How do you conduct your IT risk assessments?
In a recent ControlScan customer survey, we asked IT leaders about risk assessments. Specifically, we wanted to know how often businesses are conducting them, as well as if they are doing so formally by using an external resource.
Here’s what we found:
So, while 80% of the IT leaders we surveyed are regularly conducting risk assessments, 40% of them are doing it without the many benefits of a third-party resource.
That means those who conduct their own risk assessments are:
- Reviewing critical assets and functional areas to identify threats and vulnerabilities that may impact their confidentiality, integrity or availability;
- Investigating their organization’s processes and procedures, according to feedback from individual business owners;
- Assessing the effectiveness of in-place technical, physical and administrative controls including implementation of security solutions, separation of duties, and password policies;
- Analyzing the likelihood of incident occurrence and determining a composite risk level for each functional area; and
- Fully documenting and discussing all findings, conclusions and recommendations with executive leadership so they can quickly be put into practice.
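The list above describes the work but not how the "composite risk level" for a functional area is actually derived. The following is an added illustration, not ControlScan's code or a method the survey describes: it assumes one common 5x5 scheme in which likelihood and impact are each rated 1 to 5, inherent risk is their product, residual risk is reduced by the rated effectiveness of in-place controls, and an area's composite level is driven by its worst finding, escalated one band when several High findings cluster in the same area. The band boundaries, the cluster threshold of three, and the sample risk register are all constructed assumptions.

```python
"""Composite risk levels for a self-conducted IT risk assessment.

Added illustration, not ControlScan's code or method. Assumed scheme:
likelihood and impact rated 1-5, inherent risk = likelihood x impact,
residual risk reduced by the rated effectiveness of in-place controls,
and a functional area's composite level driven by its worst finding
(escalated one band when High findings cluster in that area).
"""
from dataclasses import dataclass

# Assumed banding of a 1-25 residual score (one common 5x5 matrix layout).
BANDS = (("Low", 1, 4), ("Moderate", 5, 9), ("High", 10, 16), ("Critical", 17, 25))
BAND_NAMES = [name for name, _, _ in BANDS]
CLUSTER_THRESHOLD = 3  # assumed: 3+ High-or-worse findings escalate an area


@dataclass(frozen=True)
class Finding:
    area: str          # functional area under review
    asset: str         # critical asset the threat applies to
    threat: str        # threat or vulnerability identified
    cia: str           # "C", "I" or "A": which property is at stake
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)
    control_pct: int   # 0..100: how much in-place controls mitigate


def validate(f: Finding) -> None:
    """Reject ratings outside the assumed scales before scoring."""
    if f.cia not in ("C", "I", "A"):
        raise ValueError(f"{f.asset}: cia must be C, I or A")
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"{f.asset}: likelihood and impact must be 1..5")
    if not 0 <= f.control_pct <= 100:
        raise ValueError(f"{f.asset}: control_pct must be 0..100")


def residual_score(f: Finding) -> int:
    """Inherent (likelihood x impact) reduced by control effectiveness,
    rounded half-up with integer arithmetic, never below 1."""
    validate(f)
    inherent = f.likelihood * f.impact
    return max(1, (inherent * (100 - f.control_pct) + 50) // 100)


def band_of(score: int) -> str:
    """Map a 1-25 residual score to its qualitative band."""
    for name, lo, hi in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside 1..25")


def composite_by_area(findings) -> dict:
    """Per functional area: worst residual score, its band, how many
    findings are High or worse, and whether clustering escalated the band."""
    result = {}
    for f in findings:
        score = residual_score(f)
        entry = result.setdefault(f.area, {"score": 0, "high_or_worse": 0})
        entry["score"] = max(entry["score"], score)
        if BAND_NAMES.index(band_of(score)) >= BAND_NAMES.index("High"):
            entry["high_or_worse"] += 1
    for entry in result.values():
        idx = BAND_NAMES.index(band_of(entry["score"]))
        escalated = (entry["high_or_worse"] >= CLUSTER_THRESHOLD
                     and idx < len(BAND_NAMES) - 1)
        entry["escalated"] = escalated
        entry["band"] = BAND_NAMES[idx + 1 if escalated else idx]
    return result


def rank_areas(findings):
    """Areas ordered worst-first, the order leadership should act in."""
    comp = composite_by_area(findings)
    return sorted(comp.items(),
                  key=lambda kv: (BAND_NAMES.index(kv[1]["band"]), kv[1]["score"]),
                  reverse=True)


# Constructed sample register (not real survey or client data).
SAMPLE_FINDINGS = [
    Finding("Finance", "AP workstation", "phishing leading to invoice fraud", "I", 4, 4, 25),
    Finding("Finance", "ERP database", "ransomware outage", "A", 3, 5, 40),
    Finding("HR", "HRIS", "shared account exposes employee PII", "C", 4, 5, 0),
    Finding("HR", "payroll file share", "accidental over-sharing", "C", 3, 3, 50),
    Finding("IT Ops", "backup server", "silent backup failure", "A", 2, 5, 70),
    Finding("IT Ops", "VPN gateway", "unpatched appliance", "C", 5, 4, 20),
    Finding("IT Ops", "change process", "no separation of duties for DBAs", "I", 3, 4, 10),
    Finding("IT Ops", "domain accounts", "weak password policy", "C", 4, 4, 30),
]

if __name__ == "__main__":
    for area, info in rank_areas(SAMPLE_FINDINGS):
        note = " (escalated: clustered High findings)" if info["escalated"] else ""
        print(f"{area:8} {info['band']:9} score={info['score']:2} "
              f"high_or_worse={info['high_or_worse']}{note}")
```

With the constructed register, HR ranks first on a single Critical finding (a shared account with no compensating control), while IT Ops reaches Critical only through escalation: none of its findings is worse than High, but three High findings in one area signal a systemic weakness that a max-only rule would understate. That aggregation rule is exactly the kind of methodological choice a self-assessment has to make explicit and defend, and that an independent reviewer would ask about.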
Without the eyes of an independent third party, what mechanism do you have to ensure that these elements are being performed?
When assessing your organization’s risk, don’t forget the pen test.
Penetration tests (also known as “pen tests”) are a critical component of the security risk assessment process, especially for those organizations conducting their own assessments.
Penetration testing goes much further than vulnerability scanning, which is an automated search for basic, known vulnerabilities. After using a discovery scan to map out your network, a highly trained engineer plans and executes attacks as a hacker or a malicious insider would.
One added benefit is that the engineer’s planning work confirms the network is set up as it was documented; any deviations found can be communicated immediately. Any critical vulnerability found would require that the test be stopped right away and the client contacted.
Even if you have great security defenses in place, it is important to have a third party perform regular penetration tests against your IT network. Otherwise, what independent means do you have to prove the strength of those defenses?