As we are thrown headlong into the holiday season, several things are inevitable: peppermint lattes, parking catastrophes at your local mall, and (if you're a control owner, director, systems architect or just an unlucky IT analyst at a business with a 12/31 fiscal year end) year-end controls testing by your friendly neighborhood auditor. 'Tis the season for evidence-gathering emails, process interviews, debates about how ineffective your process is, and about a million screenshots. Not to mention the annual argument about whether that finding is *really* high risk.
While auditors and IT staff alike try to do their best to make this as smooth a process as possible, as a former auditor I can attest (get it?) to the fact that this is not always the most painless experience. Here are three ways you can use the FAIR model to make for a more pleasant audit season.
1. Understand your business risk
Using FAIR and RiskLens Cyber Risk Quantification (CRQ), you can run an enterprise-wide analysis that shows you which areas present the largest risk in your organization (before your auditor tells you!).
An enterprise-wide analysis lets you assess enterprise risk by analyzing multiple risk scenarios across different areas of the organization. By looking at multiple types of scenarios (confidentiality, integrity and availability losses) across a variety of assets, you can pinpoint which scenarios and assets present the greatest loss exposure and begin weighing mitigation against risk acceptance. For example, you might analyze the aggregate risk associated with the following scenarios:
The risk associated with…
- A non-malicious privileged insider mis-addressing emails containing client PII, resulting in a confidentiality loss
- A DDoS attack resulting in an extended outage of a crown-jewel application, an availability loss
- An inappropriate change reaching production because change management procedures were not followed, an integrity loss
- A cyber-criminal breaching a database containing PII, a confidentiality loss
2. Evaluate areas of concern
Once you have pinpointed your areas of concern (or if you already had specific areas in mind), you can conduct individual analyses to take a closer look at a specific loss event. A narrower analysis lets you use more precise data points and so gain a better understanding of the loss exposure associated with that event.
For example, you might conduct a quantitative risk analysis of a cyber-criminal breaching a database containing PII. Using a rigorous, defensible process to gather data, you estimate both the loss event frequency (how often the breach is expected to occur per year) and the loss magnitude (what each occurrence costs), and from those the loss exposure, typically expressed as an annualized loss. Besides clarifying this specific event, the analysis gives you a common unit in which different risks can be compared.
3. Consider mitigation alternatives
After the in-depth analysis, your organization must decide whether to accept the risk or implement a mitigating control. If you determine the risk is too great to accept, you then have to decide which candidate control provides the greatest return on investment. This can be done while you are assessing scenarios on your own or after an audit finding lands.
To compare the ROI of different control investments, you first complete the baseline analysis. Once you are comfortable with its results, you version it: a versioned analysis is a carbon copy of the original that you then update to reflect the changes the control improvement would make to specific parts of the model, leaving everything else as it was so the two can be compared like for like.
In the data breach scenario, one of the controls you might be considering is encryption at rest. Before updating the versioned analysis, decide which part(s) of the model the control actually affects. Encryption at rest does not change how hard the database is to reach, so the loss event frequency stays where it was; what changes is what the attacker walks away with. Records that cannot be read are far less costly to have lost, so the control lowers the loss magnitude. The assumption worth checking before you take credit for that reduction is that the encryption keys are not reachable along the same path as the data; a breach through an application that decrypts records on demand yields most of the plaintext anyway, and the magnitude barely moves.
After making the changes, rerun the analysis and compare the results of the current-state and future-state scenarios. The comparison tells you the change in loss exposure from implementing encryption at rest, which you can then set against the cost of the control.
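The frequency-and-magnitude estimate described in section 2 and the version-then-compare procedure in section 3 can be carried out in a few dozen lines of Monte Carlo simulation. The block below is an added example written for this post; it is not RiskLens output and does not reproduce that product's engine. The class and function names (`Estimate`, `Scenario`, `simulate`, `compare`), the PERT-style sampling, the dollar and frequency ranges for the PII database breach, and the annual cost of the encryption control are all constructed for illustration and are not figures from any real assessment.

```python
"""FAIR-style Monte Carlo: a baseline loss scenario and a versioned copy
with a mitigating control, compared on annualized loss exposure (ALE).

Added example with constructed estimates. It is not RiskLens output and
does not reproduce that product's engine; standard library only.
"""
from dataclasses import dataclass, replace
import math
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Modified-PERT draw (shape parameter 4): a Beta distribution that
        # peaks at the most-likely value, stretched over [low, high].
        span = self.high - self.low
        if span <= 0:
            return self.low
        alpha = 1 + 4 * (self.most_likely - self.low) / span
        beta = 1 + 4 * (self.high - self.most_likely) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss event frequency, events per year
    lm: Estimate   # loss magnitude, dollars per event


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year for an annual rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 1) -> list:
    """One annualized loss per simulated year: draw a rate, draw how many
    events occur at that rate, then draw and sum a magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: list) -> dict:
    """Mean ALE plus the 10th, 50th and 90th percentile years."""
    ordered = sorted(losses)

    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": statistics.fmean(ordered),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def compare(baseline: Scenario, future: Scenario, annual_control_cost: float,
            trials: int = 20_000, seed: int = 1) -> dict:
    """Current vs. future state: ALE reduction set against the control's cost."""
    base = summarize(simulate(baseline, trials, seed))["mean"]
    fut = summarize(simulate(future, trials, seed))["mean"]
    reduction = base - fut
    return {"baseline_ale": base, "future_ale": fut, "ale_reduction": reduction,
            "net_annual_benefit": reduction - annual_control_cost,
            "roi": (reduction - annual_control_cost) / annual_control_cost}


# Constructed, illustrative estimates; not figures from any real assessment.
BREACH = Scenario(
    "Cyber-criminal breaches a database containing PII",
    lef=Estimate(0.05, 0.2, 0.5),
    lm=Estimate(500_000, 2_000_000, 10_000_000),
)
# Versioned copy for the control under consideration. Encryption at rest leaves
# the attacker's path, and so the LEF, unchanged; only the magnitude range moves,
# because exfiltrated ciphertext carries far less breach cost.
BREACH_ENCRYPTED = replace(
    BREACH,
    name=BREACH.name + " (with encryption at rest)",
    lm=Estimate(100_000, 400_000, 2_000_000),
)
ENCRYPTION_ANNUAL_COST = 250_000  # assumed licence plus key-management run cost


if __name__ == "__main__":
    for s in (BREACH, BREACH_ENCRYPTED):
        print(s.name, {k: round(v) for k, v in summarize(simulate(s)).items()})
    print({k: round(v, 2) for k, v in
           compare(BREACH, BREACH_ENCRYPTED, ENCRYPTION_ANNUAL_COST).items()})
```

Running the script prints the current-state and future-state distributions and the comparison. Because `replace` copies every field of the baseline except the ones named, the future state differs from the current state only in the loss magnitude range, which is exactly what versioning an analysis is meant to guarantee; if the control also changed the frequency (a network segmentation project, say), `lef` would be the field to override instead.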
By using this method, you can evaluate the remediation your auditors recommend for a finding in the same terms as any other control investment, and arrive at a resolution that both you and your auditors can agree on.