Integrity Blog

Why do I need an IT Risk Assessment?

Some organizations are required by law to conduct a risk assessment; others are bound by compliance obligations or pressured by clients. Even when it isn’t mandatory, many organizations choose to perform a risk assessment for the various benefits it provides. In this article we will talk about why organizations perform risk assessments, and the reasons every organization should consider one.

For starters, an IT risk assessment is a great way to gain a better understanding of an organization’s technology environment. An assessment helps in guiding the establishment of a security plan and creating a roadmap for achieving security goals. If you have been tasked as the information security lead, this is where you should begin.

Conducting an IT risk assessment is a proactive approach to securing your organization. Well-organized assessments utilize a structured framework that helps identify existing controls as well as gaps that have gone unnoticed. Without an assessment, these findings would be left hidden and unaddressed.

The results of the assessment, however, are only the beginning. What an organization does with those results is where they find the value. By evaluating the comprehensive list of risks an organization can determine the biggest threats, prioritize them, and create a plan for mitigation.

It is the IT Director’s (or whoever holds a similar role) responsibility to identify the risks and present them to the executive team, because it is the executives who are responsible for making the business decision they believe is best for the organization. IT Directors can provide recommendations and guidance, but the decision to accept, mitigate, or transfer a risk belongs to the business and its leaders.

Effectively communicating risks with executives isn’t always an easy task for IT professionals. It is important to arm yourself with results and actionable recommendations prior to communicating concerns. This will help you in your efforts to relay important security information. Providing the management team with a plan that is prioritized and concise may just enable you to get those necessary security resources after all.

It is also important to remember that threats change constantly, and a risk assessment is simply the beginning of building an effective IT Risk Management Program. For those of you just dipping your toes into the murky waters of information security, a risk assessment will help you take that leap and dive in head first with confidence. Don’t wait until someone else uncovers a vulnerability for you. Be proactive: identify the risks and let the business decide how to deal with them.

Does your organization need security advisement?

Integrity's vCISO Services

Why should I hire a penetration tester and who?

In essence, penetration testers are hackers with a conscience. They are hired by organizations to hack into systems and reveal exploitable vulnerabilities that threaten business operations. Pen testers battle at a computer (sometimes with intel gained from social engineering attacks) and carve through lines of code, web applications, and other business critical systems for hours on end, pivoting from one system to the next until they have either breached the proverbial security wall or confirmed that the organization’s system(s) are securely configured.

So, why would a company hire someone to breach its systems? It sounds counterproductive at first, but the more an organization learns about the attack and the methods used, the more insight it gains into its systems’ weaknesses. If the organization doesn’t discover its weaknesses first, someone else will. And, when that someone else is a competitor, terrorist state, or ne’er-do-well looking to disrupt corporate America, it seldom ends well for the organization.

Finding the right fit

When hiring an ethical hacker, it is best to confirm a few things. For starters, you want to make sure that your hacker is both capable and, of course, ethical. One way to verify this is through certifications. These certifications help to ensure that you are getting the best value for your purchase. Penetration testing can be priceless when you hire the right hackers.

Certified Ethical Hacker (C|EH)
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/

A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective.

GIAC Penetration Tester (GPEN)
https://www.giac.org/certification/penetration-tester-gpen

The GPEN certification is for security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities. Certification objectives include penetration-testing methodologies, the legal issues surrounding penetration testing, and properly conducting a penetration test, as well as best practice technical and non-technical techniques specific to conducting a penetration test.

GIAC Web Application Penetration Tester (GWAPT)
https://www.giac.org/certification/web-application-penetration-tester-gwapt

Web applications are one of the most significant points of vulnerability in organizations today. Most organizations have them (both web applications and the vulnerabilities associated with them). Web application holes have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual’s understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.

Penetration testing methodology

Certifications should be accompanied by proper penetration testing methodologies. Verify with your pen testers that they are following a reputable penetration testing methodology framework. At Integrity, we use a methodology framework that is derived from the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), and other industry best practices.

Liability insurance

It is also important to understand that penetration testing is an intrusive test. In most cases, the penetration tester will not accept responsibility for consequential damages or restoration of services resulting from the testing activity. However, you will want to make sure the hacker is protected with liability insurance. There are some situations where the penetration testing company could be held liable for certain actions if they are performed negligently. And, if that were to occur, you want to be sure they have the means to right their wrongs.

Finding the right penetration tester doesn't have to be difficult. Integrity can help.

Penetration Testing Services

If your organization uses the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, you are probably already aware that efforts are underway to develop Revision 5. NIST, as always, has solicited and received a substantial number of comments regarding the current document, as well as recommendations for adjusting the document to better suit non-federal entities, including businesses, academia, and state, local and tribal governments. As more and more non-federal entities adopt and use NIST standards, NIST is taking steps to make the controls catalogue more adaptable and usable for a broad array of organizations.

The following information summarizes the expected changes:

  • To be more inclusive, the term “federal” will be removed to the extent possible.
  • The term “information system” will be replaced with just “system” to be more inclusive of various types of systems, such as industrial control systems and Internet of Things.
  • To improve the document’s structure, and to make it easier to find and compare controls, both the program management and privacy controls sections will be integrated into the main controls section. This change enhances the relationship between privacy and security controls, and reinforces the importance of overall program management of information security activities within organizations.
  • Priority sequencing codes (i.e., P0, P1, P2, P3) will be removed. Feedback indicated that the intent of these codes was being misinterpreted, and removing them gives organizations more flexibility in sequencing the implementation of controls.
  • Keywords and hyperlinks will be integrated to assist users in navigating the document and finding information.
  • Introductory terms within the controls (i.e., “The organization…” and “The information system…”) will be removed to make the controls “outcome-based,” to better align the controls with other NIST guidance, and to remove ambiguity regarding responsibility for implementing the controls.

NIST is planning on releasing the first draft of Revision 5 for public comment at the end of March 2017. If you are interested in additional information from NIST about the expected changes, please visit: http://csrc.nist.gov/publications/drafts/800-53r5/draft_sp800-53-rev5_update-message.pdf

For a copy of the current SP 800-53 Revision 4, as well as other NIST SP 800 series documents, please visit: http://csrc.nist.gov/publications/PubsSPs.html
