Small and medium-sized business (SMB) owners are often told that it is only a matter of time before their IT infrastructure will be compromised. To minimize the fallout from a data breach, SMB owners should begin an IT risk assessment program. Business owners understand the need, but tight budgets and confusion over the best program to use can hinder the process.

This article will focus on the recommendations of IT consultants who provide IT risk assessment services, and it will outline the process of how SMBs can create one to protect their organizations.

Matthew J. Harmon, co-owner of IT Risk Limited, said, “You know, there is no such thing as security. True security is unobtainable.” Harmon said security is neither black nor white, just shades of gray. Because of that, security should be viewed in terms of risk, not absolutes.

Harmon explained the difference between an audit and assessment. “An audit is a ‘check the box’ assessment comparing actual company practices with what company policies say the company should be doing. An assessment does not focus on whether a business is abiding by company policies or not. An assessment benchmarks how a business compares to what are considered best practices in the industry.”

Harmon defined industry best practices and said, “Best practices may include regulations such as HIPAA for patient records, PCI-DSS for card processing, or NERC for electrical infrastructure. All of which are applicable to a risk assessment, must not be ignored, and may be one of the focused assessments done after the initial enterprise-wide assessment.”

It’s important to clarify the definitions because in most cases, especially for companies without IT departments, having an IT risk assessment in place first will simplify the creation of a company security policy — an important document that allows companies to track and rectify harmful (security-wise) deviations. Harmon said that accounting for IT risk is a necessary cost of doing business.

Some SMB owners might not agree with Harmon. He said it’s essential for SMBs to become familiar with the HIPAA Omnibus Rule that came out last year. Even if a company is not in the healthcare field and does not deal with Electronic Healthcare Records, the rule is still relevant. “Does your HR department keep records of employees who miss work due to sickness or from being hurt on the job? If so there is reason to believe that kind of information is now protected under HIPAA, something many business owners do not realize,” Harmon said.

Effect of HIPAA Omnibus Rule

Other subject-matter experts are concerned as well. The HIPAA Omnibus Rule has enlarged the scope of what is considered protected information regarding an employee’s health. Below are some of the stipulations for which business associates are liable, according to a HiTech Answers article:

● Impermissible uses and disclosures.

● Failure to provide breach notification to the covered entity.

● Failure to provide access to a copy of electronic protected health information to either the covered entity, the individual, or the individual’s designee.

● Failure to provide an accounting of disclosures.

Harmon also mentioned a slew of additional regulations that affect businesses regardless of their size. Harmon said, “There is no ignorance in the eyes of the law.”

It may be an added expense, but contracting with consultants such as Harmon who make it their business to keep up-to-date on regulations and best practices regarding IT might, in the end, save money and conceivably the business.

The next step

Lenny Zeltser, another veteran information security professional who deals with risk management, is well known in the industry for his “knowledge cheat sheets.” Zeltser has one he calls Information Security Assessment RFP Cheat Sheet. It is a novel way for companies to start an IT risk assessment program. Zeltser said, “This cheat sheet offers tips for planning, issuing, and reviewing Request for Proposal (RFP) documents for information-security assessments.” Zeltser’s tips (paraphrased) below should be useful for those interested in getting an IT risk assessment, whether the company decides to use a formal RFP process or not:

First, the planning stage:

● Understand what’s driving the company’s need for the assessment so you can be specific when deciding on a consultant.

● Create an initial list of what should be included in the assessment.

● Identify the individuals who should take part in the selection process.

● Understand and confirm which employees are required to assist in the assessment.

In-house support for those who are conducting the assessment:

● Decide on a realistic timeline for the selection process including review of the candidates.

● Confirm the budget for the assessment, accounting for your needs.

● Clarify with the candidates how their responses should be submitted (email, fax, paper mail, etc.) and who receives them.

● Request itemized pricing from the candidates, to simplify comparing proposed services and costs.

What is to be included in the assessment:

● What business and IT objectives, including compliance requirements, should the assessment support?

● What milestones (dates for starting, ending, performing testing, etc.) are required?

● What reports and other deliverables are part of the assessment package? (For reports, outline desired table of contents.)

● Consider requiring a non-disclosure agreement if candidates want sensitive information for preparing a response.

Considerations when sending out bids:

● Consider finding potential candidates by researching speakers and authors who’ve demonstrated assessment expertise in IT.

● To meet promising candidates, take part in security events (SANS, InfraGard, ISSA, OWASP, (ISC)²).

● Ask that candidates respond by a specific date.

Choosing the best vendor:

● Check out the expertise of the individuals the vendor will assign to your assessment.

● Confirm the availability of the assessment team and that the schedule meets with your approval.

● Inquire about client references, preferably in the same industry as the company.

What should be discussed with potential candidates:

● Details about the organization: workforce size, and location details.

● Assessment requirements: Discuss assessment objectives, scope, your infrastructure details, etc.

● Terms and conditions: Include documents provided by your organization’s legal and procurement teams.

Choosing the correct assessment vendor

Now that the company has several bids, what is the best way to choose the perfect candidate? Kevin Beaver in his TechTarget paper, Best practices for choosing an outside IT auditor, offered advice on how to select an IT auditor, which in this case would be just as relevant for an IT risk assessment team member:

Do not dismiss candidates because of non-technical backgrounds: Until recently, audits and assessments were in the realm of business — meaning there is a chance the candidate has a business background rather than one in IT. That could lead one to assume the candidate would be unable to assess the company’s IT risk, but more often than not, candidates will have enough expertise in multiple areas.

Certifications count

There will always be debate on the value of certifications. Some certifications are more significant than others. Consider consultants with these certifications:

● Global Information Assurance Certification (GIAC):

    ● Security Essentials Certification

    ● Incident Handler

    ● Intrusion Analyst

● (ISC)² Certified Information Systems Security Professional

● ISACA Certified Information Systems Auditor

Experience counts

Harmon and Zeltser agreed with Beaver and said the two most important considerations when evaluating a candidate’s experience are:

● Did the candidates ask relevant questions?

● Were the candidates listening more than talking?

Another important consideration is what the candidates have done, in particular whether they have participated in IT risk assessments of companies in the same industry. Candidates who are busy, performing several major assessments a year, are another good sign.

Beaver said that when checking references, call the person instead of using email. Beaver said, “I’ve found that people tend to be more frank when talking live, but are typically nervous about how email comments may be used against them.”

Strong communications skills

The ability to communicate clearly and use language particular to the type of business is necessary. IT risk assessments create stress and dredge up issues that employees tend to take personally. An alert assessment team will recognize when this happens and respond in a way that avoids assigning personal fault and focuses on solutions to the problem.

Don’t assume a brand name is always better: In many cases, accounting firms that provide companies with financial audits and assessments also offer IT risk assessment programs. There may be some value in staying with the same firm, but Beaver said less emphasis should be placed on getting a brand-name seal of approval and more on creating a quality assessment program. Rotating IT risk assessment vendors might be a good idea, since doing so creates a broader perspective on the company’s risk rather than a single viewpoint.

Beaver also seconded Zeltser’s warning that the people who attend the pre-sales meeting are not necessarily the same ones who will do the actual work.

Ask to see actual client IT risk assessment reports: This may seem obvious, but Beaver stressed how important it is for IT managers to see actual reports from each candidate. The reports will obviously need a certain amount of redacting, but they should give those who will be using the report a chance to see whether they understand and like how the report presents information. Beaver also said that if a candidate cannot provide a sample, dismiss the candidate, and if the sample report includes confidential information, dismiss the candidate.

After the initial assessment

Once the IT risk assessment report is in hand and the changes it recommends have been made, a baseline has been created. Any changes going forward can now be judged as increasing or reducing risk. The risk baseline has an added advantage: it measures the effectiveness of the assessment team. If problems were addressed but did not diminish over time, that says something about the team.

Knowing how the risk assessment team performed matters because IT risk assessment is a program and an ongoing process, one that should be repeated yearly or whenever there is a major change in IT policies or infrastructure.