Defensible Tech Team, November 23

Getting to Know Defensible's Risk Assessment Methodology


Determining your information security risk tolerance level is critical. Data breaches are expensive in terms of financial cost, time, and reputational damage. To put yourself in the best position to prevent data breaches, you need to know how well your current program is actually securing your business. You also need to know how the gaps in your program correlate with breaches in order to prioritize improvements. In short, risk assessment is integral to your security program.

Defensible offers services to help you Assess, Remediate, and Manage your risk — to ARM your organization with what it needs to secure sensitive data. Our risk assessment methodology is focused on helping you assess your current cybersecurity plan and improve your overall security posture. 

What Is Defensible’s Risk Assessment Methodology?

Defensible’s risk assessment methodology gives your business a practical view of risk from multiple important perspectives. That includes an external risk perspective: what an attacker can see, what weaknesses they can find, and what data they can target. It also includes an internal risk perspective: how information security policies, operations, and controls are tailored to prevent, detect, and respond to attacks.

To determine your risk tolerance, Defensible’s analysts compare their findings about your business to the common patterns in technology, policies, and governance that lead to real data breaches. Defensible’s risk assessment methodology gives you a comprehensive view of your current level of data breach risk. We also show you how well your business is equipped to prevent and respond to a data breach.

Direct Root Cause Analysis

From the technical side, a risk assessment requires identifying issues in the environment that are correlated with a higher risk of being breached. Though every data breach is different, there are common technical root causes that industry practice and key publications such as the Verizon DBIR identify in many data breaches. The most common technical root causes of a data breach include:

  1. Unencrypted Data
  2. Phishing
  3. Malware and Ransomware
  4. Third Party Compromise
  5. Software Vulnerabilities
  6. Inadvertent Mistakes
  7. Credential Theft

Our team evaluates these from an attacker’s point of view, using publicly available information, open-source intelligence (OSINT), vulnerability scanning, and security ratings to identify the presence of common technical root causes. A risk assessment is not a penetration test, and these issues are not actively exploited during a risk assessment. However, they do build a picture of how an outside attacker can compromise the network and cause issues such as ransomware infection, data breach, financial theft, or loss of customer or client trust. 

Policy and Governance Review

Just as on the technology side, there are policy and governance problems that businesses that suffer data breaches tend to have in common. In a risk assessment, it is crucial to identify these shortcomings in order to make impactful decisions for improving your security program. The most common policy and governance issues that are correlated with data breaches include:

  1. Lack of prioritization of security initiatives
  2. Under-investment in security goals
  3. Poorly defined policies and standards

In order to gather this information, we collect and review written information including policies, standards, guidelines, procedures, and technical documentation. Documentation is only part of the picture, however. We also develop context through interviews.

Technical and Functional Interviews

Security is not only about technology and processes, but also about people. The technologies in place and the processes that are supposed to be followed paint only part of the picture of your risk. A reliable picture of your security posture must also consider how people are actually executing the security program. Defensible gathers this information and context through both technical and functional interviews.

Technical interviews are designed to build context around the IT environment and the technical tools that are in place. We talk to the IT teams about the IT and security technologies that are deployed, the processes and systems for supporting them, the security measures in place, the sharing of information, relationships with vendors, and how they conceive of the likely consequences of data loss or breach. These conversations help us understand how your technical solutions contribute to your level of risk.

We also know that risk extends far beyond technology. Our risk analysis methodology also includes functional interviews designed to build context around how information is managed and how data is handled. It includes discussion of information management processes and policies, the impact of information loss, compliance and regulatory concerns, risk tolerance in the company, and security concerns. This helps us assess your risk in the context of your priorities.

CIS Controls Gap Analysis

An important part of a risk analysis is identifying what security controls are in place. We base our controls gap analysis on the CIS Controls. The CIS Controls are quick, cost-effective, and well regarded as a foundation for a controls gap analysis. The 18 CIS Controls are organized into three groups that build on each other:

  1. Basic Security Hygiene and Implementation
  2. Foundational Security Controls and Implementation
  3. Advanced Security Controls

Controls in the environment are scored on a five-point scale: not implemented, slightly implemented, partially implemented, mostly implemented, and completely implemented. These ratings can help your business identify the gaps in your security controls. They also help you start planning for better security.

Learn More About Your Risk

After performing these steps of a risk analysis, we have the information necessary to produce analysis and recommendations. These include an assessment of the risks identified in the environment, along with strategic and tactical cybersecurity recommendations targeted at remediating the identified risks and gaps in an impactful way. The result of our comprehensive risk assessment methodology is a detailed, informed, and actionable picture that helps you manage your company’s real risk.

Talk to us to learn more about how you can ARM your organization with Defensible.