When was the last time you got a physical?
You didn’t get one because you like it; you got one because it’s designed to uncover risks you may not have recognized and design a plan to protect you. You got it because it’s the right thing for your long-term health. So if you’re willing to get one for your body, are you willing to get one for your business?
Your organization encounters viruses, intrusions, and attacks every day; it is the nature of conducting business in our Internet-connected world. A cybersecurity risk assessment is much like your annual physical: you need to do one at least once a year. An annual cybersecurity risk assessment may uncover a vulnerability that a malicious hacker can exploit. You can then “prescribe” a patch or a configuration change to mitigate the risk. If you don’t take the time to assess your risks, you can’t manage them, and your organization will be unnecessarily exposed.
Check Your Technology
There are several questions to consider when choosing an assessment framework.
- Is your organization mandated to meet regulatory compliance standards such as PCI, HIPAA, or others?
- Does your company have contractual terms with a client that dictate minimum cybersecurity requirements?
- Do you conduct business in other nations which may have specific regulations with which you must comply?
Once you establish a framework, your cybersecurity “physical” can begin. Every assessment, regardless of the framework, shares the same protocol to identify threats. We begin with a review of your organization’s cybersecurity policies and procedures. Once the policy review is completed, the assessor interviews key personnel responsible for implementing the policies to ensure that they are aware of the policy and consistently follow the related procedures. Interviews are then substantiated by inspecting and testing that the policies and procedures are correctly implemented. Technical testing such as a vulnerability assessment or penetration test of the network and applications is usually the final step.
Once the threats have been identified, the assessor will work with you to determine the inherent risk and likely impact for each threat. A threat that may pose a high risk to one organization may only be classified as a low risk at another. This process lays the groundwork for the remediation plan, or prescription, which is the final product of your risk assessment.
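As an added illustration of the scoring step described above (this is example code, not part of the original post and not Matrix Integration’s method), the small risk register below scores each identified threat by likelihood and impact on an assumed 1–5 scale, maps the product onto High/Medium/Low bands (assumed thresholds), and ranks the results into a remediation plan. An optional per-organization impact override shows how the same finding can rate High at one organization and Low at another. The findings listed are constructed sample data.

```python
"""Toy risk register: score identified threats by likelihood and impact,
then rank them into a remediation plan ("prescription").

Added example, not the original post's or Matrix Integration's method.
The 1-5 likelihood x impact scoring and the rating thresholds are a
common convention assumed here; the findings below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe), default for a typical org
    remediation: str  # the prescribed fix


def inherent_risk(likelihood: int, impact: int) -> int:
    """Inherent risk before any controls: likelihood x impact, range 1..25."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be on a 1-5 scale")
    return likelihood * impact


def rating(score: int) -> str:
    """Map a 1..25 score onto a qualitative band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def remediation_plan(threats, org_impact=None):
    """Rank threats by inherent risk, highest first.

    org_impact maps a threat name to an organization-specific impact that
    overrides the default, because the same threat can be High risk at one
    organization and Low at another.
    """
    org_impact = org_impact or {}
    rows = []
    for t in threats:
        impact = org_impact.get(t.name, t.impact)
        score = inherent_risk(t.likelihood, impact)
        rows.append({"threat": t.name, "score": score,
                     "rating": rating(score), "action": t.remediation})
    rows.sort(key=lambda r: (-r["score"], r["threat"]))
    return rows


# Constructed findings, as an assessor might record them after testing.
FINDINGS = [
    Threat("Unpatched web server", 4, 4,
           "Apply vendor patches; enable automatic updates"),
    Threat("Cardholder data on shared drive", 2, 5,
           "Move to an encrypted, access-controlled store"),
    Threat("No MFA on remote access", 4, 5,
           "Enforce MFA for all remote logins"),
    Threat("Guest Wi-Fi reaches office LAN", 3, 2,
           "Segment the guest network onto a separate VLAN"),
]

if __name__ == "__main__":
    scenarios = (
        ("Retailer (handles card data)", {}),
        ("Consultancy (no card data)", {"Cardholder data on shared drive": 1}),
    )
    for org, overrides in scenarios:
        print(f"\n{org}")
        for r in remediation_plan(FINDINGS, overrides):
            print(f"  {r['rating']:6} {r['score']:>2}  {r['threat']}: {r['action']}")
```

Running the script prints the ranked plan twice: for the retailer the shared-drive finding sits in the Medium band, while for the consultancy that stores no card data the same finding drops to Low and falls to the bottom of the list, which is the point the assessor makes when weighing inherent risk per organization.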
Why risk the health of your organization? Matrix Integration can help you determine the right framework and get you started on the road to “cyber-health”.