Vulnerability x Threat = Risk

In order to understand risk, we must first understand the definition of threat and vulnerability. A business risk results from significant conditions, events, circumstances, actions, or inactions that could adversely affect your company’s ability to achieve its objectives and execute strategies. Risk is a condition that results when vulnerabilities and threats act upon critical assets.

In information security, we like to use the formula “Vulnerability x Threat = Risk” to demonstrate this. So, what are threat and vulnerability?

What is Threat?

A threat is a potential event that could take advantage of a flaw in a protected asset and result in the loss of that asset’s confidentiality, integrity, and/or availability (C-I-A). Threats result in undesirable performance of critical assets. There’s always a potential flaw that could be exposed, and when a threat is identified, think about how it could affect each pillar of security: confidentiality, integrity, and availability.

Think about this scenario: Your organization is storing a box of hard-copy, paper patient records. The sprinklers in your building go off, and the records are soaked. You have to hire a company to come in and dry out the records and restore them to a readable state. What security losses have you had? Availability, but also the loss of integrity because the data is lost. It hasn’t been stolen, so there’s no loss of confidentiality, but the data is not usable because of water damage. We can’t claim all three pillars of security if we can’t use the asset for the purpose it was intended.

Next, let’s think about the three types of threats:

  • What are the natural threats? This could be anything like floods, earthquakes, or hurricanes.
  • What are man-made threats to the assets we’re trying to protect? Man-made threats are categorized as intentional, deliberate, or accidental.
  • What about environmental threats? Could your asset be affected by an environmental threat such as power failure, pollution, chemical damage, or water damage?

What is Vulnerability?

A vulnerability is a known or unknown flaw or weakness in an asset that could result in the loss of the asset’s integrity, availability, and/or confidentiality. An internal vulnerability could be a lack of security awareness training or no documentation for a critical process. Let’s go back to our paper records scenario. The flaws would be the fact that the print can fade over time, so it could be unusable in the future, or the fact that it exists in a single physical location, so if it’s ever lost, that information is gone.

Threat identification and vulnerability identification are both integral parts of a risk assessment. Once you’ve identified your threats and vulnerabilities, you’ll be able to determine how to mitigate the negative impact of potential threats and vulnerabilities. Controls that you put into place should be based on an assessment of risk. For more details on how to complete a formally documented risk assessment, download our free Risk Assessment Guide.

What is a threat? A threat is a potential source that could, accidentally or intentionally, exercise a specific vulnerability. What is a vulnerability? A vulnerability is a flaw or weakness in system security procedures, design, implementation, or other controls that could be accidentally triggered or intentionally exploited.

As cyber threats continue to be a major concern for business owners, not having a cybersecurity strategy in place is no longer an option. You must be prepared to defend your business from cyber threats and be proactive with your cybersecurity prevention strategies. Here are 5 easy ways to defend your business from cyber threats.

1. Know Your Risks

As auditors, we frequently talk about risk assessment and risk management strategies as the foundation of any information security and cybersecurity program. By performing a formal risk assessment, your organization can gain a clear picture of where your assets lie, and what internal and external vulnerabilities exist. Keeping an awareness of the threat landscape and the cybersecurity threats that exist can help defend your business from cyber threats.

2. Promote a Culture of Cybersecurity

The workforce is any organization’s critical line of defense, and with the threat landscape rapidly changing, it’s important to keep employees on their toes at all times. Creating a culture of cybersecurity can help encourage employees to be aware of cyber threats and help to educate the workforce on recognizing and preventing cyber threats from occurring.

3. Ensure Hardening Standards

Implementing hardening standards is an important step to defend your business from cyber threats. System and network hardening, also known as “defense in depth,” is a great approach to eliminating the potential of a cyberattack by creating multiple layers of protection. A strong perimeter firewall, anti-virus, strong passwords, IDS, and physical access controls are all examples of hardening techniques. Using these controls in combination can help to defend your business from cyber threats.

4. Encrypt Everything

Strong encryption is an easy way to defend your business from cyber threats, as it protects sensitive data that you don’t want to end up in the wrong hands. Encryption allows sensitive data (credit card numbers, health information, or any other personally identifiable information) to travel across networks without being compromised or accessed by unauthorized parties.

5. Update Your Software

As many organizations have learned the hard way over the last couple of years, leaving critical updates to software and operating systems unpatched could lead to serious vulnerabilities waiting to be exploited by a malicious attacker. Best practices state that patches that are released as critical should be implemented within 30 days of release.

Don’t wait until you’re under attack from a cyber threat before you start having the conversation about cybersecurity at your organization. Take steps now to defend your business from cyber threats. For more information or help with ramping up your cybersecurity program, contact us today.

GDR Successfully Completes SOC 1 Type II and SOC 2 Type II Review of Internal Controls and Processes; Continues to Exceed Industry Standards

New York, NY – Global Debt Registry (GDR), the asset certainty company known for its loan validation expertise, today announced the successful completion of its SOC 1 Type II and SOC 2 Type II attestation reports. Performed by KirkpatrickPrice, the independent audit confirms GDR’s internal security controls meet the American Institute of Certified Public Accountants’ (AICPA) applicable Trust Services Principles and Criteria. These latest verifications reaffirm GDR’s position as a leader in the online lending space for security and operational integrity in providing asset certainty and validation through its suite of digital due diligence solutions.

The SOC 1 Type II audit assessed GDR’s consistent application of internal controls and processes to protect consumer data, maintain operational integrity and comply with industry regulations over a six-month period. The SOC 2 Type II review compared the strength of those internal policies and controls with the AICPA’s own Trust Services Principles of security, availability, confidentiality and processing integrity. The SOC 2 Type II attestation provides a comprehensive and integrated assessment of an organization’s data security and integrity control framework to industry stakeholders — and is missing from organizations which choose to obtain a SOC 1 Type II exclusively and point to their cloud provider’s or vendors’ SOC 2 Type II attestation reports.

The successful completion of these verifications demonstrates GDR’s continued commitment to achieving the highest standards of data security and integrity in the industry, providing GDR’s clients with greater confidence that their confidential information is receiving the most robust levels of security.

“We are single-minded in our focus to create the safest and most secure data environment for our clients,” said Charlie Moore, President, GDR. “With this latest round of SOC attestations, we are reaffirming our role as a trusted partner in the online lending market with the most comprehensive data and information protection achievable. We encourage the broader lending industry to join us in adopting the SOC 2 Type II certification beyond just their outsourced data centers, but for their overall business.”

With its suite of online lending verification tools, GDR helps online lenders, investors, and warehouse lenders protect against loan data integrity issues and mis-pledging of assets. Earlier this year, GDR announced its compliance with SOC 1 Type I and SOC 2 Type I. The Company is also compliant with additional industry standards such as PCI DSS (Payment Card Industry Data Security Standard), the GLBA (Gramm Leach Bliley Act) Safeguards Rule, and ISO 27002 (International Organization for Standardization 27002).

GDR engaged KirkpatrickPrice, a licensed CPA and PCI QSA firm, to perform this latest round of SOC audits and compliance testing of GDR’s internal administrative, physical, and technical controls and processes that relate to client’s financial statements and affect security, availability, processing integrity, and confidentiality.

About Global Debt Registry (GDR)

GDR is a Private Equity backed FinTech company that provides asset certainty for institutional investors and warehouse lenders in the online lending market. GDR ensures that the data underlying the loans is real and accurate by validating loan information against trusted third-party data sources. GDR’s tools help both investors and warehouse lenders better manage risks associated with online consumer loans and enable online lenders to attract more permanent capital. The Company is backed by a $5 Billion private equity firm and is led by a team of senior executives from Thomson Reuters, Credit Suisse, Bank of America and Barclays. Further information can be found at www.globaldebtregistry.com.

Media Contact

Kristina Pereira Tully

Caliber Corporate Advisers

kristina@calibercorporate.com

888.550.6385 ext.5

Why is Risk Management Important to Business?

Humans are constantly considering risk, even when we don’t realize it. Risk management is our response to the possibility of suffering harm or something going wrong…and things go wrong all the time! Car accidents, stolen wallets, unexpected bad weather, burnt dinners. The list could go on and on. We are programmed to manage risk. So, how does risk management translate into business?

We believe that the success and operability of your organization depends on how well you manage your unique risks. Risk management is critical to your organization. Risk management is the process of identifying, assessing, mitigating, and controlling threats to an organization. These threats could stem from financial uncertainty, legal liabilities, management, accidents, or natural disasters. Because of the growing information security-related threats, companies’ risk management programs are under intense scrutiny from industry and governing bodies. Protecting digital assets like protected health information, cardholder data, personally identifiable information, intellectual property, or financial statements is a top priority.

What Should My Risk Management Program Look Like?

Risk management programs consist of performing risk analyses, conducting risk assessments, documenting policies and procedures, building an internal audit program, and creating an actionable risk management plan. All of these elements create a strategy for mitigating your organization’s unique risk.

  • A risk analysis identifies the threats and analyzes the vulnerabilities of an organization. This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of what critical assets you’re trying to protect, the risks your organization is facing, and what your organization is doing to limit vulnerabilities.
  • A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. A risk assessment should include: conducting a risk assessment survey, identifying risks, assessing the importance and likelihood of risk, creating a risk management plan, and then implementing that plan.
  • Your risk management plan means nothing if it isn’t documented in your policies and procedures. We strongly believe that if something is not written down, it’s not happening. These policies and procedures should define how you mitigate identified risks, and then be effectively communicated to all employees.
  • According to the Institute of Internal Auditors, “the role of internal audit is to provide independent assurance that an organization’s risk management, governance, and internal control processes are operating effectively.” An internal audit is conducted objectively and designed to improve and mature an organization’s business practices. An internal audit program provides objective insight into an organization’s culture, policies, procedures, improves efficiency of operations, evaluates risk and protects assets, assesses controls, and ensures relevant regulatory compliance.

Still have questions about risk management? For more information on KirkpatrickPrice’s risk assessment services and how we can help, contact us using the form below.


Today, I’m asked to talk about risk and risk management a little bit and to provide some useful, helpful tips on risk. Many times, people’s eyes glaze over when you say “risk management” and they’re wondering why in the world we would want to talk about risk. Let me tell you: risk is your best friend because you’re doing it all the time, whether you know it or not.

Risk, by definition, is the response to possibly suffering harm or loss or something that can go wrong. Take for instance, you’re doing risk management. My example is the thing that wakes you up in the middle of the night that’s not your dog that has to go out or your significant other that really wants to talk to you, but it’s something that bothers you at work. You know that. It’s something that comes out of the back of your mind, often between the hours of one and three in the morning.

With the compliance landscape rapidly changing, it’s important to stay up-to-date with current standards to gain trust and respect from your clients. If you’ve been considering getting a SOC 1 audit, but keep putting it off, what are you waiting for? Here are three reasons to stop hesitating and start your SOC 1 audit today.

1. Gain a Competitive Advantage

Completing a SOC 1 audit allows you to pursue clients that require a SOC 1 report to meet their own regulatory requirements. They simply can’t afford to work with an at-risk vendor. It also tells clients that you are serious about the controls and security at your organization. Engaging in a SOC 1 audit demonstrates that you have taken initiative by hiring a third party to conduct the audit and, in turn, formalize your audit process.

2. Mature Your Environment

By completing a SOC 1 audit, your organization will be ahead of the curve in maturing its security and business practices. Management should choose to test your employees and engage outside services to help your business processes mature. A review of your controls by an independent auditor can point out things you may have missed during your own assessment of risk. Catching these gaps can help your organization stay secure and up to date on security and compliance best practices and can protect you from a loss of business or operability.

3. Save Time and Money

By being proactive about the security of your organization, you will save your organization time and money by reducing the burden of questionnaires and site visits from your clients’ auditors. If you don’t already have a current report, you could face multiple clients’ auditors individually and continue to repeat the process, over and over. By completing a SOC 1 audit, you’ll have a verified report that meets the requirements of each of your clients.

Don’t hesitate to begin your SOC 1 audit. For more information on whether or not a SOC 1 is right for your business, contact us today or click here to learn how you can prepare for your SOC 1 audit.