IT Security Risk Assessment Checklist

You’re getting ready to schedule your security risk assessment — or maybe you already have.

Hopefully, you’re excited about the deep dive into your IT environment’s strengths and weaknesses.

However, we understand if there are some jitters within the IT department before the assessment begins. For example, you may be worried about what vulnerabilities the security team will discover or what gaps have been flying under the radar.

The assessment process includes a preliminary interview, where your security adviser will walk you through each step of their approach. However, The KR Group has repeatedly received important questions from prospective customers before that interview takes place.

As you’re preparing for the big security risk assessment, we want to help answer some of the questions about what you need to begin the process.

A reputable security team will work with you before, during, and after the assessment to assure you that you’re on the same team to get you closer to a secure IT environment.

Even if you identify gaps that were flying under the radar, know that the assessment is the beginning of a more robust approach to your security posture.

Are you ready to get started?

You can read about the timeline of a security risk assessment in “How Long a Security Risk Assessment Lasts [Steps & Timeline].” Still, before the first day of the project, there are a few to-do items you can check off to help the process go smoothly. They include:

  1. Keep the prospective project private
  2. Gather available network diagrams
  3. Gather information on cybersecurity insurance and compliance mandates
  4. Gather policy and written-process documentation
  5. Create a list of all security solutions and critical IT assets

This list might seem extensive, but know it’s all to help your security adviser be thorough when evaluating your IT environment. The more information you can provide, the better starting point our team will have.

Keep the Project Private

Before we get into the information you need to put together for your security adviser, we want to remind you to keep the status of the security risk assessment to yourself.

The fewer people who know, the more realistic the analysis will be. Additionally, there are two phishing tests scheduled as part of the assessment process.

Your security adviser wants an accurate representation of how many users will fail the test. However, if users are aware of an ongoing security assessment, they will likely be more vigilant than when they’re not expecting a security threat.

Gather Network Diagrams

If you have diagrams of your network, you should ensure they are up to date and be ready to provide your security adviser with copies of these.

They’ll use these diagrams to rapidly understand your network topology and develop an assessment path for your network infrastructure.

Not every organization has these readily available, and they’re not required for a security risk assessment, but they are helpful.

Inform About Insurance and Regulatory Compliance Mandates

This checklist item won’t apply to every business. If you do have a cybersecurity insurance policy or must abide by regulatory compliance mandates (HIPAA, GLBA, FERPA, FINRA, etc.), you’ll want to pass along that information to your security adviser.

This information is helpful to your security adviser if you have specific requirements related to your policy. It can also dictate your incident response policy in the case of a security breach.

Ultimately, it helps the assessment team understand if and how an insurance policy influences the IT department’s policies and processes.

And when it comes to information about any regulatory mandates, this can give the security team an idea of any specific security measures you must meet.

Provide Policy and Written Process Documentation

Your security adviser will want to see what you document and how you document what you do.

This might include the following:

  • Disaster recovery and business continuity (DR/BC)
  • Risk management
  • Incident response playbook
  • Change control
  • Acceptable use of the IT environment
  • Onboarding and off-boarding procedures
  • Current accounting processes

If you have minimal processes around the above policies and documentation, you’ll likely have gaps, inconsistencies, and consequent risks.

So, it’s also important to let your adviser know what you don’t have in place since the security team takes that into account when evaluating your overall security weaknesses.

List Security Solutions and Critical IT Assets

You’ll want to let your security consultant know what security solutions you currently have in place. This includes software, hardware, and services.

Put together a list of everything you deploy to keep malicious actors out of your IT environment so the security team can evaluate if they’re effectively protecting your business.

To round out the information, you’ll want to inform the security team of what IT areas are most crucial to your organization. Some examples are primary applications and essential data, such as email, directory services, ERP, CRM, custom applications, etc.

While an attack is detrimental in any part of your IT environment, these are the places that would instantly cripple your company.

By putting this information into a list, the security team knows from the beginning what you consider the “core” of your IT environment. This is where they’ll focus their efforts.

Get Ready for Your IT Security Risk Assessment

Signing up for an IT security risk assessment should be exciting. You’ll get unparalleled insight into the strengths and weaknesses of your IT environment. Then, in the final report, you’ll receive a prioritized list of actions you can take to secure your assets.

To get started with the assessment, you’ll need to gather and provide the details discussed above. These include:

  • Network diagrams
  • List of critical IT assets
  • Cybersecurity insurance information
  • Relevant regulatory compliance mandates
  • List of security solutions and services
  • Policy and written-process documentation

Additionally, while you’re accumulating these materials and throughout the assessment process, it’s best to keep the project’s status private. This will give your security adviser the most realistic view of what an average day looks like in your IT environment.

For more help preparing for an IT security risk assessment, download our free timeline or check out our article, “How to Read a Security Assessment Report,” to understand what to expect after the assessment.
