch your systems.
Apply Risk Management Options
Risk reduction: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels. Keep in mind that you will not be able to get to zero risk.
Risk avoidance: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels.
Risk transfer or sharing of avoidance: contract with a third party to share risk via a contractual agreement, or buy a cybersecurity insurance policy (carriers want risk assessments).
Risk acceptance: assume the risk and plan to absorb the loss, if the risk is within tolerance or the cost of the mitigation is more than the potential loss.
What action should you take?
Develop a risk assessment policy, a game plan that requires an annual assessment.
Build your asset register.
Determine your threats and vulnerabilities. Consult information that keeps tabs on current threats.
Conduct your risk assessment.
Risk treatment plan: put controls in place to mitigate your most vulnerable risks as much as possible.