You can also take this opportunity to discuss within your organisation how many resources you would have to use to fix these issues if they were to occur. Our IT risk assessment template gives you the opportunity to fill in the time and monetary consequences, so you can consider the full impact of different IT security risks.
When we talk about assets in this context, we mostly mean assets related to your organisation’s IT. This can include hardware, such as the laptops and mobile devices that your staff use. If you do not already have a device management system in place, you might want to consider implementing one in order to keep track of your organisation’s mobile devices.
Additionally, assets can include the IT services provided by your organisation, such as internal communication systems (e.g., Microsoft Teams or Slack) or customer-facing services like the company webpage. Beyond IT assets, we also include staff as an asset: employees have a lot of influence over the state of your information security and can be the strongest line of defence when it comes to IT security, which is why it is important that they are aware of the security risks and have received awareness training on complying with the GDPR. We discuss this further in our free e-book on IT security defence if you want to read more.
Finally, if you use IT asset management, then it is very easy to use that document as a reference. You don’t have to list all of your company’s assets, but you can choose the most important or commonly used ones to start with.
Although self-explanatory, this column can be very useful for defining what you mean when you list different assets. For example, when we list staff as an asset, we can define it as both full-time and part-time employees. You can also define who is not included, for example, consultants, who act as external advisors to the organisation but are not officially part of the organisation.
Defining which department is responsible for each asset is advantageous because it prepares the company to respond when an issue must be fixed. Maybe instead of an entire department, it’s the Data Protection Officer who is responsible. Laying out responsibility is useful for a few reasons.
First, it can give you a better understanding, or a refresher, of each department's or sub-department's responsibilities. Second, clearly defined responsibilities can help the organisation react faster when there is a security risk.
However, we don’t recommend spending too much time on this column, as responsibilities can easily overlap between departments and change over time. We recommend getting a general understanding and being flexible when it’s time to fix the issue.
Step 3 - List threats and vulnerabilities
A threat describes any potential damage to an asset, which could affect the organisation. If there have been any security breaches or incidents in the past, you can list them in this column. For example, ransomware and malware or unauthorised access to confidential data could be considered threats.
For instance, the threat of ransomware often comes through websites. For this reason you should make sure that all staff members know how to browse safely while at work. They may unsuspectingly stumble upon a fake website and accidentally install ransomware, which locks access to the organisation’s files and their computer until the cybercriminals are paid. Next, we discuss the vulnerabilities that coincide with these threats.
Vulnerabilities can be described as the reasons why threats occur. When it comes to ransomware, the vulnerability might be staff members unsuspectingly stumbling upon a fake website and accidentally installing ransomware.
Vulnerabilities can also lead to unauthorised access to confidential data. In this case the vulnerability could be somebody forgetting to close a browser window after a video call and accidentally showing a customer their internal communications. Knowing how to prevent data breaches through video calls is therefore an easy step towards decreasing vulnerability. One of the most common security breaches happens because people send emails containing personal data to the wrong person.
The purpose of this section is not to place blame, but rather to think of potential security risks and the reasons why they might occur.
By understanding how the threats occur, we can:
a) Understand how big the threat is
b) Predict the probability of the threat happening
c) Think of ways to proactively avoid threats