A Cybersecurity Risk Assessment Checklist for Infrastructures in Transition

Dev and Ops teams constantly evolve their technology and procedures to increase speed and lower costs. Typically this leads to increasingly abstracted infrastructure, such as containers, container orchestration, and serverless infrastructure — and while this makes it easier for organizations to advance their technical, operational, and business goals, it simultaneously increases vulnerability to attack, reduces visibility, and challenges existing controls.

Since it’s always more difficult to secure infrastructure after it’s built, the best time to evaluate monitoring and controls is when infrastructure evolution is being planned. During the planning stage, Security and Operations teams can evaluate the interrelated factors that affect security and ensure that appropriate mechanisms are integrated directly into infrastructure design and operations from the outset. Done this way, security becomes part of the infrastructure evolution rather than an after-the-fact add on, and delivers an immediate ROI instead of posing an operational burden.

Cybersecurity Risk Assessment Checklist

To help you evaluate risk and plan systemic remediation for your organization, we’ve created the 5-step Cybersecurity Risk Assessment Checklist that’s outlined in the remainder of this blog post.

To derive the greatest benefit from the checklist, be thorough: Make sure you and your team build up a thorough knowledge of the systems, operations, security, and compliance regulations within your organization. In addition, ensure that the scope of assessment includes your own deployed servers as well as all cloud providers and third-party apps and resources that make up your system. Think about your server and serverless style deployments as well. Finally, as appropriate, add, modify, and delete detail so the assessment is specific to your company’s requirements and priorities.

1. Baseline Your Normal Operating State

• Describe the systems, applications, services, and scripts that run in your environment.
• Evaluate who has privileged access and how access is granted and revoked.
• Identify the location of any sensitive data that is stored, including customer data and data governed by compliance regulations.
• Create documentation or a network diagram, including connections to third-party applications.

2. Identify Your Threat Landscape

• Consider common threats and how they could affect you. Take Test and Dev environments into consideration in addition to your Production environment. Evaluate the following:
  • Insider threats. These could come from employees and contractors in your organization or even third-party organizations, and could result from malicious actions or inadvertent behavior.
  • Sensitive data leaks through unintentional exposure of information.
  • Phishing or social engineering attacks.
  • Credential theft, especially for longer-lived credentials or high-privilege credentials.
  • Potential for unsecured or misconfigured cloud resources (S3, for example), infrastructure ports for virtual servers, containers, and container orchestration platforms.
• If it’s available, examine data from past incidents to detect patterns.

3. Determine Inherent Risk and Business Impact

• Rate the full potential impact of each threat without controls in place.
• Determine the value if sensitive data or assets were completely lost, including the effect on company or customer reputation and future loss of revenue for either.
• Determine the cost of system downtime and restoration.

4. Factor in Your Control Environment

Environments are typically segmented into control planes and data planes. The control plane orchestrates and authorizes actions carried out in the data plane.

• Evaluate specific aspects of your control environment including:
  • Administrative controls and layers of access based on defined roles and the principle of least privilege
  • Organizational risk management controls. What type of data do you need to protect and how?
  • User identification and runtime access restrictions based on role

5. Examine Comparable Businesses

A lot of valuable threat intelligence is available to help you identify threats specific to your type of business. Here are three ways you can start to gather it:

• Consult industry-specific compliance standards.
• Examine breaches in comparable organizations.
• Speak with companies in your industry about specific security issues they’ve faced.

Get Proactive — Start a Security Risk Assessment Now

Don’t let a transition in infrastructure get ahead of security. As early as possible, complete a Security Risk Assessment to identify risks and plan for security monitoring and controls that you can then integrate across your full stack and full lifecycle. With a thorough understanding of your organization’s specific risks, you’ll be able to determine where improvements need to be made to your control environment.

Once you have completed the Risk Assessment Checklist, use the information you’ve gathered to prepare a Risk Assessment Report. You can turn this into a Risk Management Strategic Plan — an action plan for reducing and managing risk in your organization while improving security maturity on a proactive, ongoing basis.

• To begin baselining your organization’s cloud security maturity as a start to implementing a continuous plan for strengthening your security posture, feel free to take our Cloud SecOps Maturity Assessment.
  
• Download a copy of our whitepaper, Cloud Security Observability: A Guide to Reducing Your Cloud Native Infrastructure Risk, along with the Security That Keeps Up With Your Evolving Infrastructure data sheet.
• Finally, check out our Threat Stack Cloud SecOps Program℠ to see how it can help you integrate Security and Operations — without having to recruit hard-to-find talent or struggling to integrate and interpret data from multiple point solutions.