How to Improve Your Security Risk Assessment Process in 4 Steps

Information Security Analyst at Avito

In this article, I share my experience and personal impressions of building the process of assessing and managing information security risks at Avito.

This is not about methodology, but about how we turned an initiative into a process. I will tell you what we needed to launch and sustain the risk assessment process, what benefit risk assessment brings us, and how to keep up with trends.

Spoiler: the case is interesting and unique in its own way, and at the same time in line with the latest trends in information security. Our experience will be useful not only to information security analysts, risk managers and security managers, but to everyone interested in risk assessment.

Initiative becomes a process when the value and outcome are clear.

A small digression about the rapidly changing trends in information security in recent years. We have all read about the transition from paper security to practical security. The new trend is the transition from practical information security to effective information security. The two differ in goal-setting: in effective security, the goals come from management.

Another trend is the shift from complex risks to unacceptable events. This article does not discuss unacceptable events in the usual sense, but we have partially reassembled the concept in our own way.

So, for ourselves, we defined the value as everyone seeing the overall risks and the trend toward reducing them, and being ready to commit to working on them. Management should commit first and foremost, deciding, based on the results of our assessments, what is truly unacceptable for them.

To bring this to management, we must have:

  • a high percentage of our resources covered by the process;

  • the risks and an understanding of how we can reduce them;

  • and most importantly, an explanation of these things in a language that management understands.

First stage. Initiative.

Companies still often begin to address security risks only because of:

  • obligations to regulators (as in banks);

  • requirements of the standards the company complies with.

Both options lead to a very formal and somewhat bureaucratic approach. Unless…

…unless we are talking about a company with a certain level of maturity. But more on that later.

The path of Avito's information security (IS) team to assessing security risks is unique, at least in my experience. The uniqueness is that risk assessment as a separate process was the product security team's own initiative.

Imagine that the IS and product teams have already established fairly mature processes within the Secure SDLC: there are audits and pentests, the product development teams perform threat modeling, there is a fairly conscious Security Champions community, a bug bounty program, involvement of IS in risk assessment at the start of new projects and initiatives, and so on. This is practical security “the classic way”! And then IS comes with a new initiative: in addition to all existing activities, risks will be assessed regularly.

The initiative has proven beneficial for everyone: product teams can understand potential problems in their overall security and improve their level in the TMM (Team Maturity Model, a self-assessment of team maturity against various criteria). The security team receives a transparent picture of risks and the ability to detect and solve systemic problems.

To get started, we only needed a few ingredients:

  • the willingness of information security experts to invest their time and meet with teams for joint brainstorming;

  • the willingness of the development teams themselves to understand and accept the risks found;

  • a simple and intuitive method;

  • the Excel spreadsheet beloved by risk managers, listing the resulting risks.

We conducted the first assessments, planned the tasks, and the most responsible teams took them into work.

What's next? Then we need to somehow keep the initiative alive, and roll it out to everyone, because we want a complete picture. To do this, we need to organize a risk assessment process in a constantly growing, dynamic company with 300+ teams. And we need to make sure the risk picture does not become outdated, that is, the assessment results need to be refreshed from time to time. Meanwhile, our resources stay the same.

A little about how risk assessments took place at this stage.

To find and first assess risks for a team, the information security expert meets with someone from the development team (usually the team lead and the security champion, or just a developer who understands the team's processes). As “homework”, the team itself makes a list of what it has and what data each item is associated with. The next step is questions about what bad things can happen with this information:

  • What happens if data leaks where it shouldn't?

  • What happens if someone changes the information in a way that was not originally intended?

  • What happens if the asset/data in the asset is deleted or unavailable?

Some teams may be able to immediately identify potential bottlenecks in their processes, especially if they have already done threat modeling.

At the meeting with the team, the expert checks the “homework” or does it together with the team. Then they dive deeper into possible scenarios of leaks, unauthorized changes and access, and unavailability, based on the specifics of the process or system. The task is to determine the significance of the bottlenecks already highlighted and to find what may have fallen out of sight. A checklist of questions also helps us look at systems and processes from different angles.

Second stage. Establishing the process.

It is important to understand that the transition from initiative to process (i.e., recognition of its value) is impossible without three important components:

  • company maturity;

  • management maturity;

  • availability of resources.

Any other necessary components at this stage are rather consequences of this list.

Here it becomes obvious to us that the tasks cannot be solved with our current forces and the omnipresent Excel. So we go further: we implement an SGRC (security governance, risk and compliance) system. We choose from the popular solutions available on the market and adapt them to our case and process.

Having been through the trials of the implementation process, we can now manage risks and scale the process through automation.

Namely:

  • create risks and the tasks for them, and share them with product teams;

  • monitor risks whose review period has expired;

  • find teams that have not yet been assessed on time;

  • collect the fresh assessment results, present them to all stakeholders and highlight the pain points.

Working with risks became easier, and the risk register began to fill up rapidly. At this stage we have a register with hundreds of risks and transparency at the lower level (for product teams).

The new approach to risk assessment is now unlocked!

As I wrote above, the initial parameters of the task are the need for regular risk assessment across 300+ teams and a limited number of information security resources.

After completing the second stage of process development, we can offer a choice of method for re-assessing risks. The first method (as we remember) is a meeting with an expert and brainstorming. Teams have access to all artifacts of the first assessments, so they can answer questions about what has changed since the last assessment and how much. In the case of minor changes, we perform the risk assessment asynchronously.

Third stage. Automation.

At the third stage, we focus on several areas at once:

  • moving towards automation. We collect all the assets and risk factors that can be collected without human involvement. Factors can be personal data, business-critical processes, APIs that send data outside, and similar things;

  • emphasis on the autonomy of product teams. In the target picture, they can independently monitor risks and even identify them, being immersed in the context of their business processes;

  • metrics, and more metrics. For example, it is important for us to know how relevant our risks are at any given time, whether tasks are being closed, what coverage of our services the risk assessment process has, and so on.
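As an added illustration (not Avito's SGRC system and not code from this article), here is a small Python risk register that implements the automation listed in the second stage and the metrics of the third: overdue risks, teams without a current assessment, coverage, open remediation tasks and a ranked list for the risk committee. Each risk carries the impact of the three assessment questions (leak, unauthorized change, unavailability). The team names, the 1..4 scoring scale, the one-year review period and the sample entries are constructed assumptions.

```python
"""Toy risk register with the bookkeeping an SGRC tool automates.

Added example, not Avito's tooling or code from the article. The team
names, the 1..4 scoring scale, the one-year review period and the sample
entries are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

REVIEW_PERIOD = timedelta(days=365)  # assumption: every risk is re-assessed yearly


@dataclass
class Task:
    title: str
    done: bool = False


@dataclass
class Risk:
    team: str
    asset: str
    # Impact if the data leaks / is changed without authorisation / is
    # unavailable: the three questions from the assessment meeting, 1..4 each.
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int              # 1..4
    assessed_on: date            # date of the last assessment
    tasks: list = field(default_factory=list)
    accepted: bool = False       # management accepted the risk at a committee

    def score(self) -> int:
        """Worst-case impact times likelihood (constructed scale)."""
        return max(self.confidentiality, self.integrity, self.availability) * self.likelihood

    def review_due(self) -> date:
        return self.assessed_on + REVIEW_PERIOD


def overdue_risks(register, today):
    """Risks whose review period has expired."""
    return [r for r in register if r.review_due() < today]


def unassessed_teams(all_teams, register, today):
    """Teams with no current assessment: never assessed, or assessed too long ago."""
    current = {r.team for r in register if r.review_due() >= today}
    return sorted(set(all_teams) - current)


def coverage(all_teams, register, today):
    """Share of teams holding a current assessment, 0..1."""
    covered = len(all_teams) - len(unassessed_teams(all_teams, register, today))
    return round(covered / len(all_teams), 2)


def open_tasks(register):
    """Remediation tasks still open on risks management has not accepted."""
    return [(r.team, t.title) for r in register if not r.accepted
            for t in r.tasks if not t.done]


def committee_top(register, n=3):
    """The highest-scoring unaccepted risks, for the risk committee agenda."""
    ranked = sorted((r for r in register if not r.accepted),
                    key=lambda r: r.score(), reverse=True)
    return [(r.team, r.asset, r.score()) for r in ranked[:n]]


# Constructed sample data: three assessed teams out of five.
ALL_TEAMS = ["payments", "search", "messenger", "ads", "recommendations"]
TODAY = date(2024, 6, 1)
REGISTER = [
    Risk("payments", "card token store", 4, 4, 3, 2, date(2023, 3, 1),
         [Task("rotate tokenisation keys", done=True), Task("restrict DBA access")]),
    Risk("search", "public listings index", 1, 2, 3, 3, date(2024, 1, 15),
         [Task("add rate limiting to the query API")]),
    Risk("messenger", "chat history", 3, 2, 2, 2, date(2024, 4, 20), accepted=True),
]


def snapshot(all_teams=ALL_TEAMS, register=REGISTER, today=TODAY):
    """The numbers a dashboard would show at this stage of the process."""
    return {
        "coverage": coverage(all_teams, register, today),
        "overdue": [r.team for r in overdue_risks(register, today)],
        "unassessed_teams": unassessed_teams(all_teams, register, today),
        "open_tasks": open_tasks(register),
        "committee_top": committee_top(register),
    }


if __name__ == "__main__":
    for key, value in snapshot().items():
        print(f"{key}: {value}")
```

With the sample data, the payments assessment from March 2023 is overdue by June 2024, so that team counts as unassessed alongside the two teams never assessed, and coverage drops to 40% even though three risks are on the books. An accepted risk (messenger) stays in the register but is excluded from open tasks and from the committee agenda, which is exactly the distinction a committee decision creates.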

There is a process. What next?

The icing on the cake of the entire risk assessment process is risk committees.

The idea is simple: we regularly bring management a picture of the risks and the tasks for reducing them. We receive either commitments or objections that the existence of some risks is acceptable, and sometimes the only correct choice. Priority tasks, initiatives, directions and goals appear. This is the movement towards effective cybersecurity.

We are still building the working scheme; right now we are at the third stage. But the benefit from what has already been done is there, and it is tangible. At the same time, it is possible that in the future we will transform the process and the methodology itself.

Thank you for taking the time to read this article! I will be happy to answer questions in the comments, where you can also share stories from personal experience about building information security processes and the difficulties that arose.
