5 Steps to Creating a Cybersecurity Risk Assessment
Many financial institutions are faced with managing and maintaining information security risk assessments, including the need to integrate cybersecurity threats. In general, financial institutions should review their existing risk assessment program with cybersecurity threats. However, if it’s easier to have a separate program, management should consider its options.
We recommend developing a five-step plan to help establish a foundation for a meaningful risk assessment program:
- Identify information assets
Consider the primary types of information handled, e.g., Social Security numbers, account numbers or human resource data, and make a priority list of what needs to be protected. To properly identify assets, include personnel from various departments.
- Locate information assets
Identify and list where each item on the information asset list resides within the organization, e.g., file servers, workstations, laptops, removable media or smartphones.
- Classify information assets
Assign a rating to your information asset list. Consider a scale of 1 to 5, with the following categories:
- Public information
- Internal but not protected data
- Sensitive internal information
- Classified internal information
- Regulated information
- Conduct a threat modeling exercise
Rate the threats facing critical information assets. Many different methodologies are available (potential fodder for a separate article). In any case, use a scaling system to rate each identified threat, considering probability and impact.
- Finalize the risk assessment and start planning
Calculate the threat scores using a scoring threshold and establish ranges and review the results.
The goal of the risk assessment exercise is to establish a risk assessment program to enhance your information security program. If you need help with the risk assessment process, please contact us.