How to write a cyber security risk assessment report
A cyber security risk assessment report is a fact-finding mission designed to uncover and quantify the IT security risks facing an organisation.
The risk assessment itself is the process of identifying, analysing and evaluating the risks posed to business assets, processes and IT workloads. Internal and external threats are isolated, identified and scrutinised with a view to implementing controls and strategies designed to prevent, reduce and mitigate risk.
The cyber security risk assessment report is the end product of the risk assessment. It serves as a roadmap towards implementing effective controls across the entire risk spectrum, from malware and ransomware to traffic monitoring, endpoint security and user-level controls.
This guide provides step-by-step instructions on how to write a cyber security risk assessment report.
WHAT IS A CYBER SECURITY ASSESSMENT REPORT?
Cyber security assessment reports involve conducting an in-depth analysis of an organisation’s IT infrastructure and policies to uncover risks and vulnerabilities.
The goal is to identify strengths, weaknesses and areas that require improvement with security controls. The assessment's size and scope vary with the business's size and complexity.
DO BUSINESSES NEED TO CONDUCT IT RISK ASSESSMENTS?
IT risks are proliferating, and stats show that virtually all businesses are vulnerable in some way.
- Cyber crime is a persistent threat that erodes global GDP by almost 1% each year, by some estimates.
- Losing payment card or personally identifiable information can cost around $150 per record lost, which means even small businesses with around 10,000 customers face losing millions in the event of a data breach.
- Some 60% of smaller businesses close within 6 months of being hacked.
- Larger firms face losing up to $5,600 for every minute of downtime. A 14-hour Facebook outage in 2019 cost the company an estimated $90mn; a DDoS attack was suspected, but Facebook did not release the exact cause.
Businesses conduct cyber security risk assessments to identify IT risks and reduce potential downtime and disruption. This enables them to:
- Discover and rank risks.
- Strategically target risk-reduction strategies.
- Provide assurance to the board.
- Take a step towards cyber security accreditation.
Read our detailed guide to cyber security assessments and why businesses need them.
Cyber security risks are fast-evolving. By proactively identifying and addressing threats, businesses can clamp down on vulnerabilities, provide assurance to stakeholders and clients, and focus on innovation and growth in the knowledge that they are well protected.
CONDUCTING A RISK ASSESSMENT
Writing the report involves a multi-step process that progresses from discussions about business architecture, processes and workloads before diving into risk identification, control selection and technical deep dives on IT infrastructure.
Here’s how to produce a cyber security assessment report in 8 steps:
1. Pick a cyber security framework
Cyber security authorities and institutions have created several frameworks that act as a reference for implementing cyber security improvements and assessing existing technology and business infrastructures.
- The US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).
- The UK National Cyber Security Centre Cyber Assessment Framework (NCSC CAF).
- The International Organization for Standardization (ISO) frameworks (ISO/IEC 27001 and 27002).
- The Center for Internet Security CIS Critical Security Controls (CIS CSC).
- The Payment Card Industry Data Security Standard (PCI DSS).
These frameworks are designed to direct businesses and organisations to established IT security benchmarks and best practices. You can find more information on cyber security frameworks here.
An initial step in carrying out an assessment is to identify which framework is best suited to your business. Sometimes a combination of frameworks may also apply, such as when an organisation needs to comply with PCI DSS and also wants to achieve ISO 27001 certification.
When Nicolson Bray writes a cyber security health check, we typically use a blend of CIS Critical Security Controls and ISO 27001 Annex A, but we can add other frameworks as required. Some businesses may require custom controls that tailor the control set to the business’s specific needs.
2. Identify cyber business risks
Identifying cyber business risks involves working with senior leadership to understand what types of cyber incidents could have a material impact on the business. For instance, how would a large data breach impact the business’s reputation and ability to sign new customers and clients?
This normally takes the form of a workshop or a series of one-to-one interviews and an in-depth analysis of IT policy and processes and on-premises, cloud and distributed architecture.
The analysis is general at first - what types of risks do businesses in this sector typically face? What type of data is being stored and transferred? Has the business been the target of cyber attacks before, and if so, what happened and why?
Part of this exercise should also include rating these risks to understand their relative impacts. This enables initial prioritisation.
Achieving an overarching understanding of cyber business risk is fundamental to selecting controls and performing technical deep dives.
You can find more about identifying cyber business risks in our article on Reporting Cyber Security to the Board.
3. Choose controls from cyber security framework
Each framework contains a series of controls that can be implemented across any business. However, not every control is relevant to every business.
For instance, data leakage prevention (DLP) controls are not relevant to companies that do not process or store sensitive data.
The selection of controls depends on the identified cyber business risks. Controls should be selected on the basis of their ability to mitigate particular cyber business risks. In the example above, DLP controls should be selected to mitigate risks centred around data breaches of sensitive information.
Having said that, some controls are foundational or essential. For instance, controls around passwords, use of 2FA and security patching are critical to every business and so should always be selected. These controls are generally identified within the cyber security framework.
Selected controls are then tailored to the business’s systems and infrastructure.
Above: There were 20 CIS Controls prior to v8, which now has 18 controls
4. Create a checklist
Checklists are created from appropriate controls. Creating a checklist ensures the assessment is carried out consistently and logically, and that information is collected and collated in one place.
You can use Excel to create your checklist, or use one of the many Governance, Risk and Compliance (GRC) tools that serve the same purpose.
Once complete, these checklists store critical information about the security of your company, and so should be kept in a secure location.
5. Identify data & technology assets
Once a checklist has been created and agreed upon, data and technology assets are identified.
Data and technology assets interact throughout an organisation. Technology assets include both hardware systems (e.g. servers and routers) and software (e.g. databases, applications and SaaS). Technology assets often deliver critical operational processes to an organisation, such as taking bookings for an online travel agency.
Data assets are the types of data which flow through the technology assets, such as customer data, financial data and personnel data.
Two exercises which can be useful to identify data and technology assets are:
- Creating data flow maps of data through the company
- Identifying the critical processes and systems for the company
This should help identify which assets should be assessed.
6. Assess controls on data & technology assets
Current controls are checked and audited against the checklist to discover what the business is currently doing to protect its assets and data. Control assessments answer the following questions:
- Are control technologies robust and fit for purpose?
- Are they adequately resourced?
- Are controls well-maintained and up-to-date?
- Is control-related education and training sufficient to maximise protection?
- Are controls proportionate to the value of the asset?
The key here is trying to identify gaps in controls. For example, a business might have adequate controls for its on-premises SQL servers but inadequate controls on SQL instances in the cloud.
After identifying these gaps, it’s then possible to quantify and qualify risk to create the final report.
7. Quantify or qualify risk
Quantifying and qualifying risks involves assessing data and technology assets against the control gaps to gauge relative risk. Business-critical systems and processes warrant the most attention as they exhibit higher risk. Control gaps on high-risk assets are assigned a higher priority than gaps on lower-risk assets.
8. Create report
Presenting findings involves communication with key decision-makers. A detailed cyber security risk assessment report should contain the following:
- Full list of identified risks with understandable ratings.
- Short-term strategies and controls, or ‘quick wins’, that can be implemented almost immediately for rapid security gains.
- Recommendations listed by priority for targeting cyber security budgets and investment.
- Detailed descriptions of all risks and vulnerabilities.
- In-depth analysis of controls with appropriate technical depth for IT teams to implement changes.
- If required, technical delivery of recommendations.
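Steps 3 to 8 above describe a data pipeline: a control set filtered against the identified business risks (with foundational controls always kept), a checklist of findings per asset, a gap score that weights business-critical assets higher, and a report that leads with quick wins and a prioritised list. The following is an added illustration of that pipeline in Python; it is not Nicolson Bray's tooling or any named GRC product. The 1 to 5 scales, the gap weights, the "effort" attribute used to flag quick wins, and every asset, control and finding are constructed for the example.

```python
"""Toy risk register: filters a control set by identified business risks,
scores control gaps per asset and renders a prioritised report.
Added example; all scales, weights and sample data are constructed."""
from dataclasses import dataclass

# How much a finding counts towards the gap score (constructed scale).
GAP_WEIGHT = {"missing": 1.0, "partial": 0.5, "implemented": 0.0}


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int            # 1 (low) .. 5 (business-critical)


@dataclass(frozen=True)
class Control:
    cid: str
    name: str
    mitigates: tuple            # business-risk ids this control addresses
    foundational: bool = False  # always selected, regardless of risks
    effort: str = "medium"      # low / medium / high (assumed attribute)


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    status: str                 # implemented / partial / missing


@dataclass
class RiskItem:
    asset: str
    control: str
    status: str
    score: float
    quick_win: bool


def select_controls(controls, identified_risks):
    """Step 3: keep controls that mitigate an identified risk, plus
    foundational ones (passwords, 2FA, patching) which are always kept."""
    return [c for c in controls
            if c.foundational or set(c.mitigates) & set(identified_risks)]


def gap_score(asset, control, status, risk_impact):
    """Step 7: criticality x highest impact of the risks mitigated x gap weight."""
    impact = max(risk_impact[r] for r in control.mitigates)
    return asset.criticality * impact * GAP_WEIGHT[status]


def build_register(assets, controls, findings, risk_impact):
    """Steps 6-7: turn checklist findings into a ranked list of control gaps."""
    by_asset = {a.name: a for a in assets}
    by_cid = {c.cid: c for c in controls}
    items = []
    for f in findings:
        score = gap_score(by_asset[f.asset], by_cid[f.control], f.status, risk_impact)
        if score == 0:          # control implemented: not a gap
            continue
        items.append(RiskItem(f.asset, f.control, f.status, score,
                              quick_win=by_cid[f.control].effort == "low"))
    # Highest score first; ties broken by name so the order is stable.
    return sorted(items, key=lambda i: (-i.score, i.asset, i.control))


def render_report(register):
    """Step 8: quick wins first, then all gaps by priority, as plain text."""
    lines = ["QUICK WINS"]
    lines += [f"  {i.control} on {i.asset} ({i.status})" for i in register if i.quick_win]
    lines.append("PRIORITISED RECOMMENDATIONS")
    lines += [f"  {n}. {i.control} on {i.asset}: score {i.score:g} ({i.status})"
              for n, i in enumerate(register, 1)]
    return "\n".join(lines)


# Constructed sample data for a small online travel agency.
RISK_IMPACT = {"data_breach": 5, "ransomware_outage": 4, "fraud": 3}
CONTROLS = [
    Control("C01", "MFA on all accounts", ("data_breach", "ransomware_outage"), True, "low"),
    Control("C02", "Security patching within 14 days", ("ransomware_outage",), True),
    Control("C03", "DLP on sensitive data stores", ("data_breach",), effort="high"),
    Control("C04", "Encrypted offline backups", ("ransomware_outage",)),
]
ASSETS = [Asset("on-prem SQL", 4), Asset("cloud SQL", 5),
          Asset("booking web app", 5), Asset("staff laptops", 2)]
FINDINGS = [
    Finding("on-prem SQL", "C03", "implemented"),
    Finding("cloud SQL", "C03", "missing"),      # the gap named in step 6
    Finding("cloud SQL", "C01", "partial"),
    Finding("booking web app", "C02", "missing"),
    Finding("booking web app", "C04", "partial"),
    Finding("staff laptops", "C01", "missing"),
]

if __name__ == "__main__":
    print(render_report(build_register(ASSETS, CONTROLS, FINDINGS, RISK_IMPACT)))
```

Note how `select_controls` reproduces the DLP example from step 3: with only "ransomware_outage" identified, C03 drops out while the foundational MFA and patching controls stay. The register ranks the missing DLP control on the business-critical cloud SQL instance above the same control's implemented state on premises, which is the gap step 6 describes.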
WHO SHOULD BE INVOLVED IN CREATING A SECURITY ASSESSMENT REPORT?
Writing a cyber security risk assessment report is a collaborative exercise. Since cyber security percolates all business teams and departments, it’s vital to establish a top-down understanding of risks so key individuals can disseminate knowledge across the business.
Above: Writing a cyber security risk assessment report should involve collaboration from senior management and relevant team leaders/key members of departments exposed to the highest risk
A robust cyber security risk assessment report should involve the following individuals and teams:
- Experienced cyber security professionals: Cyber security professionals lead assessment activity, starting with initial discussions with senior management before collaborating with risk management, IT teams, etc.
- Senior management team: To build an understanding of business activity, past issues and future direction, assessments should involve the CEO and other members of the senior management team, such as the CFO, COO and CRO.
- Audit & risk management: If the company has pre-existing internal risk management functions, these should be involved in the assessment to discuss relevant risk management strategies, compliance obligations, etc.
- CIO/CTO & Head of IT: Discussions progress to technical analysis and risk identification. This requires input from CIOs or CTOs and the Head of IT. The business’s core IT infrastructure, processes and workloads are identified.
- Lead architect: Where present, the Lead Architect can inform cyber security professionals of IT architecture and data assets. The assessment progresses towards a deep dive into relevant systems.
- IT security manager and IT engineers: IT engineers assist in the technical deep dive into technical controls in place, as well as system risk exposure and vulnerabilities. Different departments may have different IT teams or engineers responsible for specific functions.
The ideal process involves collaboration between cyber security professionals, senior management and relevant departments and functions within the business.
Of course, not all businesses have dedicated risk management and security functions, but the core message remains the same: cyber security affects virtually every aspect of a business, including managers and employees at all levels.
SUMMARY: CYBER SECURITY RISK ASSESSMENT REPORT
Many businesses are unsure of their cyber security risks or are overconfident of their controls.
Surveys suggest that 87% of businesses feel ‘confident’ about their cyber security, yet at least 58% of businesses hit by an attack or data breach had also rated themselves ‘confident’.
Writing a cyber security assessment report helps businesses beat complacency. By identifying and understanding risks, businesses can take back control of their cyber security and focus their investment on where it has the most impact.
Nicolson Bray offers comprehensive cyber security assessment solutions with cyber security architecture implementation and technical delivery. Contact us today to discover how we can help your business proactively manage and eliminate cybersecurity threats.
Bob Nicolson | Head of Consultancy