NIS2: Perform a risk assessment

This is the fourth article in the series How-To: NIS2 EU Directive.

One essential step in safeguarding an organization’s sensitive information is to perform a cybersecurity risk assessment.

This assessment is particularly crucial when the goal is to implement an Information Security Management System (ISMS).

In this article, we will delve into the importance of risk management and risk assessment in the context of cybersecurity, while providing a step-by-step guide on how to conduct a thorough cybersecurity risk assessment within the cybersecurity framework of an ISMS.


Understanding Risk Management and Risk Assessment

Before we dive into the process of conducting a cybersecurity risk assessment, it is vital to grasp the fundamental concepts of risk management and risk assessment.

Risk Management: Risk management is a systematic approach to identifying, assessing, and mitigating risks to an organization’s information assets. It involves a cycle of processes that help businesses make informed decisions to protect their data, reputation, and operations. The ultimate goal is to minimize the potential impact of security incidents and threats.

Risk Assessment: Risk assessment is a crucial component of risk management. It involves identifying potential risks, analyzing their potential impact, and evaluating the likelihood of their occurrence. A thorough risk assessment helps organizations prioritize and allocate resources effectively to protect against vulnerabilities.


Step-by-Step Guide to Performing a Cybersecurity Risk Assessment


Define the Scope

Start by clearly defining the scope of your risk assessment. This can be focused on achieving a certification like ISO 27001, TISAX, ISO 21434, or simply improving the security of the company.

Ask yourself whether you are

  • conducting the assessment to achieve compliance with a specific cybersecurity framework (e.g., ISO 27001)?
  • trying to protect a particular set of critical assets?
  • trying to identify vulnerabilities in a specific system or process?

Identify Assets and Threats and categorize them

List all the digital (software, IP, processes, libraries, licenses, data in various systems, etc.) and physical assets (hardware, components, buildings, personnel, suppliers, etc.) that need protection, from data and software to hardware and personnel.

Then, identify the potential threats that could jeopardize these assets: malware, social engineering, theft, a supplier going out of business, but also natural disasters.

Categorize the assets based on their criticality to your business operations and the level of protection they require. Assign a value to each asset, factoring in its importance to your organization.

Hint: if it is hard to identify potential threats, use an external source:

  • Threat Intelligence: Stay updated with current threat intelligence to understand emerging threats and vulnerabilities relevant to your industry.


Assess Vulnerabilities

Evaluate the vulnerabilities within your organization. Vulnerabilities are weaknesses in your security measures that can be exploited by threats. These may include outdated software, weak passwords, or inadequate access controls.

  • Utilize automated vulnerability scanning tools: There are numerous vulnerability scanning tools available that can automatically identify known vulnerabilities in your systems. Tools like Nessus, Qualys, and OpenVAS can scan your network and provide reports on identified vulnerabilities.
  • Schedule regular scans: Perform scans on a regular basis to stay up-to-date with new vulnerabilities and changes in your infrastructure.
  • Perform penetration testing: Penetration testing, often performed by ethical hackers, involves simulating real-world attacks to identify vulnerabilities that automated scans might miss. Penetration testers attempt to exploit weaknesses in your systems to assess their security.
  • External and internal testing: Conduct both external and internal penetration tests to evaluate your network from both an external attacker’s and an insider’s perspective.
  • Perform code reviews: For custom software and web applications, review the application code to identify vulnerabilities within the code itself. This can help uncover issues that automated scans may not detect.
  • Perform configuration audits: Misconfigurations are common sources of vulnerabilities. Regularly audit and review the configurations of your systems and applications to ensure they align with security best practices.
  • Perform patch management: Vulnerabilities often have associated patches or updates. Establish a patch management process to ensure that all software, including operating systems and applications, is regularly updated to address known vulnerabilities.
  • Perform a physical security assessment: Don’t overlook the importance of physical security. Assess the physical security of data centers, server rooms, and facilities to prevent unauthorized access to critical infrastructure.


Determine the Impact

Impact is defined as the negative effect that may result from the occurrence of a threat.

Assess the potential impact of each threat on your assets and operations.

Consider factors such as:

  • financial loss;
  • reputational damage;
  • operational disruption;
  • loss of information / knowledge;
  • third parties gaining access to information / knowledge;
  • information that has been manipulated or is incomplete;
  • information, knowledge or a person that is not available;
  • a questionable legitimacy of the information source.

Impact levels and their descriptions:

  • Catastrophic: The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, or other organizations.
  • Critical: The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, or other organizations.
  • Serious: The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, or other organizations.
  • Significant: The threat event could be expected to have a significant but limited adverse effect on organizational operations, organizational assets, individuals, or other organizations.
  • Minor: The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, or other organizations.

Calculate Risk

Calculate the risk associated with each threat by combining the likelihood of the threat occurring and its potential impact. You can use quantitative or qualitative methods, depending on your resources and the framework you’re following.

Risk levels and their descriptions:

  • Very Low: It has a very low impact on the business operations. Doesn’t require action.
  • Low: Minor business effects. Doesn’t require immediate action.
  • Medium: Some negative business impacts would take place. Such risks are considered acceptable. Actions could be taken but they are not considered necessary.
  • High: It has negative effects on the business operations. It must be considered for treatment to reduce its probability.
  • Very High: Serious to catastrophic negative business impacts would take place. These risks must be reduced or handled in such a way that they become acceptable.


Prioritize Risks

Based on your risk calculations, prioritize the identified risks. Focus on the most critical ones that pose the greatest threat to your organization.

When prioritizing, also consider the effort and cost needed to implement the control that mitigates each risk.
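A worked risk matrix and prioritization for the Calculate Risk and Prioritize Risks steps, as an added example that is not part of the original article. It reuses the article's impact and risk-level scales; the likelihood scale, the scoring bands, the control-cost score and the sample risk register are assumptions made for the example.

```python
from dataclasses import dataclass

# Scales taken from the article: impact levels (Determine the Impact) and risk levels (Calculate Risk).
IMPACT = ["Minor", "Significant", "Serious", "Critical", "Catastrophic"]
RISK = ["Very Low", "Low", "Medium", "High", "Very High"]
# Likelihood scale is an assumption; the article does not define one.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
# Assumed 5x5 matrix: score = product of the 1-based ranks (1..25), bucketed into the five risk levels.
BANDS = [(2, "Very Low"), (5, "Low"), (10, "Medium"), (16, "High"), (25, "Very High")]
# Per the article, High must be considered for treatment and Very High must be reduced.
TREATMENT_REQUIRED = {"High", "Very High"}


@dataclass
class RiskItem:
    asset: str
    threat: str
    likelihood: str
    impact: str
    control_cost: int  # assumed relative cost/effort of the mitigating control: 1 (cheap) .. 5 (expensive)


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into one of the article's five risk levels."""
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    return next(level for upper, level in BANDS if score <= upper)


def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Highest risk first; among equal risk levels, the cheaper control comes first."""
    return sorted(items, key=lambda r: (-RISK.index(risk_level(r.likelihood, r.impact)), r.control_cost))


def treatment_plan(items: list[RiskItem]) -> list[RiskItem]:
    """The risks the article says must be treated (High or Very High), in priority order."""
    return [r for r in prioritize(items) if risk_level(r.likelihood, r.impact) in TREATMENT_REQUIRED]


# Constructed sample risk register (not real data).
REGISTER = [
    RiskItem("Customer database", "ransomware", "Likely", "Critical", control_cost=4),
    RiskItem("Source code", "theft by insider", "Possible", "Catastrophic", control_cost=2),
    RiskItem("Build server", "unpatched software", "Possible", "Serious", control_cost=1),
    RiskItem("Key supplier", "supplier goes out of business", "Unlikely", "Critical", control_cost=3),
    RiskItem("Office building", "flood", "Rare", "Catastrophic", control_cost=5),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{risk_level(r.likelihood, r.impact):9} {r.asset:18} {r.threat}")
```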


Implement Controls

Develop and implement security controls to mitigate the identified risks. Controls can include firewalls, encryption, access management, and employee training. Make sure these controls align with the chosen cybersecurity framework and ISMS requirements.


Monitor and Review

Regularly monitor the effectiveness of the controls and review the risk assessment. Cybersecurity threats are continually evolving, so it’s essential to keep your risk assessment up to date.


Document

Document the entire risk assessment process, including your findings, controls, and any changes made. Proper documentation is crucial for compliance and continuous improvement.


ISO 27002:2022 must be consulted when judging the risks and the strength or weakness of the controls.


© Copyright 2023 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

