Being the target of a cybersecurity assessment can be frightening. Cybersecurity covers a broad set of domains and assessments can be conducted in a multitude of ways. So how do you ensure that you have taken adequate measures to prepare for an upcoming risk assessment? Let’s look at some best practices that will allow you to efficiently and effectively plan for, and participate in, a cybersecurity assessment.
Start With the Basics
There are some fundamental pieces of information that will affect nearly all of your preparation activities. Find the answers to the following questions so that you know where to begin.
Identify who is requesting and conducting the assessment
- Is the requestor internal to your organization or an external entity such as a customer, regulatory agency, potential acquiring firm, etc.? The answer to this question has many implications, including scheduling, logistics, communications, legal questions, etc.
- If the request is from an external source, do they have the right to audit your organization? This is typically documented in official contracts or other business agreements.
- Will a third party be engaged to conduct the assessment? If so, additional agreements may need to be put in place prior to commencing assessment activities.
Confirm the scope of the assessment
- Does the assessment focus on the effectiveness and maturity of your overall security program? If this is the case, you will likely need to identify a broad base of internal stakeholders who represent your entire organization.
- Is the risk assessment scoped to a particular service, product, or information system? In this scenario, your group of internal stakeholders will likely be much more focused and the depth of the assessment is likely to be quite significant.
- Is there a regulation, framework, or standard (e.g. ISO 27001/2, PCI-DSS, NIST 800-53, GDPR, etc.) that is the basis of the assessment? Many organizations will leverage an existing set of security controls or a standard questionnaire for their assessments. It is important to get your hands on this information as soon as possible, in order to be fully prepared before the assessment begins.
- Does the assessment concentrate on any particular themes? Some organizations are primarily concerned with privacy issues, while others focus on business resiliency, and still others take an incredibly broad and holistic approach. You cannot assume that a “cybersecurity assessment” is going to target only deeply technical topics such as encryption algorithms. Don’t be surprised if you are asked about background check procedures, opt-in vs. opt-out privacy policies, or backup power supply capabilities.
Solidify an anticipated assessment schedule
- When will the risk assessment begin? Be comfortable pushing back against overly aggressive start dates. You are much more likely to provide meaningful and accurate information during an assessment if you have adequate time to prepare.
- Will there be a kickoff meeting or meetings? Oftentimes the best way to ensure that expectations have been adequately set is to talk them through.
- What is the targeted completion date? Internal stakeholders (e.g. CIOs, CISOs, CTOs, Legal, etc.) are likely to be very interested in the results of the assessment, even if the assessment is being requested by an external entity. It will be important to set expectations with these internal personnel as early as possible.
- Will you be allowed to review the results of the assessment before they are finalized? Many assessments include a remediation period during which the assessee can take immediate action to address identified risks. Knowing this in advance can be incredibly helpful for scheduling remediation-focused resources ahead of time.
Once you get these fundamentals down, you can plan accordingly and be ready to take action and start your assessment. It’ll make the whole road ahead of you much smoother, and you’ll be executing your assessment like a champ. Stay tuned to our blog for upcoming steps that will help you do just that – take action and execute seamlessly. In the meantime, see how you could complete one assessment and share it with all of your upstream partners.
DIRECTOR OF ASSESSMENT OPERATIONS