How to do an IT Risk Assessment in 2023

In most financial institution circles, the term IT Risk Assessment brings about strong emotions in people. Fear. Anxiety. Doubt. For years we have been told to do risk assessments, to keep the information up-to-date, and to report the results to management. But nowhere is it made clear exactly how to do an IT risk assessment, or if that is even the same thing as an information security risk assessment. Everyone says we need to manage risk but rarely can anyone tell us how exactly to do that.

If you need to do an IT risk assessment and aren’t sure where to start, or if you have been doing one for years and want to make sure you’re covering all your bases, keep on reading.  Here's what you'll find in this blog. Click a section title below to skip ahead:

1. Risk Management Background
2. The Fundamentals of a Risk Assessment (The actual "how to" part)
3. Advanced IT Risk Assessment Techniques
4. Insider Secrets to Success
5. Download Rivial's Guide to doing IT Risk Assessments
6. Get to know Randy Lindberg

LET’S START AT THE BEGINNING

What is risk management?

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

What is its purpose?
The purpose of your risk assessment is to inform decision makers and support risk responses by identifying relevant threats, internal and external vulnerabilities, potential impact of those threats, and the likelihood that harm will occur. Understanding your cybersecurity risk puts you in the best position to make sound decisions and avoid unwelcome incidents. Your risk assessment results  serve as a roadmap that helps you strategize, implement, and mature an effective security program.

Why do banks and credit unions struggle with risk assessments? 

The first problem the finance industry struggles with is that IT risk assessments cover both in-depth cybersecurity concepts and business concepts. Risk assessments are the bridge between the technical and the non-technical, where fewer people are comfortable. Many of the people who understand the business impacts of technology risk aren’t inclined to delve into the technical details; and many people who work in the technical details aren’t inclined to investigate the business details.

Coincidentally that is where I (Randy) am most comfortable. When I read the NIST 800-30 Risk Management Guide in 2002, shortly after it was published, I was hooked. I knew the approach to cybersecurity laid out in the document was the best way to manage an information security program. Unfortunately IT risk assessment didn’t become part of the conversation until late 2005, three years after 800-30 was published. 

In addition to IT risk management being a complicated blend of technical and non-technical, NIST 800-30 doesn’t do a very good job of transitioning between general concepts and detailed action steps. So even though it is widely considered to be the gold standard in IT risk management, it is very difficult to implement.

Microsoft made an attempt at providing detailed guidance in the mid-2000’s. The problem was it consisted of 300+ spreadsheet tabs. I read  through it to make sure I understood it in full detail. But I never came close to using it, knowing I would be the only person on the planet to ever review the entire report.

For the last two decades our industry has been trying to master the complex topic of IT risk management. Most of the guidance available is either too general to help organizations make sound IT risk decisions or too detailed to be completed without an army of risk analysts.

Consequently there really is no prescriptive guidance available to help.

THE FUNDAMENTALS OF AN IT RISK ASSESSMENT

There are four steps to an IT risk assessment

1. Prepare for the Assessment
2. Conducting the Assessment
3. Communicating the Results 
4. Maintain the Assessment
   
   

How to prepare for your IT Risk Assessment

1. Identify the purpose of the assessment
• Determine the information that the assessment is intended to produce and the decisions the assessment is intended to support.
2. Identify the scope of the assessment
• Determine the organizational applicability, time frame supported, and architectural/technology considerations.
3. Identify the assumptions and constraints associated with the assessment
• Assumptions and constraints identified by your financial institution during the risk framing step and included as part of the organizational risk management strategy do not need to be repeated in each individual risk assessment.
4. Identify the sources of information to be used as inputs to the assessment
• This might include the design of and technologies used in organizational information systems, the environment in which the systems operate, connectivity to and dependency on other information systems, and dependencies on common infrastructures or shared services. 
• This information is found in system documentation, contingency plans, and risk assessment reports for other information systems, infrastructures, and services.
5. Identify the risk model and analytic approaches you’re going to use for the assessment
• Quantitative, qualitative, or semi-quantitative
• Threat-oriented, asset/impact-oriented, or vulnerability-oriented
  
  

Conducting your IT Risk Assessment

1. Identify threat sources that are relevant to your institution
• Include capability, intent, and targeting characteristics for adversarial threats and range of effects for non-adversarial threats
2. Identify threat events that could happen due to those sources
3. Identify vulnerabilities within your institution that could be exploited by threat sources through specific threat events and the predisposing conditions that could affect successful exploitation
4. Determine the likelihood that the identified threat sources would initiate specific threat events and the likelihood that the threat events would be successful
• Take into consideration the characteristics of the threat sources that could initiate the events, the vulnerabilities/predisposing conditions identified, and the institution’s susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.
5. Determine the adverse impacts to your institution’s operations and assets, individuals, and other organizations resulting from the exploitation of vulnerabilities by threat sources (through specific threat events)
6. Determine information security risks as a combination of likelihood of threat exploitation of vulnerabilities and the impact of such exploitation, including any uncertainties associated with the risk determinations
   
   

Communicate Your Results
We’ve already determined that the end result of your IT risk assessment should serve as a roadmap to make informed decisions. So make sure this assessment doesn’t just get filed away and checked off the list as done. Discuss the risk assessment results with the decision-makers in your financial institution to support risk responses and improve your overall security strategies. Let this be a real tool in your cybersecurity arsenal. 

Maintain Your IT Risk Assessment
The results of your IT risk assessment should be used to inform risk management decisions and guide risk responses. To support the ongoing review of risk management decisions (think acquisition decisions, authorization decisions for information systems and common controls, or connection decisions) your financial institution must maintain the assessment to incorporate any changes detected through risk monitoring.

Risk monitoring let’s you, on an ongoing basis: 

• Determine the effectiveness of risk responses
• Identify risk-impacting changes to organizational information systems and the environments in which those systems operate
• Verify compliance

Maintaining risk assessments includes:

• Monitoring risk factors identified in the assessment on an ongoing basis and understanding subsequent changes to those factors
• Updating the components of the assessment reflecting the monitoring activities carried out by your institution
  
  
  

ADVANCED IT RISK ASSESSMENT TECHNIQUES 

Part of our mission at Rivial Data Security is to constantly go beyond the fundamentals, innovating and discovering better ways to add value for our clients. We use several advanced techniques in our IT Risk Assessment solution that reduce the amount of effort required of our clients, streamline the process of collecting risk information, and improve the risk assessment results.

Below is a summary of the approach Rivial Data Security uses. If you want to dive into these advanced IT risk assessment techniques, check out this blog post for all the details. 

1. Identify Information Assets
2. Using an Asset-Based Approach and Identifying Information Systems
   
3. Measuring Risk in Financial Terms
   
4. Determine Your Loss Tolerance
5. Ongoing Updates
   
6. Utilize Key Performance Indicators
   
7. Improve Efficiency with Compliance Integration
   
   

WE'LL LET YOU IN ON A FEW INSIDER SECRETS TO SUCCESS 

Secret #1
Get executive buy-in first. Yes, it may be putting the cart before the horse, but not only will this make execution easier it will help your assessment have real utility in the end.

Secret #2
Select a methodology that fits your culture, or create one if you can’t find the perfect fit. It is important to find a process that is just right. As we mentioned previously in this article--if the process is too detailed it won’t be used; if the process is not detailed enough it won’t provide much value.

Secret #3
Report meaningful information regularly. Put a monthly review meeting on your calendar and be disciplined about updating the risk assessment details.

Secret #4
Refer to risk measures regularly when making decisions. It might seem foreign and awkward at first. But as you use the risk assessment for decision making you will find (and fix) gaps in the risk management process and get better over time.

DOWNLOAD RIVIAL'S IT RISK ASSESSMENT GUIDE

WHY YOU SHOULD BE USING RIVIAL’S REAL-TIME RISK ACCORDING TO NIST

“Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments, commensurate with the expressly defined purpose and scope of the assessments.”

Rival Data Security offers a unique solution that addresses NIST’s advice called Real-Time Risk. By leveraging in-house risk assessment software, Rivial proactively models the risks that your institution faces. Our unique approach to information risk assessment allows you to identify and correct key data privacy and security-related issues before they arise and helps manage your institution's security 12 months out of the year.

GET TO KNOW RANDY LINDBERG

Randy has more than 21 years of experience in the cybersecurity field, beginning as an Air Force Officer and including consulting, Fortune 50 retail, healthcare, and banking. As a thought leader and pioneer in IT Risk Management, he designed the first assessment for the State of Florida in 2003, completed a risk assessment of the largest pharmacy application in the United States in 2005, designed the original Quantivate IT Risk Management module in 2010, and created Rivial Data Security's Real-Time Risk model, the world’s first ongoing risk management solution for financial institutions. At Rivial, he partners with financial institutions to improve cybersecurity and compliance programs. He has an MBA in Technology Management and several industry certifications including CISSP, CISM, and CRISC.