One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1880731
Publication date 2020-08-25 07:11:00 (viewed: 2020-08-25 08:06:02)
Title Security risk assessments explained
Text This blog was written by a third party author.

What is a security risk assessment?

A security risk assessment is a formal method for evaluating an organization's cybersecurity risk posture. Comprehensive security risk assessments take stock of business objectives, existing security controls, and the risk environment in which the business operates. When done well, the assessment identifies security gaps in existing controls as compared with industry best practices. Assessments then prioritize opportunities to close the gaps based on the significance of the cyber risk to which they expose the business.

Security risk assessments provide a foundational starting point and an ongoing yardstick for developing a risk-based cybersecurity program. Systematically documenting technical and process deficiencies and scoring them by their potential to materially impact ongoing business missions lays the groundwork for:

- Holding meaningful discussions with executives on the business implications of security risk
- Providing the waypoints for disciplined investment in new security measures
- Measuring reduction of risk as improvements are made
- Proving compliance and ensuring investments meet regulatory standards

No matter where an organization is on its journey toward security maturity, a risk assessment can prove invaluable in deciding where and when it needs most improvement. For more mature organizations, the risk assessment process will focus less on discovering major control gaps and more on finding subtler opportunities for continuously improving the program. An assessment of a mature program is likely to find misalignments with business goals, inefficiencies in processes or architecture, and places where protections could be taken to another level of effectiveness.

The risk assessment process

The time it takes to conduct a full security risk assessment varies by the organization's size and complexity. Risk assessments for smaller or less complex organizations may be completed in less than a week, while those for larger, more complex, or highly regulated organizations can take significantly longer. The process is typically kicked off by a discovery phase that includes exercises such as:

- Interviewing key business stakeholders to gain an understanding of the core business goals that security is meant to support
- Conducting technical inventories and documenting data flows and standards to map the existing IT architecture
- Collecting documentation and performing technical testing to review the security tools and controls currently in place within the architecture

Initial information gathered during this discovery phase is then married up with relevant regulatory requirements and a cyber risk management framework of choice to discover where control gaps exist. A framework informs a security risk assessor by cataloging security best practices, providing industry benchmarks, and offering established methodologies for analyzing and scoring the risk incurred by control gaps. Among the most popular frameworks guiding security risk assessment today is the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), which provides an end-to-end map of the activities and outcomes involved in the five core functions of cybersecurity risk management: identify, protect, detect, respond, and recover. Using the CSF gives assessors a way to score maturity based on existing controls and in the context of progress made by industry peers, offering maturity profiles for different types of organizations, with implementation tiers broken down and shifted based on the industry. After performing a risk analysis, the assessment is then organized into a report that offers full documentation of the business priorities supported, assets at risk, controls in place, and existing vulnerabilities and control gaps found across the organization. The repo
Sent Yes
Tags Vulnerability


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.