
Cybersecurity Risk Assessments and Third Party Audits: What You Need to Know

March 8th, 2022 | 15 min. read


Every cybersecurity program will have vulnerabilities. This can be especially scary for companies with an Employee Stock Ownership Program (ESOP).  

You want to keep your employee-owners and their assets safe, but how do you know that your cybersecurity program is doing enough?  

The Department of Labor’s cybersecurity best practices for fiduciaries recommend that your company’s cybersecurity program include a risk assessment program and undergo a third party assessment.

So, where do you start? 

How to Identify Vulnerabilities in Your Cybersecurity Program 

Before we discuss how to conduct a risk assessment and how to receive a third party audit, it’s important to note that they are two separate activities. Let’s break them down.

What is a Prudent, Annual Risk Assessment? 

According to the Department of Labor’s ESOP best practices, a risk assessment is an effort to identify, estimate, and prioritize information system risks. Risk assessments are done internally and are focused on understanding and categorizing your company’s cybersecurity risks. There aren’t one-size-fits-all standards for every company to follow.  

For example, a creative consulting startup with five employees will need to look at different cybersecurity risks than a 500-employee engineering firm.  

What is a Third Party Assessment? 

On the other end of the spectrum is a third party assessment, in which an outside group assesses your cybersecurity practices and scores the strength of your program.

While a third party audit finds gaps in your program, it doesn’t relieve you of the responsibility to manage the risks it finds yourself. Third party audits help you understand and categorize which systems are at a higher risk of being breached.

How to Conduct an Annual Cybersecurity Risk Assessment (3 Steps)

A risk assessment consists of three parts: 

  1. Business Impact Analysis (BIA)
  2. Confidentiality, Integrity, Availability (CIA) Study
  3. Privacy Impact Analysis (PIA) 

Your risk assessment will not only show you the parts of your business that are at risk, but also the impact a cybersecurity event may have. The impact (and understanding it) is just as important as finding the risk itself.  

1. Business Impact Analysis (BIA)

The first step in the prudent, annual risk assessment process is completing a Business Impact Analysis (BIA). 

To start, begin cataloging your critical processes and systems. Next, determine the value of those systems to your business. Different factors can affect the value of a system.  

Do those systems give your business a competitive advantage or help you save expenses? Does the system impact your brand, reputation, or even the safety of your business?  

Record these impacts, as they affect the value of your business. Once those two steps are complete, use that information to determine the impact on the business if the system were exploited, taken down, or the data within it were leaked.

For example, suppose Acme Engineering houses its drafting software on a server. If that server were taken offline by a cybercriminal, it would mean hours or even days of stopped work, which would result in lost revenue.

Once the BIA is completed, you will have a better understanding of the value of the systems.  

2. Confidentiality, Integrity, Availability (CIA) 

The second step in the risk assessment is the Confidentiality, Integrity, Availability (CIA) triad. 

With your BIA completed, you know how a cybersecurity event can impact your critical processes and systems. The CIA triad helps you determine which of the three properties matters most in protecting each system or process.

Each system or process is different and has different vulnerabilities. Confidentiality centers on keeping the data within your systems private. Integrity means making sure the data can be trusted and hasn’t been tampered with. Availability means the employees who need access to specific systems and data have that access when they need it.

Now that you have completed both the BIA and CIA triad, your company has a playbook. You have documented your risk, including your biggest risks, and you know how to protect your systems and processes from those risks.  

In the previous example, Acme Engineering houses its drafting software on a server. That server needs to be available so employees can do their jobs, which in turn makes the company money. Using the information from the BIA, Acme can prevent a work stoppage by keeping backups.

3. Privacy Impact Analysis (PIA)

For the third and final step, it’s time to look at the data you are storing on your systems. 

During your Privacy Impact Analysis (PIA), you identify the regulated data held in your systems. While the PIA is considered a component of a BIA, it differs in that privacy is governed by law.

Privacy is a complicated component of cybersecurity, with regulations varying by industry and geography. It is important to become familiar with how it will impact your business, but for the purpose of this blog, it will be covered at a high level.

As you discover private data in your systems, the deciding factor is whether it is required. When conducting a PIA, there are three questions everyone should ask themselves.

  1. Are you required to have this data in your systems? 
  2. Are the users that have access to the data required to have it to do their job? 
  3. Can you meet minimum protection requirements to keep it safe? 

If you answered “no” to any one of these questions, the data should not be in the system.  

After the Security Risk Assessment is Complete 

With the information compiled, you are well on your way to a security roadmap. Any technical issues discovered during your BIA, CIA, and PIA will need to be turned over to your IT department. Be sure your IT department has resources to handle them. If your IT department needs additional support or resources, Guide Star can help. 

There are two components your company needs to have a complete risk management program: an enterprise architecture team and a risk register. 

What is an Enterprise Architecture (EA) Team?

An enterprise architecture team establishes and manages cybersecurity standards for your business. These are often based on your chosen cybersecurity framework, and they are used to assess third party software, solutions, and vendors.  

Third parties undergo an annual review from a technical and procedural standpoint and receive a pass/fail score. Your technical roadmap is then updated to include items based on these reviews.

The purpose of the EA team is to ensure your partners are as secure as you are and to inform technology planning and roadmapping. This helps your IT team focus on where the risks are in your systems.

What is a Risk Register? 

A risk register is used for high-level, impactful risks that are either expensive or difficult to remediate. These types of risks need executive-level decision making to form a course of action. There are two options: you can fix the issue, or you can live with the issue.  

Once an executive decides to continue without fixing the risk, that decision needs to be documented in the risk register. Documentation is very important when it comes to risk. Your company may choose to continue using a vulnerable system for many reasons, including the system being important to the day-to-day operations of the business, the risk being too expensive to fix, or there simply being no fix available.

Once you have your risk register, you will need to review and manage it quarterly, taking any remediated items off the register. It needs to live in executive and board reporting so they are aware of the risks you carry at any given time.

Maintaining an Internal Risk Assessment Program 

With an enterprise architecture team and a documented risk register, you have an internal risk assessment program. This program is not a one-time assessment; it is an ongoing program that needs to be kept up-to-date and formally noted in both executive team and board meeting minutes.

6 Considerations When Receiving a Third Party Audit and Assessment

Now that you’ve done your homework, it’s time to turn it in to the teacher.  

A third party assessment consists of an external group reviewing your cybersecurity program, including your risk assessment, and then giving your company a score. They will tell you where you have gaps, what your company does well, and where it falls short.

There are six points to consider when planning to undergo a third party audit. 

1. Third party assessments aren’t worth it if your business can’t respond.

If your business doesn’t have an internal cybersecurity program or risk assessment, your business won’t have any of the tools necessary to respond to the gaps the third party will find. In addition, your company will need resources to respond to complicated technical roadblocks.  

If your IT department can’t solve them on their own, Guide Star has cybersecurity experts that can help.  

2. Before getting an assessment, engage with your IT department or Guide Star to make sure you have minimum protections in place. 

Minimum protections are the building blocks of cybersecurity. These include components like multifactor authentication, good firewall protection, and single sign-on (SSO). Your third party assessment will focus heavily on these baseline protections. If you don’t have these in place, the assessment will not provide you with any new insight. 

3. Good third party groups evaluate your business as a standard part of your assessment.

Cookie cutter approaches to cybersecurity don’t work. Every company is different, so evaluating your business is necessary to complete an accurate assessment.

4. Always check references. 

Like many other aspects of life, it is important to check the third party’s references. Reputation is essential when it comes to third party assessments. Search the company or contact former customers to ensure they will provide a quality assessment.  

5. Avoid third parties that deliver your assessment and leave immediately. 

Find someone who wants to help you succeed in protecting your business. A quality third party will give you the details of your assessment and then guide you on how to improve your cybersecurity program.

They should help you build a roadmap to success and meet with your board to advise them on the next steps. Guide Star can assist your business in the handoff between the third party and your executive team.

6. Don’t scramble; be honest.

If the third party asks about a system or tool you don’t have in place, be honest with them. The goal of a third party assessment is not to pass or fail; it’s to make your company and its infrastructure safer.

Think of a third party assessment like an annual wellness checkup. You don’t go to your primary care provider to get a grade on your health; you go to make sure you won’t have a heart attack.

What to Do with Your Security Assessment Results

Your third party assessment results should be incorporated into your risk assessment program and enterprise architecture reviews. Your IT department is on the front lines of cybersecurity, so the results need to be shared with them to ensure their technology roadmaps are accurate.

It is also important to communicate the results to your executive team and board, so they are aware of any gaps in your cybersecurity program. 

Keep Sharpening Your Cybersecurity Program 

Over time, your risk assessment and your third party assessment should look more and more similar. If your risk assessment is working properly, your IT department should know any gaps the third party assessment will find.  

As your cybersecurity program matures, there should be fewer surprises on your third party assessment because you are proactively managing the risks it will find. Keeping track of these risks and adapting to the changes mitigation will bring can keep your employee-owners (and their data) safe.

Remember, managing risk is not the third party’s responsibility; it is yours. Once you’ve completed your risk assessment and had a third party help identify any vulnerabilities, it’s time to ensure that your employees know how to spot a threat.

If you have yet to jump into cybersecurity, learn how to create a well-documented cybersecurity program today.