Cybersecurity Risk Assessment

Episode #46

Risk assessment is not aimless scanning of your network, so what should you expect from your team? First and foremost, adopt a risk assessment framework; it is a helpful guide for determining what is assessed, who needs to be involved, and how the risk criteria are developed.

Some of the frameworks you should consider are:
OCTAVE from Carnegie Mellon University
NIST 800-30 Guide for Conducting Risk Assessments
ISO 27005:2011 or the latest version

Identifying vulnerabilities in your organization is a fundamental first step of this process. It aligns with the NIST CSF subcategory ID.RA-1 “Asset vulnerabilities are identified and documented.” Also, ensure that the staff managing, operating, and overseeing the vulnerability management program are qualified and trained in all the automated tools and methodologies used to identify vulnerabilities.

The next step will be for your team to identify the threats to your organization, both internal and external. This activity aligns with NIST CSF ID.RA-3 “Threats, both internal and external, are identified and documented.” Your team won’t be able to protect the organization against every threat, so identifying the most critical threats against your organization is crucial for your cybersecurity strategy.

Remember, you may find vulnerabilities without an active or published exploit; therefore, it is up to you and your team to prioritize accordingly, which takes us to NIST CSF ID.RA-5 “Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.” Now that you know the vulnerabilities and threats you face and their likelihood, focus on the vulnerabilities that pose the highest risk to your critical cyber assets.
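The prioritization step described above (vulnerabilities plus threats, likelihood and impact yielding a risk rating, with critical assets first) is easy to make concrete in a small risk register. The following is an added example written for this page, not code from the episode or its author: the likelihood rule, the qualitative likelihood-by-impact matrix (which follows the shape of NIST SP 800-30 Appendix I but is filled in here as an assumption, not copied from the standard) and the four sample findings are all constructed for illustration.

```python
"""Prioritize a constructed vulnerability register by qualitative risk.

Each finding carries the facts the text says drive risk: whether a public
exploit exists, whether the asset is exposed, whether a threat actor is
actively targeting it, the impact if it is exploited, and whether the asset
is critical. Likelihood and impact are combined with a qualitative matrix
in the style of NIST SP 800-30; the exact cell values below are an
assumption for this example, not the standard's table.
"""
from dataclasses import dataclass

# Qualitative scale used for likelihood, impact and overall risk (index 0..4).
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# RISK_MATRIX[likelihood_index][impact_index] -> risk level (constructed).
RISK_MATRIX = [
    ["very low", "very low", "very low", "low",      "low"],        # likelihood very low
    ["very low", "low",      "low",      "low",      "moderate"],   # likelihood low
    ["very low", "low",      "moderate", "moderate", "high"],       # likelihood moderate
    ["very low", "low",      "moderate", "high",     "very high"],  # likelihood high
    ["very low", "low",      "moderate", "high",     "very high"],  # likelihood very high
]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    asset_critical: bool      # is this one of the critical cyber assets?
    exploit_published: bool   # is a public exploit available for the weakness?
    exposed: bool             # is the vulnerable service reachable from outside?
    threat_active: bool       # is a known threat actively targeting this weakness?
    impact: str               # one of LEVELS


def likelihood_index(f: Finding) -> int:
    """Derive a 0..4 likelihood index from the threat and exposure facts.

    A documented weakness starts at "low"; each aggravating factor (published
    exploit, external exposure, active threat) raises it one level. The rule
    itself is a constructed assumption for the example.
    """
    score = 1
    score += f.exploit_published
    score += f.exposed
    score += f.threat_active
    return min(score, len(LEVELS) - 1)


def risk_level(f: Finding) -> str:
    """Look up the qualitative risk for a finding in the matrix."""
    return RISK_MATRIX[likelihood_index(f)][LEVELS.index(f.impact)]


def prioritize(findings):
    """Highest risk first; on ties, critical assets first, then higher likelihood."""
    return sorted(
        findings,
        key=lambda f: (LEVELS.index(risk_level(f)), f.asset_critical, likelihood_index(f)),
        reverse=True,
    )


# Constructed sample register (hypothetical assets and findings).
SAMPLE_FINDINGS = [
    Finding("F-1", "public web server", True, True, True, True, "high"),
    Finding("F-2", "internal file server", True, False, False, False, "very high"),
    Finding("F-3", "developer laptop", False, True, False, False, "low"),
    Finding("F-4", "VPN appliance", True, True, True, False, "very high"),
]


def prioritized_ids(findings=SAMPLE_FINDINGS):
    """Return (finding_id, risk level) pairs in the order the team should work them."""
    return [(f.finding_id, risk_level(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for fid, level in prioritized_ids():
        print(f"{fid}: {level}")
```

Note that F-2, which has no published exploit at all, still lands above F-3 because its impact on a critical asset is very high; that is exactly the point of not letting exploit availability alone drive the order. Swap in your own register, scale and matrix, but keep the matrix and likelihood rule written down, since they are the risk criteria the framework asks you to define up front.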

Dr. Bill Souza
CEO | Founder