Risk Assessments vs. Security Assessments

We’ve already established the importance of assessments in a previous article (Audits vs Assessments and Why They Aren’t The Same Thing). To recap: assessments are used to help an entity mature.

We’ve also established that the role of a CISO is to focus on risk to information resources (What is a Chief Information Security Officer). However, when it comes to assessments, not all are the same. Security Assessments, while very closely related to Risk Assessments, cover different aspects of an organization’s people, processes, and technologies.

Risk Assessments 

Risk can be summed up in a simple “algorithm”: RISK = THREATS * VULNERABILITIES

Of course, likelihood, impact, and mitigations must be taken into account to truly paint the risk picture. A Risk Assessment methodically helps us determine which threats are legitimate and likely, which vulnerabilities those threats could exploit, the impact a successful exploitation might have, and how much the impact or likelihood is reduced by any mitigations we already have in place. What remains after all of that is captured in the term “Residual Risk.”

So, risk assessments are somewhat generic in that they do not delve into specific security requirements. Rather, risks focus on adversarial and non-adversarial threats (i.e., malicious actors vs. environmental phenomena). The results of a Risk Assessment are intended to be a list of Residual Risks (threats * vulnerabilities) and how likely and impactful each is to the organization’s mission.

The organization’s security policies should then have focus areas added to assist the organization in mitigating its residual risk.
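To make the residual-risk idea concrete, the following is an added example (not code from the article) of a small risk register that scores each threat/vulnerability pair, applies the mitigations already in place, and ranks what is left. The 1-5 ordinal scales, the additive mitigation reductions, and the sample register entries are all assumptions constructed for the illustration; a real assessment would use whatever scoring method the organization’s methodology prescribes.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Mitigation:
    """A control already in place; assumed to knock points off likelihood and/or impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskItem:
    """One threat * vulnerability pairing from the register (all values constructed)."""
    threat: str
    adversarial: bool            # malicious actor vs. environmental phenomenon
    vulnerability: str
    likelihood: int              # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                  # 1 (negligible) .. 5 (mission-ending), assumed scale
    mitigations: List[Mitigation] = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk before any existing controls are credited.
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Clamp at 1: a mitigation can reduce likelihood but never make a threat impossible.
        reduction = sum(m.likelihood_reduction for m in self.mitigations)
        return max(1, self.likelihood - reduction)

    def residual_impact(self) -> int:
        reduction = sum(m.impact_reduction for m in self.mitigations)
        return max(1, self.impact - reduction)

    def residual_risk(self) -> int:
        # What the organization still carries after crediting current mitigations.
        return self.residual_likelihood() * self.residual_impact()


def build_sample_register() -> List[RiskItem]:
    """Constructed sample entries covering both adversarial and non-adversarial threats."""
    training = Mitigation("security awareness training", likelihood_reduction=1)
    patching = Mitigation("monthly patch cadence", likelihood_reduction=2)
    backups = Mitigation("offsite backups", impact_reduction=2)
    return [
        RiskItem("phishing", True, "email accounts without MFA", 5, 4, [training]),
        RiskItem("ransomware", True, "unpatched file server", 4, 5, [patching, backups]),
        RiskItem("flooding", False, "server room in floodplain", 2, 5, [backups]),
        RiskItem("power outage", False, "single power feed", 3, 3),
    ]


def rank_register(register: List[RiskItem]) -> List[Dict[str, object]]:
    """Residual risks ordered highest first; this is the list a Risk Assessment hands back."""
    ranked = sorted(register, key=lambda r: r.residual_risk(), reverse=True)
    return [
        {
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "inherent": r.inherent_risk(),
            "residual": r.residual_risk(),
        }
        for r in ranked
    ]


def residual_by_threat_type(register: List[RiskItem]) -> Dict[str, int]:
    """Totals per threat category, mirroring the adversarial / non-adversarial split."""
    totals = {"adversarial": 0, "non-adversarial": 0}
    for r in register:
        key = "adversarial" if r.adversarial else "non-adversarial"
        totals[key] += r.residual_risk()
    return totals


if __name__ == "__main__":
    reg = build_sample_register()
    for row in rank_register(reg):
        print(f"{row['threat']:<13} {row['vulnerability']:<30} "
              f"inherent={row['inherent']:>2} residual={row['residual']:>2}")
    print(residual_by_threat_type(reg))
```

Note how the two items with equal inherent risk (phishing and ransomware, both 20) end up far apart once existing controls are credited: that gap between inherent and residual scores is exactly the information policy focus areas should be built from.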

Security Assessments 

Security Assessments tend to be a little less nebulous than their risk-focused counterpart. Security Assessments are based on organizational policy, regulatory requirements, or industry standards (side note: regulatory requirements, and often industry standards, should be written into security policy, so in a perfect world Security Assessments are done against the organization’s own Security Policy). Security Assessments therefore assess the organization’s implementation of security policy, regulation, and standards in each system, at each system level, against each of “People, Process, and Technology.”

So, Security Assessments are specific in that they generate granular findings, each giving specific tasks to be completed to help close viable risks, sometimes in small increments (managed through a plan of action and milestones process).

The results of Security Assessments and the efforts performed to mitigate findings should help close risks discovered in the Risk Assessment process. 

What’s the difference? 

Obviously, when we’re talking about cyber security, the two are very closely related. Neither necessarily includes the other, since each can be performed without the other, but they are certainly not mutually exclusive. In a perfect world, Risk Assessments drive policy, which drives Security Assessments, which inform Risk Assessments, which drive policy… and the cycle goes on and on.

Risk Assessments are more generic and tend to be focused on adversarial and non-adversarial threats.

Security Assessments are specific to security requirements and focus on how and whether or not the requirements are implemented. 

Risk Assessments and Security Assessments are 100% necessary in an organization that uses information or technology in its day-to-day business. If the business can’t survive without the information or technology, then these assessments can reveal points of weakness or threat, allowing the organization to mitigate before the risks become realized.