“Through 2020, the majority of organizations will continue to misuse average IT security spending figures as a proxy for assessing security posture” –IT research and advisory firm, Gartner (full report available to clients)
In other words, businesses are mistakenly relying on IT security spending as their sole strategy to protect themselves against cyberthreats. This false sense of security means businesses are neglecting continual assessments and system updates.
Data breaches at large firms with deep pockets, such as Delta Air and Sears, are proof that IT security spending alone does not safeguard your business—you must also invest the time and effort needed to assess your organization’s security health.
Regular security assessments are a must for organizations large and small. They’ll help you be prepared for emerging digital threats, and they contribute to a culture of cybersecurity among your team—which is crucial, since employees are shown to be some of the weakest links in your security structure.
We’ve created an easy-to-use security assessment template to guide you in evaluating your business’ security posture. In this article, we’ll take a deep dive into the components that make up a thorough and effective IT security assessment strategy.
Test your cybersecurity readiness: Security assessment template
A security assessment is an exercise that tests your organization’s security posture by identifying potential risks, evaluating the existing controls, and suggesting new controls.
You can do regular security risk assessments internally; it should be a joint effort between your IT staff and business unit leaders.
We’ve created this security assessment template to make the process easier. It incorporates all the components of a thorough check up of your systems and will help you put a more solid security strategy in place.
Use our security assessment template to save time and effort in building a framework for your cybersecurity strategy.
To understand what goes into a security assessment, and to use the template most effectively, you need to understand the different steps involved. Over the next few sections, we’ll take you through the major steps involved in a security assessment.
4 components of a security assessment
Breaking down your security assessment into these four major steps will help to ensure the process goes smoothly and that there are no major holes in your cybersecurity strategy.
However, in some cases, you may need to work backward. If you become aware of a general risk that your industry is facing—for example, hackers breaching point-of-sale transactions to steal credit card details—you can start with that risk and then identify any threats or vulnerabilities that could contribute to it.
To complete your security assessment template, use the step-by-step approach we outline in the following sections. Create your own tables like the examples below, and then copy relevant information from the tables into the security assessment template for a comprehensive overview.
It’s a good practice to conduct a comprehensive security risk assessment every two years, at least. You can also conduct independent vulnerability or threat assessments on a more routine basis using dedicated software tools.
Threat assessment: Potential areas of disruption
A threat is anything that can contribute to the interruption, tampering, or disruption of your normal services and operations.
Threat assessment is not just a cybersecurity concept. This process is used widely by different organizations from the U.S. Secret Service to schools to corporations in order to understand events and other factors that disrupt normal operations.
Threat assessment involves the following steps:
- Identification. List any factors that may lead to an unfavorable event, such as system downtime, ransomware attacks, data loss, or business disruption. These factors can either be man-made or natural disasters. Use past experiences of your own or of your peers, as well as news reports and industry statistics, to build a comprehensive list of threats.
- Assessment. Evaluate threats and grade them in terms of their capability of carrying out an attack (ability to cause damage) and their level of motivation (degree to which the threat agent wants to inflict damage). Give a low rating to threats that have little or no capability and motivation and a high rating to those that are both highly capable and highly motivated. This grading system for threats will help you quantify the risks, which we’ll discuss in more detail later in this article.
- Management action. Develop plans to address the identified threats. If the threat stems from within the organization, such as employee frustration, try to address it with help from HR. For natural disaster threats, put controls in place to minimize the impact. Also, explore your system for vulnerabilities that the threat may target. (We cover this in more detail in the next section on vulnerability assessments.)
Here’s an example of a simple threat assessment matrix:
|Hacker from outside|
Note: The actual threats and their ratings will vary from business to business. The table is only meant to be explanatory.
Vulnerability assessment: Find your weak spots
Vulnerability assessment focuses on identifying, quantifying, and rating the weaknesses or gaps in your system.
In addition to your IT systems, you can conduct a vulnerability assessment of other business systems, including communications, water supply, or transportation.
As with threat assessments, you’ll follow these steps for your vulnerability assessment:
- Identification. Catalog your IT assets and list their potential vulnerabilities. This could be an unprotected data storage system, use of weak passwords, unprotected communication lines, or staff with inadequate security awareness training. Penetration tests, which simulate cyberattacks to identify vulnerabilities, are one way to identify gaps in your system. A less costly option is to use IT security software or a dedicated vulnerability scanning tool, which crawls your systems to check for weak spots.
- Assessment. Grade vulnerabilities according to their severity (extent of damage caused
if the vulnerability is exploited) and their exposure (other assets that will be affected when the vulnerability is exploited). Rate each vulnerability on a scale of 1 to 5 based on severity and exposure level, where 5 is the most severe with the highest level of exposure.
- Management action. Discuss actions that will help prevent vulnerabilities from being exploited. Patch management tools can help you quickly plug some holes. For long-term solutions, review and update your security strategies and policies.
Here is a tool that can help you record your findings from a vulnerability assessment:
|Incomplete SQL codes left by a freelance web designer leading to SQL injection attacks|
|Default operating system configuration allows all programs to run automatically|
|Missing patch permits unauthenticated command prompt|
Note: The ratings are primarily for illustrative purposes and may vary based on the nature of your business and your IT environment.
Risk assessment: Likelihood of a breach
Risk assessments measure the probability of a security breach occurring and the magnitude of the risk. Risk is the potential for the loss, damage, or destruction of an asset any time a threat successfully exploits a vulnerability.
For example, there is a risk that a phishing email (the threat) could dupe an untrained employee (the vulnerability) into giving away financial details. The occurrence of this risk can be classified qualitatively (high, medium, low) or quantitatively on a scale, such as 1 to 5.
Here are the broad steps for risk assessment:
- Identification. This stage identifies how the threats you’ve identified in the first step will exploit your system vulnerabilities, which you identified in the second step. You’ll also need to look at which assets are at risk, as well as who could be affected.
- Assessment. Assess how probable the occurrence of the risk event is and the potential loss as a result of it. The likelihood of a risk depends on the strength of the threat and the extent of the vulnerability. For example, there is a higher risk of a hacker spying on your system when you’re on unsecured public Wi-Fi than of a natural calamity destroying your database systems.
- Management action. Identify tools and processes that will mitigate your risks. You must also evaluate how efficient your existing systems are in the face of these risks. Patch vulnerabilities to bring risk levels to the lowest likelihood.
Here is a simple table to help you record your risks:
|Likelihood of occurrence||Existing controls||Proposed mitigation measures|
|Virus attack leading to system crash caused by an employee visiting a malicious website||Anti-virus installed on all office desktops||● Strengthen internet usage policy. Use DNS blocking to blacklist access to certain websites.
● Implement sandboxing technologies to curtail a virus attack.
|Loss of customer data due to a hacker breaking into the system by cracking admin passwords||Access controls on customer information||● Use encryption tools to hide data.
● Implement two-factor authentication along with access controls.
|Leakage of intellectual property (IP) information to a competitor||● Access controls on IP information
● Legal protection exists on all significant IPs
|Implement data loss protection (DLP) mechanisms to detect exfiltration of data.|
Note: The table data is primarily for illustrative purposes and may vary based on your business needs.
Impact assessment: Effects of a security incident
Impact assessments identify the ways and the extent to which your business will be affected by a security breach.
According to Common Vulnerability Scoring System, an open framework for recording the severity of software vulnerabilities, impact is measured using the following three metrics:
- Confidentiality. The effect a security breach has on the privacy of the data stored in the system.
- Integrity. A measure of how the authenticity of the data has changed after a breach.
- Availability. This metric calculates the loss of availability of the IT system affected by the cyberattack.
System downtime, loss of work hours, and data loss due to a security breach impacts your day-to-day operations. A cyberattack can also cause customer churn and invite action from regulatory bodies.
The full impact is not usually not limited to one area, but affects many facets of your business: brand equity, employee morale, financial strength, business partnerships, and more.
The below table helps to broadly qualify the impact of a risk on four major parameters.
|Business impact||Customer impact||Financial impact||Regulatory impact|
|Virus attack leading to system crash caused by an employee visiting a malicious website|
|Loss of customer data due to a hacker breaking into the system by cracking admin passwords|
|Leakage of intellectual property (IP) information to a competitor|
Note: The values in the table are primarily for illustrative purposes and may vary based on the nature of your business.
Now that you’ve determined your biggest threats, areas of vulnerability, the risks you’re facing, and the impact of those risks on your business, you have all the data you need to complete an internal security assessment.
Use the security assessment template to record your findings, provide your team a comprehensive view of the business’ security posture, and put in place new controls to safeguard your systems and data.
If you find it challenging to identify vulnerabilities or risks due to lack of resources and/or expertise within your organization, you can seek assistance from third-party vendors that specialize in security assessments. Thirty-seven percent of firms report employing a managed security services provider (MSSP) to help monitor cyberthreats.
Third-party security assessment service providers have experienced and certified staff who can conduct a thorough assessment of your security posture and advise you on controls. Many of these service providers also help you implement the suggested safeguard measures.
To learn more about security assessments or other topics related to IT security, check out our other posts on GetApp’s Security Lab: