For many organizations, the best approach may be to pursue an internal cyber-security risk assessment. The company developed a five-step plan to help organizations lay the foundation for a meaningful security strategy. These steps, the company said, are ideal for organizations requiring simple guidance on getting started.
1. Identify information assets. Consider the primary types of information that the organization handles (e.g., Social Security numbers, payment card numbers, patient records, designs, human resources data), and make a priority list of what needs to be protected. As a guide, plan to spend no more than one to two hours on this step.
3. Classify information assets. Assign a rating to your information asset list. Consider a 1-5 scale, with the following categories:
1 - Public information (e.g., marketing campaigns, contact information, finalized financial reports, etc.)
2 - Internal, but not secret, information (e.g., phone lists, organizational charts, office policies, etc.)
3 - Sensitive internal information (e.g., business plans, strategic initiatives, items subject to nondisclosure agreements, etc.)
4 - Compartmentalized internal information (e.g., compensation information, layoff plans, etc.)
5 - Regulated information (e.g., patient data, classified information, etc.)
This classification scheme lets organizations rank information assets based on the amount of harm that would be caused if the information was disclosed or altered. The team should strive to be realistic here, and aim for consensus.
4. Conduct a threat modeling exercise. Rate the threats that top-rated information assets face. One option is to use Microsoft's STRIDE method, which is simple, clear and covers most of the top threats.
STRIDE:
Spoofing of Identity
Tampering with Data
Repudiation of Transactions
Information Disclosure
Denial of Service
Elevation of Privilege
It is also worth considering using an outside consultant with experience in this area to facilitate conversation. Develop a spreadsheet for each asset, listing the STRIDE categories on the X axis. On the Y axis, list the data locations identified in Step 2. For each cell, make estimates of the following:
- the probability of this threat actually being carried out against this asset at the location in question
- the impact that a successful exploitation of a weakness would have on the organization
5. Finalize data and start planning. Multiply all the cells in each of the worksheets by the classification rating assigned to the asset in Step 3. The result is a rational and comprehensive ranking of threats to the organization. It includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable
security plan will start tackling the risks identified with the highest numbers.
Many organizations set thresholds as follows:
1-250: Will not focus on threats at this level
250-350: Will focus on these threats as time and budget allow
350-450: Will address these threats by the end of the next budget year
450-500: Will focus immediate attention on these threats
These thresholds are just examples, and in practice, the results will likely be skewed either toward the top or bottom of the scale, so organizations should adjust responses accordingly.
The goal of the risk assessment exercise is to lay a foundation for sensible security planning. Going through a risk assessment exercise alone will not actually fix security problems; the real work -- building protective, risk-reducing solutions -- still lies ahead.
Organizations should align security spending with specific threats and focus on cost-effective measures, CDW-G said. Having a prioritized list of threats enables organizations to focus their efforts on the areas that matter most and avoid spending on security technologies or activities that are less essential or irrelevant to fixing identified problems.
