20 Questions For Preparing An IT Risk Assessment

risk-assessment-managementMany small businesses are being dragged into the arena of IT risk assessment by larger client companies, suppliers, or regulators.  Common scenarios include credit card (PCI) or HIPAA compliance.  Since the Target breach, smaller vendors and supplier companies who have a network connection into the IT operations of a larger company are being required to undergo the same sort of vulnerability and risk assessment procedures that have been common in enterprise companies for many years.

How to undertake this process is generally an unknown territory for the management of many small companies.  If your company is a candidate for this sort of assessment, here are twenty questions that will help you get started.

  • What makes our company an attractive target for cyber-criminals?  Trust me, something you do or have makes you a valuable target, even if it is just your bank balance, so don’t skip over this one.
  • Do we hold personally identifying information (PII) for our customers, clients, or employees?
  • What are our most valuable electronic assets and intellectual property that could be compromised?
  • Do we have a computer incident response plan (CIRP)?
  • Where is the data stored?  Locally on a server, at a collocation site, or in the cloud?
  • Are we collecting data we don’t really need?
  • Are we retaining data we really no longer need?
  • Do we have data reduction and destruction policies and procedures?
  • Is the data encrypted?
  • Can this data be easily accessed by employees and exfiltrated on a flash drive?
  • What will be the impact if the breach is made public?
  • What if the data is held for ransom?
  • What if the data is destroyed?
  • Do we have backups?  Has anyone ever tried to restore the backups?
  • What regulatory or legal liability do we have if the data is stolen?
  • Are we prepared for lawsuits or regulatory enforcement?
  • How would we deal with media exposure that was the result of a breach?
  • Do we have cyber-insurance coverage? Do we really understand what is covered and what is excluded?
  • Are we using information technology and cybersecurity best practices?
  • Are we using a cybersecurity framework such as NIST-CSF?

My recommendation for small business owners is to find a cybersecurity partner to work through this process with your management team.  Many of the name brand cybersecurity companies are too large and too expensive for most small businesses. The good news is that there are many more security firms now that are scaled to support smaller business entities, and they are easier to find.  I’ve seen a trend among mid-tier IT support companies; many are adding cybersecurity departments either organically or through acquisition.  So if you are working with a tech support vendor, check with them first.  And if not, you may be able to get a referral from a business peer or partner.  Either way, you should get started now.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.