Security Lesson #2: Risk Assessment Checklist

Patrick WilliamsonCybersecurity & Compliance

This post on questions that drive your cybersecurity strategy is the third post in our new Security Lessons series. To start from the beginning, read “What we learned as a ransomware victim — so you don’t become one.

In my last blog post, “Security Lesson #1: 9 Foundational Questions That Drive Your Cybersecurity Strategy,” I talked about the importance of analyzing business impact and taking the time to ask questions about risk tolerance and impact.

Equally important is to understand all the vectors of risk. In this post, we provide CPA firms and healthcare clinics a Risk Assessment Checklist to help you evaluate your current risk and identify areas that require focus.

Physical and environmental security 

Equipment security 

  1. Equipment location protection 
    • Isolate items that require special protection to reduce the level of protection required 
    • Adopt controls to minimize risk from potential threats such as theft, fire, explosives, smoke, and flood
  2. Power supplies 
    • Protect equipment from power failures with redundant power supplies, such uninterruptible power supply (UPS), backup generators, or similar
  3. Equipment maintenance 
    • Regular maintenance by authorized personnel
    • Insure the equipment and make sure you meet the insurance requirements
  4. Equipment up to date
    • Change default passwords on routers, computers, firewalls, and other devices
    • Review older equipment to ensure it provides the protection needed
  5. Secure offsite equipment 
    • Review offsite equipment used for information processing
    • Verify that the security provided equal to or better than the security provided on premises 
  6. Secure disposal or reuse of equipment
    • Physically destroy or securely overwrite any storage devices that contain sensitive information 

Organizational security 

Information security policy 

  1. Information security policy document 
    • Publish and communicate an information security policy, approved by the management team, to all employees
    • State management commitments and set out the organizational approach to manage information security 
  2. Review and evaluation 
    • Maintain and review the security policy according to a defined review process
    • Review the policy following any changes that affect the basis of the original assessment, example: significant security incidents, new vulnerabilities, and changes to organizational or technical structure

Information security infrastructure 

  1. Allocation of information security responsibilities 
    • Define responsibilities for protecting individual assets
    • Define responsibility for carrying out specific security processes 
  2. Cooperation between organizations 
    • Identify and maintain appropriate contacts with law enforcement authorities, regulatory bodies, utility providers, information service providers, managed service providers, and telecommunication operators
    • Contact the appropriate organization to get advice in the event of an incident
  3. Independent review of information security 
    • Review security policy implementation independently on a regular basis

Secure third party access 

  1. Identification of risks from third party 
    • Identify risks from third party access and implement appropriate security controls 
    • Identify and classify the types of accesses and ensure that the reasons for access are justified
    • Identify security risks with third party contractors working onsite and implement appropriate controls, such as badges with controlled access, sign in and sign out procedures, and training as appropriate 
  2. Security requirements in third party contracts 
    • Create a formal contract outlining the security requirements to ensure compliance with the organization’s security policies and standards 

Outsourcing 

  1. Security requirements in outsourcing contracts 
    • Address security requirements in contracts with third parties, particularly if the organization outsourced the management and control of all or some of its information systems, networks and/ or desktop environments
    • Determine which third parties sign confidentiality or non-disclosure agreements as a part of their
    •  terms and conditions of the engagement
    • Address in the contracts how to meet legal requirements, how to maintain and test the security of the organization’s assets, audit rights, physical security issues, maintenance of the availability of the services in the event of disaster

Personnel security 

Security in job definition and resourcing 

  1. Include security in job responsibilities 
    • Document security roles and responsibilities in the organization’s information security policy
    • Include general responsibilities for implementing or maintaining the security policy, and specific responsibilities for protection of specific assets, or for extending specific security processes or activities
  2. Confidentiality agreements 
    • Require employees to sign confidentiality or non-disclosure agreements as a part of their initial terms and conditions of the employment
    • Ensure that this agreement covers the security of the information processing facility and organization assets
  3. Terms and conditions of employment 
    • Ensure that the terms and conditions of the employment cover the employee’s responsibility for information security
    • Determine when and which responsibilities continue after the end of the employment and the duration that they continue to apply

User training 

  1. Information security education and training 
    • Provide and require appropriate information security training to all employees and third parties (as appropriate)
    • Share regular updates related to organizational policies and procedures

Respond to security and threat incidents 

  1. Report security/threat incidents 
    • Create a formal reporting procedure to report security/threat incidents through appropriate channels as quickly as possible
  2. Report security weaknesses 
    • Create a formal reporting procedure to report security weaknesses in, or threats to, software, systems, or services 

General controls 

  1. Removal of property 
    • Determine whether equipment, information, or software be taken off site without appropriate authorization
    • Detect unauthorized removal of property through spot checks or regular audits
    • Inform employees of spot checks or regular audits

Asset classification and control 

Asset accountability

  1. Inventory assets 
    • Maintain an inventory or register of the important assets associated with each information system
    • Inventory individual devices, such as laptops, cell phones, and related equipment that leaves the secured office environment

Information classification 

  1. Classification guidelines 
    • Create an information classification plan to determine how information is handled and protected 
  2. Information labeling and handling 
    • Define appropriate procedures for information labeling and handling in accordance with the classification plan

Communications and operations management 

Operational procedure and responsibilities 

  1. Document operating procedures 
    • Identify operating procedures, such as back up procedures, equipment maintenance, and so on in the security policy 
  2. Incident management procedures 
    • Create an incident management procedure to handle security/threat incidents
    • Address the incident management responsibilities and response to security or threat incidents 
    • Address different types of incidents, such as denial of service attacks and breach of confidentiality, and identify how to handle them
    • Maintain audit trails and logs related to any incidents 
    • Take action to ensure that the incident doesn’t reoccur 
  3. External resource management 
    • Review which, if any, information processing facilities are managed by an external company or contractor
    • Identify any risks associated with such management in advance, discuss them, and incorporate appropriate controls into the contract
    • Obtain approval for third party resource management from business and application owners

Computer media handling 

  1. Management of removable computer media 
    • Create a procedure to manage and secure removable computer media such as memory cards, USB sticks, and flash drives
    • Create a formal procedure governing how removable media is disposed in a secure manner
    • Establish a policy for handling external media 

Exchange of information and software 

  1. Information and software exchange agreement 
    • Create a formal agreement between the organizations for exchange of information and software
    • Address security issues based on the sensitivity of the business information exchanged
  2. Other forms of information exchange 
    • Create policies and procedures that protect the exchange of information via voice, facsimile, electronic, and video communication facilities 

Access control 

Business requirements for access control 

  1. Access control policy 
    • Define and document business requirements for access control which should include User access provisioning and termination, management of privileged access etc.
    • Create an access control policy based on a Role based Access Control (RBAC) model aligned to the rules and rights for each user or a group of users 
    • Communicate the business requirements met by access controls to users and service providers

Mobile computing and telecommuting 

  1. Mobile computing 
    • Adopt a formal policy that incorporates the risks of working with laptops, notebooks, cellular phones, tablet computers, or similar portable devices, particularly in unprotected environments such as airports, coffee shops, and hotel lobbies
    • Provide staff training that covers mobile computing devices to communicate potential additional risks and how to implement the business controls that mitigate the risks
  2. Telecommuting 
    • Ensure that all policies, procedures, and standards to control telecommuting activities are consistent with the organization’s security policy
    • Implement suitable protection all endpoints to mitigate risk of threats such as theft of equipment and unauthorized disclosure of information, including remote wipe of sensitive data, enabling multi factor authentication for access, and so on

Business continuity management 

Aspects of business continuity management 

  1. Business continuity management process 
    • Create a process to develop and maintain business continuity throughout the organization
    • Include an organization-wide business continuity plan, regularly test and update the plan, establish and document a business continuity strategy, and so on
  2. Business continuity and impact analysis 
    • Identify events that could cause interruptions to business processes (for example, equipment failure, hurricanes, wildfires, malicious hackers, insider threats) 
    • Conduct a risk assessment to evaluate the impact of these interruptions
    • Develop a strategy plan based on the risk assessment to build an approach to business continuity
  3. Write and implement a continuity plan 
    • Determine the time frame your business operations can be offline without catastrophic impact
    • Develop a plan to restore business operations within the identified time frame if there is an interruption to business processes
    • Test and update the plan regularly 
  4. Business continuity planning framework 
    • Create a single framework of business continuity plan
    • Maintain this framework to ensure that all plans are consistent
    • Identify priorities for testing and maintaining the plan
    • Identify conditions for activating the plan and who is responsible for executing each component of the plan
  5. Test, maintain and reassess the business continuity plan 
    • Test business continuity tested regularly to ensure that they are updated and effective
    • Review business continuity plans regularly and update them to ensure effectiveness
    • Include procedures in the organization’s change management program to address business continuity matters

Some of the items above can be outsourced to a technology partner, while others need to be uniquely assessed by internal personnel. However, as we come out of the current pandemic, you probably have a clearer idea today of your current posture than you ever have had before.