Reacting to IT Audit Findings? Get Ahead of Them with Cyber Risk Quantification!

June 8, 2020  Taylor Maze

Summer has begun – the birds are chirping, the sun is shining, and the interim audit testing is beginning.

Soon the controls review and documentation requests will begin to roll in (along with that familiar sense of dread), and you may find yourself bracing for the results. If you are tired of constantly being in reaction mode to IT audit findings, quantitative risk analysis using the Factor Analysis of Information Risk (FAIR) model, operationalized by RiskLens, is the way out. Using the RiskLens Software as a Service (SaaS) platform, organizations quantify their loss exposure to specific risk scenarios in financial terms, dollars and cents. In three steps, they can understand, analyze, and remediate IT risks before those risks end up on an audit report.

1. Define the Risk Scenario(s)

The first step is to identify the scenario(s) you want to quantify. A useful starting exercise is to list the IT-related concerns that are voiced most often within the organization: privilege management, password controls, patching/configuration management, and so on. Once you have identified the concerns, you can begin scoping Loss Statements. A well-defined Loss Statement names an asset, a threat, and an effect, and optionally the method by which the threat acts.

For example: the risk associated with a cyber criminal (threat) exploiting vulnerabilities caused by poor patch management (method) in order to exfiltrate PII from crown-jewel databases (asset) resulting in confidentiality loss (effect).

Learn more: How to Scope A Risk Analysis Using FAIR




A RiskLens analysis of an audit finding comparing acceptable and unacceptable controls.

2. Quantify the Loss Exposure

After the Loss Statements have been defined, you can begin the data gathering and quantification process. This involves working with Subject Matter Experts (SMEs) within your organization to estimate how often the Loss Event is likely to occur (Loss Event Frequency) and how much loss the organization expects to sustain each time it does (Loss Magnitude). Using the FAIR model, you can break each of these questions into smaller, more answerable pieces by working lower in the ontology; for example, Loss Event Frequency decomposes into Threat Event Frequency and Vulnerability (see the FAIR ontology here).

Often a concern such as "patch management" is made up of multiple risk scenarios. Using the Rapid Risk Assessment functionality of the RiskLens platform, you can quickly prioritize these scenarios to determine which requires focus first. You can also aggregate the individual scenarios to understand your total risk from the given topic.

Worried about the amount of work required? Don’t fret - as a RiskLens customer, defining estimates for each of the components of the FAIR model will be more efficient and consistent than ever due to the robust data warehouses built into the platform. These data warehouses will be refined and customized for your organization during your onboarding to the RiskLens platform, ensuring you’re ready to hit the ground running on your first analysis.

For more information on data warehouses, see 3 Ways RiskLens Simplifies Quantitative Cyber Risk Analysis

3. Evaluate Control Improvements

The purpose of the analysis is to understand the current-state risk associated with the scenario. If the results are cause for alarm and you determine that mitigation is required, you can use the RiskLens platform to evaluate the impact of various control improvement options before committing budget to them.

For example, for the Loss Statement above you may want to understand how increasing the patching cadence changes your risk of a cyber criminal exploiting unpatched vulnerabilities and exfiltrating PII from crown-jewel databases. In FAIR, Vulnerability is the probability that a threat event becomes a loss event; faster patching shrinks the window in which a known flaw is exploitable, so the improvement is modeled as a decrease in Vulnerability while Threat Event Frequency and Loss Magnitude stay as estimated. You then rerun the analysis with the updated estimate, compare the new Loss Exposure to the current state, and calculate the ROI of the control investment against its cost.
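As an added example, not code from the original post and not RiskLens's own implementation, the three steps above as a stand-alone Monte Carlo FAIR analysis in Python using only the standard library. The scenario is the Loss Statement from step 1; step 2 decomposes it into Threat Event Frequency, Vulnerability, and Loss Magnitude estimates; step 3 models faster patching as a lower Vulnerability range and computes the ROI. All ranges, the 10,000-year simulation length, and the $200,000 annual control cost are constructed for illustration, and triangular distributions stand in for the PERT curves that FAIR tooling typically uses.

```python
"""Monte Carlo FAIR analysis: Risk = Loss Event Frequency x Loss Magnitude,
current control state versus an improved one, with control ROI.
Illustrative example; all estimates below are constructed, not real data."""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated SME estimate as a (minimum, most likely, maximum) range."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT/BetaPERT curves FAIR tools use;
        # random.triangular returns `low` when low == high (no division error).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One Loss Statement decomposed one level down the FAIR ontology."""
    name: str
    tef: Estimate   # Threat Event Frequency: attack attempts per year
    vuln: Estimate  # Vulnerability: P(attempt becomes a loss event), 0..1
    lm: Estimate    # Loss Magnitude: dollars per loss event (primary + secondary)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler: number of loss events in one simulated year."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> list[float]:
    """Return one annualized loss figure (dollars) per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        n_events = _poisson(rng, lef)
        losses.append(sum(scenario.lm.sample(rng) for _ in range(n_events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Annualized Loss Expectancy (mean) plus the percentiles a risk owner reads."""
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"ale": mean(losses), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": ordered[-1]}


def control_roi(current: Scenario, improved: Scenario,
                annual_cost: float, **kw) -> dict[str, float]:
    """Risk reduction from a control change and its ROI against the control's annual cost."""
    before = summarize(simulate(current, **kw))["ale"]
    after = summarize(simulate(improved, **kw))["ale"]
    reduction = before - after
    return {"ale_before": before, "ale_after": after, "reduction": reduction,
            "roi": (reduction - annual_cost) / annual_cost}


# Constructed, illustrative estimates for the Loss Statement in the post.
CURRENT = Scenario(
    "Cyber criminal exploits unpatched vulns to exfiltrate PII from crown-jewel DBs",
    tef=Estimate(2, 6, 12),            # attempts per year
    vuln=Estimate(0.10, 0.25, 0.50),   # slow patch cadence: wide exploitable window
    lm=Estimate(250_000, 1_500_000, 8_000_000),
)
# Faster patching is modeled as lower Vulnerability only; TEF and LM are unchanged.
IMPROVED = replace(CURRENT, vuln=Estimate(0.02, 0.06, 0.15))

if __name__ == "__main__":
    for label, s in (("current", CURRENT), ("improved", IMPROVED)):
        print(label, {k: round(v) for k, v in summarize(simulate(s)).items()})
    print("ROI", control_roi(CURRENT, IMPROVED, annual_cost=200_000))  # assumed cost
```

The percentiles matter as much as the mean: an auditor's finding is usually about the tail, and `p90`/`max` show what a bad year looks like, while `ale` is the figure to set against the control's annual cost. Because the seed is fixed, reruns are reproducible, which is what you want when a control option is being compared side by side with the current state.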

Learn more: How IT Auditors Evaluate the Effectiveness of Controls with Risk Quantification

If you’re ready to start acting and stop reacting to IT risks, talk to a RiskLens expert.