Security Software & Equipment Store

Thursday, November 5, 2015

Cyber Security Assessment Methodologies - Choosing the Best Methodology for Your Needs

Placed within the Identify function of the NIST Cybersecurity Framework is a category called Risk Assessment. According to NIST, the goal of a risk assessment is for an organization to understand “the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.”
As set out by NIST, conducting a risk assessment typically includes the following six steps:

1) Identify and Document Asset Vulnerabilities
2) Identify and Document Internal and External Threats
3) Acquire Threat and Vulnerability Information from External Sources
4) Identify Potential Business Impacts and Likelihoods
5) Determine Enterprise Risk by Reviewing Threats, Vulnerabilities, Likelihoods and Impacts
6) Identify and Prioritize Risk Responses
In the security industry, we refer to these steps as being proactive (as opposed to being reactive, a euphemism for incident response). Best practices for conducting a risk assessment include, first and foremost, adequate preparation. But what does that require? In the world of risk assessments, preparation means setting out the ground rules, including a clear understanding of the assessment’s purpose and scope, its assumptions and constraints, its information sources, and whether a particular risk model or analytic approach is being used. Which cyber security assessment model is best suited for your business or government agency? Share your comments with the Cloud and Cyber Security Center.
