An effective assessment will likely vary quite significantly from one organization to the next. Your business industry, location, and regulatory requirements will change your specific process. The core foundation of an effective cyber security assessment does however remain the same, regardless of the aforementioned complexities.
- Figure out the scope of your assessment
This will be a lesson in thoroughness. You will need to identify every asset that will be evaluated in order to accurately determine the full scope of the project.
We would recommend starting small with a single asset type and moving systematically through in that fashion.
Once you have chosen your asset type, you will need to figure out any other devices or information it touches in any way.
Take your time on this step of the process as this will ensure you are getting a comprehensive look at your entire network. Cutting corners here could mean critical vulnerabilities being unintentionally ignored.
You will most likely find that your network is a complex spider web of information, which can feel overwhelming. This is the point where we would recommend getting in touch with a partner with a lot of experience doing these types of assessments. We handle these types of assessments for our clients all of the time at Techfive :).
- Figure out how valuable each asset is
Once you have completed step 1, it’s time to talk value.
It’s important to remember that the value of an asset likely extends beyond just the cost of the hardware/software. Consider the intangible value of an asset and what its loss would cost your business.
Typically we find that most assets’ actual value extends well beyond what was expected. We live in an interconnected world and your business is no different.
For each asset, gather specific information where applicable such as software, hardware, end-users, purpose, criticality, and any security policies in place.
- Identify gaps in your security
This is where a lot of the complexity comes in. It is nearly impossible to do this without having a background in cyber security or information security.
Here you calculate the likelihood of various business loss scenarios. Essentially you are looking to identify security holes, calculate the impact that an exploit of each would have on your organization, and mitigate those risks.
The most common threats that affect every organization typically include:
- Unauthorized access: from attackers, malware, or employee error.
- Misuse of info by authorized users: data may be altered, deleted, or used without approval.
- Leaked data: identifiable information being leaked intentionally by attackers or unintentionally through poorly configured systems.
- Business disruption: loss of revenue and reputation damage due to business downtime.
I have oversimplified the process here. I would recommend visiting the NIST framework page to get a much deeper dive into cyber security practices.
- Perform an info value vs cost of prevention analysis
This is the way you figure out what to prioritize first and what is most immediately beneficial.
The goal is to weigh the importance of securing a category of your data against the relative cost to your company of doing so.
To do this, take the likelihood of a threat and its potential impact and compare them against the cost of preventing it. From that comparison you can produce a plan for which holes need to be patched first.
Something to remember is that the impact of a cybersecurity incident extends beyond just money. It is common for a brand’s reputation to be negatively affected after suffering from a cyber incident. Take this into consideration when performing your information value vs cost of prevention analysis.
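As an added example (not from the original post), the script below carries the value-vs-cost comparison of this step through over a small constructed asset inventory, counting intangible cost (downtime, reputation) as part of asset value as described in the valuation step. All asset names, likelihoods and costs are assumed figures for illustration.

```python
"""Rank security gaps by expected loss versus the cost of preventing them.
Example added to this post; every figure below is constructed, not real data."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_cost: float   # hardware/software cost
    intangible_cost: float    # downtime, reputation, regulatory exposure

    @property
    def value(self) -> float:
        # Asset value extends beyond the hardware: include the intangible side.
        return self.replacement_cost + self.intangible_cost


@dataclass
class Gap:
    asset: Asset
    threat: str               # e.g. "unauthorized access", "leaked data"
    likelihood: float         # estimated probability of occurring per year
    impact: float             # fraction of asset value lost if it occurs
    prevention_cost: float    # annual cost of the mitigating control

    def expected_loss(self) -> float:
        return self.likelihood * self.impact * self.asset.value

    def net_benefit(self) -> float:
        # Positive means the control costs less than the loss it prevents.
        return self.expected_loss() - self.prevention_cost


def prioritize(gaps):
    """Return (gap, decision) pairs, most beneficial fix first; controls that
    cost more than the loss they prevent are flagged for acceptance/monitoring."""
    ranked = sorted(gaps, key=lambda g: g.net_benefit(), reverse=True)
    return [(g, "mitigate" if g.net_benefit() > 0 else "accept/monitor") for g in ranked]


def build_sample_gaps():
    """Constructed inventory: one server asset and one endpoint asset."""
    crm = Asset("CRM database", replacement_cost=20_000, intangible_cost=180_000)
    laptop = Asset("sales laptop", replacement_cost=1_500, intangible_cost=4_000)
    return [
        Gap(crm, "unauthorized access", likelihood=0.10, impact=0.50, prevention_cost=6_000),
        Gap(crm, "business disruption", likelihood=0.30, impact=0.25, prevention_cost=9_000),
        Gap(laptop, "leaked data", likelihood=0.20, impact=1.00, prevention_cost=2_000),
    ]


if __name__ == "__main__":
    for gap, decision in prioritize(build_sample_gaps()):
        print(f"{gap.asset.name:14} {gap.threat:22} "
              f"loss={gap.expected_loss():8.0f} net={gap.net_benefit():7.0f} -> {decision}")
```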