No one’s immune to a data breach. But just how vulnerable are you?
- A risk assessment involves four key best practices: get the right people involved, choose a methodology, prioritize threats, and continually update your assessments
- People, process, and technology are the three main risk factors, and all must be addressed
- When it comes to staying vigilant and keeping on top of the latest threats, technologies, mitigation techniques, and best practices, you can’t do too much
When it comes to information security, taking a hard look at your institutional risk may not be easy. But it’s a critical step toward keeping your campus safe.
So what does a risk assessment even look like? What and who are involved? And what are the end goals?
Following are some best practices to help you understand and get started on this valuable endeavor.
- Get the right people in the room
While IT may lead the charge, your assessment will only have the necessary weight and impact if you engage a range of stakeholders. That’s because, in addition to technology, people and processes are significant risk factors.
Stakeholders to engage include:
- Executives: Institutional leaders must set the tone that security involves everyone and that it’s okay to have a frank and honest discussion about possible weaknesses. Executive buy-in will also be crucial once the assessment is complete, and you need to garner adequate resources to address vulnerabilities.
- Department heads: In addition to providing access to systems and data, department heads must share ownership for any risks identified. That could mean overseeing changes to address threats or, if that’s not possible, assuming and planning for an acceptable level of risk.
- Finance, HR, and Legal: Because you’ll be assessing policies and procedures that govern the use of personal and financial data across all departments, having representatives from finance, HR, and legal involved at every stage is a must.
- External auditors: If you have the resources, you may consider hiring an external company to assess or audit your security risk. In addition to identifying technical vulnerabilities, expert auditors can also evaluate your risk of non-compliance with specific data privacy or usage guidelines. Since the latter can result in heavy fines or reputational damage, the investment may be worth it.
It’s also important to include vendor partners and their systems in your assessment. If there are third parties sharing or storing your data, their vulnerabilities might as well be your own.
- Choose a methodology
There are many methodologies for conducting a risk assessment. Some are open source, some are proprietary, but all aim to answer the same basic questions:
- What assets do we need to protect?
- Who/what poses a threat to those assets?
- What would the impact be if those assets were stolen, damaged, or lost?
- What needs to happen in order to minimize our risk?
A good starting place for colleges and universities is the assessment tool created by the EDUCAUSE Cybersecurity Initiative and the Higher Education Information Security Council. It contains 101 questions designed to gauge the maturity of your information security program in areas such as policies and procedures, asset management, data access controls, education, supplier relationships, incident management, and physical and environmental security.
Regardless of which methodology you choose, know that the assessment may force your institution to make some hard choices. That’s because the activities you identify as necessary to mitigate risk may cost time or money you don’t have. It then becomes important to prioritize.
- Prioritize threats
Not every threat is equally likely to occur, nor will they all have the same level of impact on the institution. If you have limited resources, or are creating a timeline, it can help to locate threats on a map of likelihood vs. impact, so you can begin to prioritize.
The map below shows what this might look like for a sample institution. In the upper right-hand corner, the red zone, the institution has listed “credentials for privileged accounts being shared too broadly”—a threat that is highly likely to occur and would cause significant impact. Maybe administrator passwords are being shared among multiple users, or they are being left unchanged when new staff replace old. Regardless, inadequate control over access and identity rights is a threat the institution must address immediately.
Closer to the center, in the yellow zone, the institution has listed “No due diligence process for 3rd party vendors.” Because there is no known imminent threat, the priority may be slightly lower. But, if the institution’s data were to be compromised due to a partner’s data breach, the impact would still be high. So any delay in addressing this threat implies an acceptance of risk. A map like this helps institutional leaders understand the tradeoffs, so they can have meaningful discussions about their tolerance for risk and allocation of resources.
When discussing possible outcomes, keep in mind that impact can be financial, reputational, operational or all of the above. For example, there may be instances where the monetary cost would be minor, but the hit to the institution’s reputation insurmountable. Again, the purpose of the assessment is to help leaders weigh all of the variables.
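The likelihood-vs-impact map above is easy to keep as a small risk register that scores each threat, assigns it a zone and draws the grid. The following Python example is added here to illustrate that; it is not code from the post, EDUCAUSE or HEISC. The 1-5 rating scales, the zone thresholds, the numeric ratings given to the two threats named in the post, the third sample entry and the choice to let the worst impact dimension (financial, reputational or operational) drive the overall rating are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Ratings use a 1-5 ordinal scale. The scale, zone thresholds and sample
# register below are constructed for this example (assumptions), not taken
# from the post or from any published assessment tool.
SCALE = range(1, 6)
ZONE_THRESHOLDS = (("red", 15), ("yellow", 8), ("green", 0))


@dataclass
class Threat:
    name: str
    likelihood: int                               # 1 = rare, 5 = almost certain
    impact: dict = field(default_factory=dict)    # per-dimension ratings, e.g. {"financial": 4}
    owner: str = "unassigned"                     # department head who shares ownership

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently skew priorities.
        if self.likelihood not in SCALE:
            raise ValueError(f"likelihood out of range: {self.likelihood}")
        if not self.impact:
            raise ValueError("at least one impact dimension is required")
        for dim, val in self.impact.items():
            if val not in SCALE:
                raise ValueError(f"{dim} impact out of range: {val}")

    def overall_impact(self) -> int:
        # A minor monetary loss can still be a reputational disaster, so the
        # worst dimension drives the rating (assumption: max, not average).
        return max(self.impact.values())

    def score(self) -> int:
        return self.likelihood * self.overall_impact()

    def zone(self) -> str:
        for zone, floor in ZONE_THRESHOLDS:
            if self.score() >= floor:
                return zone
        return "green"


def prioritize(threats):
    # Highest score first; ties broken by impact so that high-impact but
    # lower-likelihood items (accepted risk) stay visible near the top.
    return sorted(threats, key=lambda t: (t.score(), t.overall_impact()), reverse=True)


def render_map(threats) -> str:
    """ASCII likelihood-vs-impact grid; each cell lists the rank of the threats placed there."""
    ranked = prioritize(threats)
    cells = {}
    for rank, t in enumerate(ranked, start=1):
        cells.setdefault((t.likelihood, t.overall_impact()), []).append(str(rank))
    lines = []
    for impact in reversed(SCALE):                # impact 5 at the top, like the map
        row = [",".join(cells.get((lk, impact), [])).ljust(4) for lk in SCALE]
        lines.append(f"impact {impact} | " + " ".join(row))
    lines.append("           " + " ".join(f"L{lk}".ljust(4) for lk in SCALE))
    return "\n".join(lines)


# Constructed sample register: the first two entries are the threats named in
# the post; their numeric ratings and the third entry are assumptions.
SAMPLE_REGISTER = [
    Threat("Credentials for privileged accounts shared too broadly",
           likelihood=5, impact={"financial": 4, "reputational": 5, "operational": 5},
           owner="IT"),
    Threat("No due diligence process for 3rd party vendors",
           likelihood=2, impact={"financial": 4, "reputational": 5, "operational": 3},
           owner="Procurement"),
    Threat("Incomplete asset inventory for departmental systems",
           likelihood=3, impact={"financial": 2, "reputational": 1, "operational": 2},
           owner="Facilities"),
]

if __name__ == "__main__":
    for rank, t in enumerate(prioritize(SAMPLE_REGISTER), start=1):
        print(f"{rank}. [{t.zone():6}] score={t.score():2} owner={t.owner}: {t.name}")
    print(render_map(SAMPLE_REGISTER))
```

Running the script ranks the shared-credentials item in the red zone and the vendor due-diligence item in the yellow zone, which matches the placement the post describes; recording an owner against each entry mirrors the point made earlier that department heads share responsibility for the risks identified.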
- Make assessments ongoing
Because there are so many factors that impact security—not the least of which is rapidly evolving threats—it’s not enough to conduct a single assessment.
Choose a schedule for regularly updating your assessment, whether annual, quarterly, etc. Internal self-assessments should be relatively frequent, while external auditors might be scheduled less often or for specific purposes.
It’s also a good idea to engage regularly with peers and industry workgroups. Staying on top of the latest threats, mitigation techniques, technologies, and best practices is often too much for one institution. Attend cybersecurity events, take advantage of the Higher Education Information Security Council (HEISC)’s extensive online resources, and pay attention to what’s happening in other fields, such as government or healthcare.
When it comes to staying vigilant and ongoing learning, you can’t do too much.
Once you’ve conducted a thorough risk assessment and set institutional priorities, the next step is to create an information security plan. In the next blog, I’ll cover the elements of an effective plan, including everything from technology to incident response to education.