Control Assessments Vs. Risk Assessments

by Brian Petzold | Jul 19, 2024

Control-Assessments-Vs-Risk-Assessments

When we first start working with new institutions, it is not unusual for us to see them struggling because they have focused their efforts on remediating controls that were found to be missing during a control assessment (NIST, CAT, ACET, RSAT, etc.). While control assessments are a quick way of identifying missing controls, they do not put those controls into the context of threats and assets and consequently do not prioritize the order of remediation. To prioritize remediation efforts better, the institutions should have also utilized a risk assessment that associated the controls with threats and assets.

As an example, let’s say that a control assessment finds that the organization does not require users to change their passwords regularly. On the surface, this can appear to be an important control that is missing, so auditors make it a critical finding that must be addressed immediately. But watch what happens when we associate that control with a threat in a risk assessment:

The threat that we are assessing is that an unauthorized person will be able to log in as the user. In assessing this threat, we found that users are not required to change their passwords regularly. If a password is compromised, the unauthorized person will have the password and will be able to log in as that user unless there are other mitigating controls in place. On further review, we found this threat has the following other mitigating controls:

  • MFA is required for every login. The MFA method is a hardware token that requires a valid fingerprint plus an additional PIN to allow access.
  • Conditional access rules require that the computer being used to access be joined to the domain.
  • Three invalid login attempts result in the account being locked until an administrator unlocks it. A user needs to physically come to the office to be unlocked.
  • Additional security software heuristically analyzes user activity and requires additional MFA using a registered authenticator app if abnormal activity is detected.

 

Looking at the same threat for each asset type in the organization can help further prioritize. Let’s say that in the previous threat example, the controls we described above are in place for the Windows network, but not for the Internet banking site administration site that is available to employees without logging into the network. In this case, we might prioritize making employees change their Internet banking passwords monthly but might also decide to eliminate network passwords entirely. Controls are now implemented based on the risk of threats to the asset instead of on a generic control assessment.

If you are interested in having a REAL risk assessment performed so that you can better prioritize control implementation, please contact us to find out how we can help!

Want these articles delivered weekly to your inbox? Subscribe to our Newsletter!

Recent Posts

Stay in the Loop!