Government Technology

5 Steps to Cyber-Security Risk Assessment


June 24, 2010

Many organizations suffer "security paralysis," a condition in which it is impossible to prioritize areas for remediation due to limited resources. Others attempt to apply a set of best practices in the hope that what worked for another organization will work for them. Neither of these approaches is a rational strategy for protecting information assets or maximizing the value returned from investments in security, according to IT solutions provider CDW-G.

For many organizations, the best approach may be to pursue an internal cyber-security risk assessment. The company developed a five-step plan to help organizations lay the foundation for a meaningful security strategy. These steps, the company said, are ideal for organizations requiring simple guidance on getting started.

1. Identify information assets. Consider the primary types of information that the organization handles (e.g., Social Security numbers, payment card numbers, patient records, designs, human resources data), and make a priority list of what needs to be protected. As a guide, plan to spend no more than one to two hours on this step.
2. Locate information assets. Identify and list where each item on the information asset list resides within the organization (e.g., file servers, workstations, laptops, removable media, PDAs and phones, databases).
3. Classify information assets. Assign a rating to your information asset list. Consider a 1-5 scale, with the following categories:
1 - Public information (e.g., marketing campaigns, contact information, finalized financial reports, etc.)
2 - Internal, but not secret, information (e.g., phone lists, organizational charts, office policies, etc.)
3 - Sensitive internal information (e.g., business plans, strategic initiatives, items subject to nondisclosure agreements, etc.)
4 - Compartmentalized internal information (e.g., compensation information, layoff plans, etc.)
5 - Regulated information (e.g., patient data, classified information, etc.)

This classification scheme lets organizations rank information assets based on the amount of harm that would be caused if the information were disclosed or altered. The team should strive to be realistic here, and aim for consensus.

4. Conduct a threat modeling exercise. Rate the threats that top-rated information assets face. One option is to use Microsoft's STRIDE method, which is simple, clear and covers most of the top threats.
STRIDE:
Spoofing of Identity
Tampering with Data
Repudiation of Transactions
Information Disclosure
Denial of Service
Elevation of Privilege

It is also worth considering using an outside consultant with experience in this area to facilitate conversation. Develop a spreadsheet for each asset, listing the STRIDE categories on the X axis. On the Y axis, list the data locations identified in Step 2. For each cell, make estimates of the following:

  1. the probability of this threat actually being carried out against this asset at the location in question
  2. the impact that a successful exploitation of a weakness would have on the organization

Use a 1-10 scale for each of the above (e.g., 1 is "not very likely" or "this would not have a large impact;" 10 is "quite probable" or "catastrophic"). Then multiply those two numbers together and enter the product in the cell. The spreadsheet should be populated with numbers from 1 to 100. This activity will likely take a full day for smaller organizations and several days for larger ones.

5. Finalize data and start planning. Multiply all the cells in each of the worksheets by the classification rating assigned to the asset in Step 3. The result is a rational and comprehensive ranking of threats to the organization. It includes both the importance of the assets at stake and a broad spectrum of possible contingencies. A reasonable
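As an added worked example (not from the article or from CDW-G), the following Python carries the Step 3 to Step 5 arithmetic through on constructed assets, locations and estimates; the asset names, locations and numbers are assumptions chosen for illustration, and the code also rejects estimates that fall outside the article's scales.

```python
# Worked example of the five-step scoring method (added here; not from the
# article or CDW-G). Asset names, locations and estimates are constructed.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

def cell_score(likelihood, impact):
    """Step 4: likelihood x impact, each on a 1-10 scale, giving 1..100."""
    for v in (likelihood, impact):
        if not 1 <= v <= 10:
            raise ValueError(f"estimate {v} is outside the 1-10 scale")
    return likelihood * impact

def risk_matrix(classification, estimates):
    """Step 5: multiply every Step 4 cell by the Step 3 classification (1-5).
    estimates maps (location, stride_category) -> (likelihood, impact)."""
    if not 1 <= classification <= 5:
        raise ValueError("classification must be on the 1-5 scale")
    matrix = {}
    for (location, threat), (likelihood, impact) in estimates.items():
        if threat not in STRIDE:
            raise ValueError(f"unknown STRIDE category {threat!r}")
        matrix[(location, threat)] = classification * cell_score(likelihood, impact)
    return matrix

def rank_threats(assets):
    """assets: {name: (classification, estimates)}. Returns a list of
    (score, asset, location, threat) tuples, highest score first."""
    rows = []
    for name, (classification, estimates) in assets.items():
        for (location, threat), score in risk_matrix(classification, estimates).items():
            rows.append((score, name, location, threat))
    return sorted(rows, reverse=True)

# Constructed sample: one regulated asset (rating 5) and one internal asset (rating 2).
SAMPLE = {
    "patient records": (5, {
        ("database", "Information Disclosure"): (6, 9),
        ("laptops", "Information Disclosure"): (7, 8),
        ("database", "Tampering"): (3, 9),
    }),
    "phone list": (2, {
        ("file server", "Information Disclosure"): (8, 2),
        ("file server", "Denial of Service"): (4, 3),
    }),
}

if __name__ == "__main__":
    for score, asset, location, threat in rank_threats(SAMPLE):
        print(f"{score:4d}  {asset:16s} {location:12s} {threat}")
```

On the sample data the unencrypted-laptop copy of the regulated asset ranks first (280), ahead of the database copy (270), while the internal phone list scores no higher than 32.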


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/5-Steps-to-Cyber-Security.html

