Risk
10/31/2013
04:42 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Once-A-Year Risk Assessments Aren't Enough

Why experts believe most organizations aren't assessing IT risks often enough

While it may be important that security organizations employ effective methods to walking through an IT risk assessment, the frequency with which they go through that process is almost as important as the means of carrying them out. Unfortunately, even when security organizations cover all of their bases in an IT risk assessment, if they don't assess often enough they could still be keeping themselves open to a great deal of risk.

Even though many compliance mandates such as HIPAA require risk assessments only be performed annually, that's not nearly often enough for most organizations, says Gary Alterson, director of risk and advisory services for Neohapsis.

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

"Given the rapidly changing threat environment and how fast IT moves, I recommend that risk assessments be refreshed and reviewed at least quarterly, if not monthly," Alterson says.

But the reality is that most organizations today have a hard enough time keeping up with their annual risk assessments, says Jim Mapes, chief security officer at BestIT, which is why he says that organizations have to rethink the way they approach the process.

"A better approach is to make risk assessments more of a life cycle and process within the organization," he says. "Perform assessments continuously throughout the year, collecting data on new vulnerabilities, remediation of older vulnerabilities, and identification of problem areas where vulnerability could not be remediated and recording the business decision to mitigate the risk and impact to some other acceptable level."

Crucial to that evolution to a life cycle mentality is building time and resources into the IT life cycle for internal auditors, says Alterson's colleague, Nathaniel Couper-Noles, principle security consultant for NeoHapsis. According to Couper-Noles, one of the most common refrains he has heard from auditees is they're too busy for an internal audit.

"Paradoxically, a lack of reserve capacity actually justifies audit attention as this is often the case when schedules are too aggressive, when projects are in the lurch, controls may be relaxed, and uncorrected small issues lead to bigger ones," he says. "Audit early and audit often, and condition IT teams to design processes and systems so that they can be audited comprehensively, painlessly and effectively."

Part of that design should include day-to-day tracking of operational risk factors that affect the business' security posture. This is especially key for keeping track of changes in the IT environment or the threat environment that happen between assessments. While it may seem a tall task, organizations can at least get started on a more continuous assessment process by prioritizing.

"Don't try to conquer the world all at once! Focus on what matters most by identifying the proprietary, financial, and customer data that we tend to be most risk-adverse about when it comes to its protection," says Luke Klink, security consultant for Rook Consulting.

Finally, most critical is that organizations shouldn't just be assessing risks but also working on mitigating them throughout the life cycle. Leaving the same critical risks to be identified in assessment after assessment is the security equivalent to wheel-spinning and something that Eric Cabetas, managing partner of Include Security, says says organizations do all of the time.

"I've seen a company have an AppSec SDLC assessment conducted yearly, and they pay $200,000 for it just to ignore the recommendations of the consulting company year after year," he says. "The consulting company happily takes their pay and leaves until next year, not providing any value at all to the assessed company. They should have instead done an analysis of why originally identified risks are not being addressed within the client company."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Apprentice
11/1/2013 | 3:51:26 PM
re: Once-A-Year Risk Assessments Aren't Enough
I wholeheartedly agree that the threat landscape right now is changing at too fast of a pace for any organization to wait a fully year in between risk assessments.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.