Management, compliance & auditing

Anatomy of a Risk Assessment

February 14, 2013 by Jesse Valentin

To an organization that is serious about security and wants to identify the most efficient way to invest in security solutions, a risk assessment is absolutely necessary. This is because a properly executed assessment is sort of like a physical exam for the enterprise. It gives you a baseline understanding of your current “health posture” and shows where you need to concentrate your efforts to improve that posture.

Another great aspect of an assessment is that the findings you uncover can be revisited repeatedly until they are completely addressed. This provides you with a historical view of your organization’s security posture and can highlight the progress of your hard work to resolve any problems. This article will discuss a simple way to go about organizing your efforts, how to structure your assessment and identify the areas that need the most attention. So, what’s the first step in conducting a Risk Assessment?


Like all great undertakings, you have to know in advance what you’re trying to do! The first question you need to ask yourself is: What am I trying to accomplish? The goal can be many different things for different organizations – perhaps you need to comply with a government mandated policy or standard and you need to find out how well your organization is doing thus far… Another possibility is that you’re worried about security but not quite sure where to start or how to identify what’s really important? Once you’ve identified your goal, the next step is to…


This step is also very important to the risk assessment as it creates the motivation for any adopted security solutions. Having this information allows you to understand the context in which you’ll be working. For example, when we think of security in banks – what image comes to mind? For me, I immediately think of a vault, an armed security guard, reinforced doors, etc. What’s the point of all this security? The answer is simple – the bank is trying to prevent people from stealing or hurting their assets. In this case the “assets” are their client’s money, the bank’s reputation, their employees and their clients to name a few. When the risk assessment is executed in this environment, the context will always be the protection of these particular assets. This will allow the Information Security professional to have the correct viewpoint when analyzing the security posture of the organization. This knowledge will also allow the security practitioner to identify threats that may not be immediately obvious but present a threat to the organization’s assets which could be tangible (products) or intangible (services).


Once the assets have been identified, the next step is to understand the value the organization places on these assets. In simple terms, what value does your organization place on its reputation? What value is placed on its individual client services? Does it sell products – how valuable are these products to the organization?

In the case of most risk assessments, the determination of this value is “estimated” or it is simply understood that the asset is very valuable to the organization.This estimation is called a “qualitative” determination of value. Basically what this means is that the practitioner is aware that a particular asset is valuable but does not have an exact monetary amount for the asset in question. Based on this knowledge, the assessor would create a ranking system for the identified threats in the final report with a description and a probability ordering that would estimate the likelihood that the threat would be exploited. We will discuss this in detail in the following sections. So, for right now we will proceed with the understanding that the assets are “very valuable.” Now that you have this information, the next step is to…


After identifying the goal, the asset and the value – you need to thoroughly understand the type of business you are assessing. Some pertinent questions may be – In which industry does the organization do business? What type of organization is it – Financial, Healthcare, Non-Profit, Government? Once the type of business is identified, you need to dissect that business into its core components or departments. What does this mean? For example, if you are assessing a Healthcare organization then some core components may be areas like Patient Billing, Laboratory Services, Administration, Medical Records, Human Resources, etc.

A suggestion to gathering a detailed list of core departments would be to either interview an administrative contact that can help you with this discovery or request a company org chart. This can be very useful in showing the core departments along with their respective heads, assistants and subordinates and you can review it at your leisure. At this point you should start to document the structure of the organization and begin to assign an estimated priority to each discovered area.As a security practitioner you will need to begin organizing a schedule to interview department heads and technical contacts for each department to further break down their respective areas to their daily functions. The reason is that you want to understand in detail what each department does, which systems they interact with, the applications they use and how they come into contact with the organization’s valuable assets in their daily work.

For example, during these interviews you may come to learn that a department like Human Resources collects large portions of sensitive personal information from employees and may use third-party services that process some of this information. Some of these services may include background checks, credit checks, etc. Some possible questions you may need to ask during that interview include – How is this information transmitted to the third party? Does the third party establish connections to our organization? Are these connections encrypted?, etc.- In this way, your findings will start to take shape and potential hazards will start to come into view..

At this point, you should also start to record an inventory of the different technical systems and applications that are in use by each department along with their respective business owners and technical custodians. These people will have to be interviewed as well for a detailed understanding of each system in use.

Before all of these interviews are conducted, the practitioner should have or create a set of checklists and questionnaires that will assist them in asking appropriate questions to get the most accurate view of how each department is interacting with sensitive information and that defines their business practices. Using pre-built questionnaires helps a great deal to ensure the consistency of your assessment, saves time and ensures that no key areas are overlooked. We will discuss how to go about creating these questionnaires in the following sections.


At this point in your preparation, understanding the goal of your assessment and the business type becomes very helpful as you will now have to decide on the approach or structure of your assessment. To illustrate – when you visit the mechanic for an inspection of your car, the mechanic uses a structure that might be called a 70 point inspection. This means that the mechanic will check certain “points” like your tires, fluid levels, emission controls, etc. Using this structure, the mechanic can consistently assess the entire car without missing any key areas. The benefit to this is that ANY car can be reviewed the same way regardless of the make and model since all automobiles are composed of the same basic “points”. This takes the complexity out of analyzing an entire car and breaks it down into organized, manageable parts.

How do we apply this to a Risk Assessment? One suggestion would be to use the ISO/IEC 27002 – Code of Practice for Information Security Management. This is a standard that was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and as such it encompasses the key areas or key “points” that should be included in a Risk Assessment. Since this is an international standard that was adopted on the national level, the use of this approach ensures the consistency of your assessment regardless of the environment being reviewed.

Just a few of the key “points” included in this standard are the following:

    • Information Security Policy
    • Internal Organization
    • External Parties
    • Responsibility for assets
    • Information Classification
    • Prior to employment
    • During employment
    • Termination of employment
    • Physical Security Perimeter
    • Physical Entry Controls
    • Operational procedures and responsibilities
    • Third party service delivery management
    • Backup
    • Media Handling

In this example, I highlighted 6 of the major points that are identified by this standard. There are a total of 15 major points in this standard that encompass all the major areas that would be relevant to security. Each of these major points has several sub-points, so as can be determined, the standard is very robust and allows a very thorough assessment of an environment.To be sure not to miss anything vital during your interviews – this would be an excellent time to start developing your questionnaires and a checklist of documents you would need from your client so you can complete the assessment.

For example, with regard to the first two headings “Security Policy” and “Organization of Information Security” you may start a checklist of required documents such as:

  • Previous audit reports
  • Information Security Policy
  • Approved use of company assets policy
  • Business Continuity processes
  • Process for reporting security incidents

It will be necessary to thoroughly review documents like thesebefore you start your assessment to have an idea of how the organization’s policies and procedures address each of their respective areas. The severity of your findings will be directly related to how the organization has approached its policies and what it allows to occur on a daily basis. This same thought process must be applied to the remaining 13 sections of the standard so that your checklist will be sure to include all the right documentation.

After you’ve thought about the types of documents you need to see – it will be helpful to know what to ask during the interviews. At this point, you will need to go through all 15 areas and sub-areas and start to craft questions that get to the root of what you need to know. The following is a very small example of questions you can create to address each section of your chosen structure.

Is there an Information Security Policy?
How is the Information Security Policy reviewed?
Are there set intervals to ensure periodic reviews?
What are they?
Who is the Information Security policy owner?
Is the policy disseminated to the user population?
Is there a management structure to manage and champion Information Security in the organization?
Is there a CISO?
What is the reporting structure of individuals responsible for security?
Are there specific Information Security goals defined for the organization?
Is there a department/owner responsible for tracking assets?
Who are they?
How are assets tracked?

After these steps are complete you can now…


This is where all the prep work spent identifying different departments that make up your organization will come in handy as you will now start to apply the points to these departments to see how they measure up. So for example, here is an idea of how you can go about the assessment – using the previous example of a Healthcare organization, our department and system inventory may look like this:

  • Patient Billing
    • System 1
    • System 2
    • Procedures
  • Laboratory Services
    • System 1
    • System 2
    • Procedures
  • Human Resources
    • System 1
    • System 2
    • Procedures
  • Administration
    • System 1
    • System 2
    • Procedures
  • Medical Records
    • System 1
    • System 2
    • Procedures

Using your questionnaires, you will need to speak with the custodian of each system to determine how their specific business practices measure up to the different sections of the assessment standard. As you compile all the data, certain weaknesses may start to come to light. The practitioner will then start to build a report to document their findings on each assessed system. To prioritize the weaknesses and sum them up in a manageable way, the next step is necessary…


This is a ranking of the severity of each identified weakness. These weaknesses can be rated from Low to Very High.To arrive at a reasonable estimation of risk, the practitioner considers variables such as the following:

    • The severity of the threat (usually ascertained by external write-ups and ratings)
    • Impact to the business if successfully exploited,impact if business system became unavailable or if sensitive information became compromised
    • Adopted or current methods in place to mitigate the threat
    • Considering all of the above factors and the knowledge that has been gleaned throughout the assessment, the practitioner assigns an estimation of risk to the system

Example of a Risk Rating Table






Critical System #1


Very High



Critical System #2





Critical System #3





Critical System #4

Very High

Very High


Very High

A table such as the one shown above should be created in the final report to outline all assessed systems and their current security posture. This creates a high level dashboard that management can refer to in order to determine which systems need to be addressed first.The final risk assessment report is a very valuable resource since the organization can now focus on high priority areas and start to calculate necessary security safeguards as well as how much of an investment is appropriate based on the severity of the finding. This brings us to our last section…


Without a doubt, you will have a tremendous amount of data to organize into a format that is readable and follows your chosen structure. A suggestion to building your report is to use the headings from your chosen structure and then start to outline the results of each section from each related department – here is an example:

    • Information Security Policy
      • Description of security posture
      • Risk Level
    • Approved usage of company assets
      • Description of security posture
      • Risk Level
    • Business Continuity Processes
      • Description of security posture
      • Risk Level
    • Security Awareness Training procedures
      • Description of security posture
      • Risk Level
    • Management Commitment to security
      • Description of security posture
      • Risk Level
    • Information Security coordination
      • Description of security posture
      • Risk Level

Using a format similar to this structure you can outline all of your discovered findings in a very coherent and organized manner. This report should then be kept on hand and updated on a periodic basis. Using a risk assessment, an organization can track its risk and give attention to the most important areas thereby improving its security posture!


Posted: February 14, 2013
Jesse Valentin
View Profile

Jesse Valentin is a security professional with 18 years experience in Information Security. During this time he has worked for various financial firms, security consulting companies and non-profit organizations where he has specialized in areas of Enterprise Risk Assessments, Compliance Readiness, IT General Controls Audits, development of Incident Response plans, Corporate Information Security Programs, Security Awareness Training and Secure Application Architecture.