IT Risk Assessment

Uncovering Six Common Issues That Could Impact Your IT Risk Assessment

By Glen Wells, ERMProtect, Sr. Information Security Consultant

In the ever-evolving landscape of information technology (IT), organizations are constantly facing the challenge of mitigating risks to ensure the security and integrity of their systems and data. One important method of identifying and mitigating vulnerabilities is by performing an IT Risk Assessment, an evaluation of critical components and applications to identify potential threats, the probability of them occurring, and the impact they would have on your organization.

I’ve conducted numerous third-party IT Risk Assessments across diverse industries and observed six common issues that trip organizations up. Addressing these issues before an assessment can significantly enhance your organization’s overall risk rating. The common deficiencies are:

  • Outdated Policies and Procedures
  • Inadequate System Access Controls
  • Insufficient Business Continuity and Disaster Recover Preparedness
  • Weak Logging and Monitoring Protocols
  • Lack of System Baseline Standards and Hardening Procedures
  • Insufficient Time Allocated for Personnel Engagement

I will describe each of these deficiencies more in depth as well as provide strategies to avoid them during your own IT risk assessment.

Outdated Policies and Procedure

One risk often overlooked in an IT risk assessment is a thorough review of all policies and procedures related to the processing, transmission, and retention of critical data. A common adverse finding during an IT risk assessment is missing or out-of-date policies and procedures.

An organization depends on a variety of policies and procedures, ranging from Information Security and Business Continuity to HR policies for employee onboarding and offboarding. These guidelines are essential for providing direction and ensuring the smooth execution of day-to-day activities.

Many organizations “update” their policies annually, but this process rarely includes more than a cursory review of the policies without attention to the small details that have changed over the course of the previous year. Year after year, these small details add up and diminish the effectiveness of the policy itself.

The threat landscape is always changing which is why it is very important for organizations to stay ahead of them with up-to-date security policies. By failing to establish, review and update the policies and procedures of an organization, you may find yourself relying on outdated information that may not adequately address the current risk environment. This can lead to vulnerabilities not being properly identified or mitigated resulting in compromised security.

This issue can be addressed by establishing an annual review process that provides a thorough review of all policies and procedures to ensure that they are updated with the current industry best practices for your threat environment. Regular training sessions for employees can help to inform them of updated information and reinforce the importance of following the established procedures.

Inadequate System Access Controls

The protection of data and critical applications is only as strong as the management of the user permissions assigned to those applications. During an IT Risk Assessment, it is often observed that users are frequently granted permissions in critical applications which provide them with more access and rights than they require to perform their daily tasks.

Access to each application should be determined by the employee’s need to access the application and assigned using the fundamental principle of least privilege. By providing unnecessary elevated privileges and access to critical applications, an organization increases the risk of unauthorized access, security breaches, and potential exploitation of sensitive information or system.

One way to mitigate the risk of unauthorized access or excessive permissions is to implement Role-Based Access Control (RBAC). Implementing RBAC will ensure that access permissions and privileges are associated with an employee’s role and granted based on their responsibility in the organization. Additionally, logical access reviews should be completed at least annually and more frequently (semi-annually or quarterly) for critical applications.

Insufficient Business Continuity and Disaster Recover Preparedness

Critical applications, system components, and functions are the lifeblood of many organizations, and their proper functioning is integral to business continuity. Oftentimes in an IT risk assessment an organization will fail to correctly identify and include these critical pieces in the Business Continuity and Disaster Recovery plans or will fail to test the plan itself to ensure it works seamlessly. The failure to identify and include all critical applications and functions in these essential plans can cause excessive downtime and data loss due to the organization having to bring these systems back up on the fly.

To mitigate this risk, organizations should conduct a comprehensive Business Impact Analysis (BIA) to identify critical functions and applications to properly prioritize their recovery. Once the BIA has been completed and the Business Continuity and Disaster Recovery Plan has been approved, the plan should be tested at least annually to verify its effectiveness, identify weaknesses, and continuously improve resilience.

Weak Logging and Monitoring Procedures

The key to identifying and mitigating potential risks in an IT environment is visibility into that environment. The primary method of achieving the required visibility is through security log monitoring and review. Often, insufficient log collection or review contributes to an increased risk environment. In addition to the collection of critical security logs (Access and Authentication, Firewall, IDS/IPS and more), real time monitoring of the logs should be in place, or the organization may fail to detect malicious activities or unauthorized access in a timely manner.

To address this issue, a robust logging and monitoring system should be implemented to capture relevant data such as user activities, system events, and network traffic. Regularly analyzing these logs, in conjunction with automated alerts for suspicious behavior, will help organizations to proactively identify and respond to potential threats. Additionally, investing in a security information and event management (SIEM) tool can further enhance the ability of an organization to detect and mitigate risks in an effective manner.

Lack of System Baseline Standards and Hardening Procedures

The use and maintenance of system baseline standards and hardening procedures in mitigating known vulnerabilities cannot be overstated. Without such standards and procedures, an organization may leave their systems exposed to exploits that could have otherwise been prevented. Weaknesses in system configurations are well known among malicious actors and will be leveraged whenever possible. Without uniform guidelines for system hardening, devices may not be configured in a manner that protects them from the most well-known vulnerabilities. Additionally, the inconsistencies from configuration to configuration will result in a fragmented security landscape making it even more difficult to effectively assess and manage risk.

System Baseline Standards and Hardening procedures should be well documented and updated as needed as new vulnerabilities are identified in the systems deployed in an organization. The development and use of up-to-date system baseline standards and hardening procedures for each component within an organization’s environment will mitigate risks assessed during an IT risk assessment.

Insufficient Time Allocated for Personnel Engagement

When engaging with a third-party to conduct an IT risk assessment, one of the single most underestimated aspect is the amount of time and effort required for an organization’s IT personnel to gather and provide evidence as well as be available for interviews and walkthroughs of department processes and system components. Often, the assessment process becomes delayed and drags out much longer than expected because employees do not have sufficient time to contribute to the assessment while still handling their day-to-day responsibilities. By not completing the risk assessment in a timely manner, the identification and resolution of critical vulnerabilities can be delayed allowing the risk to persist.

To address this issue, the time constraints faced by their personnel should be recognized by the organizations to plan the assessment accordingly. Adequate preparation time, clear communication, and a streamlined process can help minimize the burden on employees, ensuring their active participation without compromising their regular duties. Additionally, leveraging automation tools for data collection can expedite the assessment process and reduce the manual workload on personnel.

IT Risk Assessments are Critical

In conclusion, IT Risk Assessments play a critical role in protecting organizations against ever changing cyber threats. As highlighted in this article, addressing common deficiencies before completing an assessment is key for improving overall risk management. By recognizing and remediating outdated policies and procedures, inadequate access controls, insufficient business continuity planning, weak logging protocols, substandard system baseline and hardening procedures, and allocating sufficient personnel time for the engagement, organizations can not only fortify their resilience against potential threats but improve their overall risk ratings while promoting a robust and security IT environment.

ERMProtect Can Help

We can help your organization conduct an IT risk assessment. For more information, contact Silka Gonzalez at [email protected] or Judy Miller at [email protected] or call  at 305-447-6750.

Glen Wells is a Senior Information Security Consultant at ERMProtect Cybersecurity Solutions. He is a Certified Information System Auditor (CISA) who conducts risk assessments of all types for enterprises in multiple industries including finance, healthcare, government, and retail.

Subscribe to Our Weekly Newsleter

Intelligence and Insights

pci dss compliance

Why PCI Standards Are Just the Starting Point for Securing Payment Data

While PCI DSS compliance offers a solid baseline, it is not an all-encompassing solution to build a proactive and resilient data security framework …
pci dss in the cloud

How to Achieve PCI Compliance in the Cloud as Security Controls Evolve

The integration of cloud services with PCI DSS compliance is particularly crucial for enterprises that handle sensitive payment card information …
Digital Forensics Investigation

What Are the 5 Stages of a Digital Forensics Investigation?

In this article, we delve deeply into the five stages of a digital forensics investigation and provide tips on how to select the right digital forensics company …