The Top 3 Issues With Your Risk Assessment: Auditor Insight Webinar Recap

The power of a risk assessment isn’t just identifying risks: it’s creating a culture of security.

The risk assessment process is often viewed as a necessary evil for compliance and is commonly seen as inconvenient and unimportant. However, after over 20 years in the information security space, Shannon Lane views risk assessment as the most powerful tool in directing an organization, budget maintenance, and project management.

In his presentation, Shannon shared where most companies go wrong with their risk assessments and how they can better leverage the opportunity to build their company’s consensus and morale around the subject of cybersecurity compliance.

In this blog, we have highlighted what you need to know to conduct an effective risk assessment, including the top three reasons risk assessments fail, so you can make sure your organization is making the most out of your risk assessment process. You can find the slides to the webinar presentation below:

Do as the Romans Do

An ancient metaphor helps us understand the role risk assessment plays in your business.

Rome was a nation of organization and innovation, and change was an integral part of their culture.  It was seen as so significant that the idea that things never stay the same was even given a god, Janus, the god of beginnings.  He has two faces; one is looking forward to the decisions being made and the other is looking back over the decisions of the past.

Like Janus, businesses are divided into two prongs: Visionaries and Guardians.  Visionaries are CEOs, CTOs, CIOs, and are supported by sales and marketing.  Their goal is to move the company forward and figure out what is next. 

Guardians are CFOs, CISOs, COOs, and are supported by HR, IT, finance, and operations. They protect the march.  They ensure the company is well equipped to meet its goals and that everything is working as intended.

The risk assessment process is designed to bring these two groups together so they understand and support each other.

A really good risk assessment will do the following:

  • Establish a common language to discuss and compare threats to an organization
  • Assist in setting objectives, milestones, and tasks
  • Lead to a deep understanding of the company operating environment
  • Help establish the “Why” of things
  • Show how departments, working groups, and teams are interrelated, and how their activities affect the organization
  • Define the road being travelled, while including the vision of where that road leads.

Preparation is the key element of a risk assessment.

“Expect everything, I always say, and the unexpected never happens.”

Norton Juster, The Phantom Tollbooth

Risk brings all of the voices of your organization together. It helps you to figure out what to expect, how often to expect it, and whether that is good or bad for your organization.

Just like a Roman campaign, we wouldn’t embark on a journey without planning.  We need direction, equipment, planning, and contingency planning.  Risk assessment is the key business activity used to ensure we are ready for the journey, we understand the trail, and we’re ready to face the journey ahead.

Every framework agrees risk assessment is key.

Risk assessment is so fundamental to the information security and governance process that every major framework requires a risk assessment.

Despite risk assessments being a critical part of an audit, not having a risk assessment (or a quality one) is normally one of the biggest findings for a new audit client.

Three Reasons Risk Assessments Fail

  1. Sword points
    • Sword points are the required compliance activities that lead to grudging and resentful attitudes toward compliance.
    • Completing risk activities just because they are “necessary” leads to careless action.
    • Considered activity leads to real understanding.
  2. Doing things halfway
    • Risk must be approached holistically; it is so much more than technology. Every role and department faces threats that are a risk to your business. What are you doing about that?
    • If you only do half a risk assessment, you aren’t actually preparing yourself for the future.
  3. Lack of a lexicon
    • Does your organization understand the vocabulary used in your risk assessment? Does everyone understand the labels of risk (i.e., does everyone understand what high impact means)?
    • Think of the color green.  Green can be several things: olive green, grass, lime, the sea.  Without a common definition, we will all interpret things differently and that is a risk in and of itself.

So, how do we take these faults and actually perform an effective risk assessment? There are four steps:

Step 1: Commitment
Everyone in management must be committed, and all departments must be involved. Expressing your commitment to understanding and managing risk speaks volumes to your company’s security culture and establishes the importance of the process.

Step 2: Cohesiveness
Use a risk framework and establish your risk vocabulary. This will align your team and create a unified experience. It teaches the whole organization what risks are important and why.

Step 3: Cyclical Engagement
This is a living document. Update it throughout the year as risks are identified. Review it every year. Use it to track progress. Use it to justify budgets.

Step 4: Check In & Celebrate
Check in throughout the year and celebrate successes. Call out milestones that are hit. This sets up a culture that calls out risk and prioritizes security. This is where a security culture begins.

Establishing and prioritizing your risk assessment does far more than produce a list of risks. It drives inclusivity so everyone understands what each department is doing and why it matters. It drives budgets by showing what is needed and giving easy justification for spending.

But most importantly, it creates a security culture that teaches your organization to value and prioritize risk.

Improve Your Risk Assessment Process with KirkpatrickPrice

Are you unsure if your risk management procedures are effective enough to protect your organization?

Connect with one of our risk assessment experts today so we can help you mitigate risk within your organization.  KirkpatrickPrice offers free risk assessment reviews and will connect you to an expert who cares about your security and compliance goals.

To continue learning about risk assessments, watch the entire webinar where Shannon goes deeper into the qualities your risk assessment needs to be effective by answering the questions submitted in the Q & A portion of the webinar. Shannon answered questions like:

  • How do I get my C-Suite on board with this process?
  • Who should control this exercise?
  • Who needs to be included in my risk assessment process?
  • Where should I start if my organization has never done a risk assessment?
  • And more!

Assess your risk and become unstoppable.

About The Webinar Host: Shannon Lane

Shannon Lane has over 20 years of experience in information services, including healthcare IT, e-commerce data extrapolation, network administration, database administration, and external audit work. He now serves on the frontlines of cybersecurity audit as a Lead Practitioner at KirkpatrickPrice. He holds the CISSP, CISA, QSA, and CCSFP certifications.

Common Criteria 3.1

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.

The Importance of a Risk Assessment

Conducting a risk assessment is a proactive way that organizations can identify and assess organizational risk. However, another key element of a risk assessment is using the findings to prioritize the risks to the organization’s business continuity, reputation, financial health, and more. How can an organization’s management utilize their risk assessment? They can do so in a few ways, including:

  1. Managing day-to-day activities: Having a prioritized list of risks to an organization allows an entity’s management to have a better understanding of which risk needs more attention and how they can execute a plan of action to mitigate those risks during their day-to-day activities.
  2. Budgeting: When leadership understands where the organization’s risks lie, they will have more insight into how they need to budget and allocate funds to alleviate risks.
  3. Mitigating: Once management understands which risks are more important and they have allocated the necessary funds, they can begin mitigating the risks identified during the risk assessment.
  4. Monitoring: By conducting risk assessments on a regular basis, entities will be able to use their findings, compare them to past assessments, and monitor their progress.

Without conducting risk assessments on a regular basis, organizations will be unable to risk-rank threats to their organization, mitigate those risks efficiently, and ensure that their business objectives are met. For SOC 2 compliance, it’s absolutely necessary for organizations to perform risk assessments and demonstrate that they use their findings in a way that helps them meet their objectives.

Video Transcription

While having a risk assessment is an important requirement for your SOC 2 compliance efforts, I also want to point out how important it is to utilize it on a day-to-day basis within your organization. The assessment of risk is something that you can use to manage your activities on an ongoing basis. For example, if you don’t know what your level of risk is on any particular day, you may not know what priority to place on certain activities. For example, in your budget, using your risk assessment is a way to allocate dollars to the areas that bring the best bang for the buck to make sure that you’re spending dollars in areas where you have the highest risks. Just make sure that you leverage your risk assessment and use it in the way that it is intended.



Common Criteria 3.1

When a service organization undergoes a SOC 2 audit, auditors will be looking to validate that they comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.1 (CC3.1) states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.” Why is common criteria 3.1 so critical for SOC 2 compliance? Let’s discuss.

Conducting a Risk Assessment

During a SOC 2 audit, your auditor will want you to conduct a risk assessment, especially if you haven’t done one in the last year. Conducting a risk assessment is especially critical to SOC 2 compliance because it allows an organization to determine the controls that will be evaluated during the SOC 2 audit. It also allows organizations to identify the different types of risks that they might face.

Types of Risks

Understanding the types of risks that your organization faces is critical in maintaining a strong security posture, avoiding fines and penalties, and safeguarding an organization’s reputation. It’s imperative that an organization’s leadership recognizes that there are risks that go beyond the threats to your information security systems. An organization must consider financial risks, market risks, operational risks, and risks associated with non-compliance with laws and regulations. During the SOC 2 audit process, the auditor will want to see that an organization has been thorough enough when performing their risk assessment. Have they considered various types of risks? Are the controls that are in place able to mitigate different types of risks? If an organization fails to recognize the different types of risk that the organization faces, the organization would be unable to achieve their business objectives.

Video Transcription

The risk assessment requirement in common criteria 3.1 (CC3.1) is a very important element of the SOC 2 Trust Services Criteria. Whenever we bring up doing a risk assessment to people who maybe haven’t done one recently and they ask, “Do we really have to do this?” We say they do. We want you to do a risk assessment if you haven’t done one in the last year at least. A risk assessment is so critical to being SOC 2 compliant, because that’s really the basis on which you select the controls that are going to be audited in the engagement. We’re going to ask you: what are you trying to deal with by putting these controls in place? Have you been broad enough in the risks you’ve considered? Risk is not only IT; risk is not just information security. There are financial risks, market risks, operational risks, and risks that come from the non-compliance with laws and regulations. You really have to be very broad in your thinking and look for the risks that would cause your organization to not achieve the objectives that you have set out to achieve.



Using a Risk Assessment to Report Consumer Risk

Because there are so many different laws that regulate how and when an organization must give notice if it has had a data security breach, understanding what the correct plan of action is for your organization or determining how to report consumer risk from breaches might be daunting. Nevertheless, the laws do have one major commonality: does the consumer suffer a significant risk of harm? Consider a Social Security number; if someone’s SSN was compromised, they’re at risk for true-name and account-takeover identity theft. This would be a significant risk of harm to that consumer. Or, for instance, let’s examine a patient whose medical records were compromised. What is the probability that the patient would suffer some kind of embarrassment or identity theft? The level of risk of harm may change based on the type of medical records, like a compromise of an HIV status versus dental records.

If an organization believes that a data security breach has occurred, they should try to remediate the problem at hand as soon as possible and report consumer risk. Conducting a risk assessment is a useful methodology used to identify, assess, and prioritize organizational risk and thus allows organizations to implement a plan of action quickly and efficiently. Risk assessments can be used for a variety of reasons such as locating gaps in security, understanding risks, evaluating how breaches occur, and remediating gaps and/or breaches.

Risk assessments also allow organizations to determine what the level of risk is relative to the final consumer – is it a significant or low risk? It’s also important to keep in mind the subjective nature of risk. We often use the example of a worn tire to better understand. When we just consider the tire, we can conclude that it is worn-out and in bad shape, and there is significant risk. However, when you picture the tire connected to a tire swing rather than on your car, the subjective nature changes and the tire is no longer a significant risk. This combination of factors is important to consider when you see an asset and then analyze how it is used. What if the rope holding the tire swing was frayed? Would that alter your opinion of the nature of risk? What if we implement a control here and position a group of people holding a rescue trampoline under the person on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk once again?

When conducting a risk assessment, an organization needs to evaluate a wide range of factors with varying degrees of influence on the level of risk. You need all types of information about the data you’re trying to protect. Who has access to the data? What type of information was breached? How does it impact the consumer?

To learn more about how to use a risk assessment to report consumer risk, follow @BenjaminWright on Twitter. For more information about planning, conducting, and using a risk assessment, contact us today!

The many different laws that require an organization to give notice if it’s had a data security breach are complex – they don’t all say the same thing. A common topic in these laws is whether the ultimate consumer suffers some significant risk of harm. So, the consumer would be the holder of a credit card or the person whose Social Security number had been compromised. If an organization sees that it may have an incident that might be a security breach, oftentimes the organization is wise to conduct a risk assessment.

A risk assessment evaluates exactly what happened and what the risk of harm is – whether it’s a significant risk or a low risk – relative to the final consumer. Significant risk of harm is a subjective idea and, therefore, if the organization is conducting a risk assessment, it has to evaluate a wide range of factors that might be rather subjective. For example, what’s the possibility that the patient would actually suffer some kind of embarrassment or suffer some kind of identity theft if her medical record was compromised?

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.

The end of the year is rapidly approaching, and so is the deadline for those completing a Q4 audit! It’s not hard to imagine what Santa and his Elves feel like as they rush around to get everything in order and ready for their big day.

Just as the Elves help Santa to ensure everything gets done in time, our auditors are committed to helping you make sure you have everything in place working effectively to successfully complete your audit on schedule. Here are 6 tips on how to pass an audit in time for year-end.

How to Pass an Audit in Q4

To better prepare for your upcoming audit, here are six tips that companies across all industries can find helpful:

1. Perform a Risk Assessment

Risk Assessment. Risk Assessment. Risk Assessment.

It always starts with a Risk Assessment. What better way to identify your assets and prioritize your unique risks than by performing a regular risk assessment? Not sure if you have all of the necessary controls in place to properly protect your assets and mitigate risks? Don’t worry – your annual risk assessment will help you with that. Not only is a risk assessment mandated by most audit frameworks, but it’s also a critical component of any information security program.

2. Documentation Inventory

Are you maintaining audit logs? Do you have proof of employee acknowledgement of policies and procedures? Are you keeping all necessary records for your auditor to review?

Waiting until the last minute to pull all of your documentation together can make preparing to pass an audit seem much more tedious and stressful than is actually necessary. Veterans of the audit process will highly encourage companies to continuously collect and maintain necessary documentation in order to be prepared year-round for an audit.

3. Policy and Procedure Review

Reviewing your policies and procedures on an annual basis is a good way to ensure that there are not any gaps in your controls and processes. It is also the perfect opportunity to be certain that everything you say you’re doing as an organization is formally documented and communicated to all relevant personnel.

When it comes to compliance, we’ve all heard the adage, “If it’s not written down, it isn’t happening.” This is good advice when it comes to preparing for an audit, because your auditor won’t be interested in hearing about your processes, but rather will need to see them documented on paper and see evidence that they are a living and breathing document that continuously changes and matures with your organization’s environment.

4. Employee Training

A strong defense is the best defense. Regularly training your employees on security awareness and the importance of security and compliance can help put your mind at ease when it comes to knowing they are taking the right steps and precautions to protect organizational assets. A culture of security awareness and compliance must start from the upper-management level and trickle down to the employee level in order to make the best impact. Security training programs should educate employees on policies and procedures as well as basic security awareness.

5. Vendor Compliance Management

Are you properly managing your vendors to verify that they are complying with information security and compliance requirements and best practices? Vendors pose a risk to every organization, so it’s imperative that you’re doing your due diligence to mitigate those risks. Do you have all of your documentation of proper vetting prepared and ready for your auditor to review? What is your onboarding process? Off-boarding? Do you have vendors sign a non-disclosure? Learn more vendor management best practices with our vendor compliance assessment.

These are the pieces you’ll want to have together in order to successfully pass your audit in Q4.

6. Work with your Auditor

When it comes to completing an information security or compliance audit, your auditor is your greatest resource and is not to be feared. Work with your auditor to show them you’re committed to the audit and remediation process and improving your environment. If they show you that a control you have in place is insufficient, work with them to make the appropriate changes for follow-up, and most importantly, be honest. A good auditor won’t work with you to simply check a box, they will work with you to ensure that your organization is secure and compliant.

So as you wrap up your Q4 audit this year, remember to not overcomplicate it. Gain audit participation from your entire organization by expressing the importance that security plays in your business operations. Working together with your organization and your auditor can help you achieve greater levels of security and compliance at your organization.