Risk Rating Explanation


In every exit meeting we explain our take on how we rate the risks that are specific to each audit assessment we review. Here is a quick overview of how we go about assigning the risk ratings.

First, we assign each assessment a Threat level risk rating and a Safeguard level risk rating.

Threat: The potential exposure if there were no safeguards or mitigation in place. For example, Perimeter Logical Security is a HIGH threat because we assume there are no firewalls or network segregation in place. For another example, policies are a MEDIUM threat because inaccurate policies would not expose information on their own and are less risky than actual controls.

Safeguard: Safeguards are the controls, policies and procedures in place to reduce risks or mitigate them altogether. Safeguards are anything that may reduce exposure.

Once these have been assigned, an associated OVERALL risk rating is determined. We come up with the overall risk rating like this:

Threat – Safeguard = Overall Risk

This may be presented in many different ways, but the differences mainly come down to semantics. It is sometimes presented as

Perceived Risk – Mitigations = Residual Risk
or
Exposure X Vulnerability – Controls = Risk

To understand the results better, here are the Garland Group definitions we use to determine each OVERALL Risk Rating:

HIGH: Easily exploitable risks that could result in exposed customer or sensitive information. Examples of this high risk rating include unencrypted laptops or mobile devices that do not require authentication.

MEDIUM/HIGH: These items are less likely to expose customer information, usually because some mitigating safeguard is in place, but not a strong enough one. Common Medium/High risk ratings include weak password or authentication requirements.

MEDIUM: Medium items may expose information with some effort, but may also be procedural or policy-related in nature. Policies that do not align with what is actually in place in the environment, or issues with policy adoption, usually result in Medium risks.

LOW/MEDIUM: Recommendations that deal with compliance or with fine-tuning procedures or logs are Low/Medium in nature. Examples of Low/Medium risks include disclaimers on the website or dated procedures.

LOW: Low risk items are not recommendations, because the safeguard in place is appropriate and outweighs the threat. Most items in our risk assessments receive this risk rating.

Our goal is to help you reach a point where you are comfortable with your risk levels, which differs for each institution. We present perceived risks to our clients so that you can decide which safeguards need to be enhanced and why.