FISASCORE r2 Risk Assessment

A good information security risk assessment is the driver for the entirety of your security program. Acting as the groundwork and the road map for your security practice, a risk assessment provides you with a baseline score that you can use to plan the improvements you’d like to make. While everyone’s baseline “secure” is different, the result of the assessment is the same— figure out where we need to make improvements and act on those areas.

But security is dynamic.

Between new technologies being introduced every day, new threats emerging by the minute, and a slew of security regulations added and changed regularly, the state of security is ever-evolving. Because of this, it’s important that our security risk assessments evolve with them. It’s imperative that we protect against all threats and account for all technologies— not just the evergreen ones— because it will ensure that we’re measuring our security in the most comprehensive way possible. Naturally, this requires change.

We periodically make control changes to our FISASCORE risk assessment as a result. When significant control changes are made, we create a new release. We are administering the most current release, r2, now. Here are the 10 things you need to know about the changes to your FISASCORE risk assessment.

1. Releases are Pushed by Control Changes

The score you get at the end of your FISASCORE risk assessment is an average of four controls (or areas) of information security. When we conduct a risk assessment, we take a look at how your organization handles each of these four controls in an objective manner. These yes/no questions give analysts a detailed look at exactly where you’re protecting your organization and where you aren’t. It’s these objective questions we’ve made adjustments to. Either the content or the weight they hold (the math behind each question) has changed, and this requires us to make these new releases.

fisascore risk assessment controls

Administrative Controls

Think of this as your “people” portion of security. Administrative controls involve the strategy, roles, and responsibilities of workforce members. This includes things like your onboarding and offboarding processes, your password rules, asset management, incident response planning, and more.

Physical Controls

Physical controls are the tactile security controls. These are the ones that protect people from physically accessing your information. This includes things such as the locks on your business’s doors, your badge system, the cameras you have on the facility, etc. After all, it doesn’t matter how secure your network is if someone can break in and steal your server.

Internal Technical Controls

Internal technical controls involve the controls you have to protect your internal information resources. This includes your network connectivity, remote access, servers and storage, mobile devices, and more. These controls focus on the things that happen inside your interal environment.

External Technical Controls

This is what people think of most when they think of information security. External technical controls take a look at your protections against the outside world. External technical controls involve firewalls and anything else that can help prevent black hat hackers from breaking through your network from the internet.

2. Impact on Industry Regulations

While the goal of FISASCORE is to ensure that organizations are doing the best they can to secure their own information within their business means, compliance is often a large driver of security measures to its users. This, in conjunction with doing the best we can to align with community-accepted frameworks, means that we map to as many industry standards as we possibly can. This helps FISASCORE users adhere to best practices and regulatory governance simultaneously.

The information security community updated the NIST Cybersecurity Framework (CSF) to version 1.1, which was released in April 2018. As FISASCORE r1 was mapped to NIST CSF’s version 1.0, we wanted to ensure that we were adjusting for the updated standards set forth by the community.

Updates on version 1.1 of the NIST CSF include:

  • Authentication and identity
  • Self-assessing cybersecurity risk
  • Managing cybersecurity within the supply chain
  • Vulnerability disclosure
Credit: N. Hanacek/NIST

3. New Technologies, New Releases

As technology develops, our standards around the security of them need to as well. The onslaught of new technologies is not uncommon. Technology is under constant development, and trends and fads are frequently evolving. Most recently, we’ve seen web-based services skyrocket since the FISASCORE r1 release in 2014.

With things like Office 365, Microsoft Azure, and Amazon Web Services (AWS) becoming more widely adopted, the threats to these kinds of services increase as well. These services have streamlined and improved storage processes, so organizations are becoming more and more willing to house their sensitive information there. Naturally, this leaves them as prime attacking points for black hat hackers.

Courtesy of Thompson Reuters on Youtube

Some of the vulnerabilities and risks with cloud-based technologies include:

  • Asset Management: It can be challenging for businesses to understand or have insight into exactly what is being stored over the cloud. We can’t secure what we don’t know exists.
  • Access Controls: Cloud services are shared, open environments. Because of this, it can be challenging to control admission to the resources and assets you have saved there.
  • Data Transit: Cloud services often pass data to and from other cloud-based applications using APIs. Unfortunately, it’s challenging to monitor what data is being passed, and from where.
  • Data Deletion: Threats associated with data deletion exist because there is less visibility into where their data is physically stored. This causes reduced confidence that all data was deleted completely, properly, and securely.
  • Increased Complexity: We say all the time that complexity is the enemy of security. Cloud services add complexities that lead to more potential for security gaps.

In order to account for the rapid increase in the usage of cloud-based services and these threats that they pose, it was important to add this as a portion of our information security practices. FISASCORE r2 contains new control questions about cloud-based services to tackle these.

4. New Releases Impact Risk Assessment Scores

There is no perfect translation between FISASCORE r2 and recent releases. Because the threat landscape changes release-over-release, there are some things added to the assessment that were never in one before. There may also be questions omitted as threats and technologies become irrelevant or obsolete.

We consider risk assessments to be point-in-time representations of your information security. They represent the current state of your program. As time passes, the validity of your risk assessment deteriorates. Especially as we add and remove control questions to account for the changes in technologies and regulations, your past risk assessment scores become significantly more obsolete.

Yes, this means your r2 score might be lower than your most recent r1 score. And this doesn’t mean your security is worse. If your FISASCORE from r1 to r2 has decreased even though you felt like you improved, much of the reason may be that real-world threats have also changed since the last FISASCORE.

5. Prepare to Explain the Changes

It’s easy to justify the lowered score to your board of directors or other upper management— if explained properly, and if the score dropped for the right reasons.

On the surface, it may look to a board that a decrease in scoring means that your program isn’t functioning properly. In reality, the changes to the assessment include things that you’ve not yet accounted for. This is not a negative thing, and it’s why our risk assessments don’t just come with a score, but also with suggestions for improvement.

As long as you can demonstrate to your upper management that you recognize the changes and have built them into your plan, the next meeting you have with them should see dramatically improved results.

How do you account for these control changes in your plan?

6. Always Build New Roadmaps

Getting your risk assessment score is nice, but it doesn’t make a difference to your organization if you’re not making changes against it for improvements. To do this, we build out roadmaps based on every FISASCORE. Your roadmap is your plan. It’s a thought-out and strategic plan based on your weaknesses, strengths, goals, budget, and more. A good roadmap is the starting point to getting your organization to where it feels it needs to be from a security standpoint.

This roadmap is the reason we should not be worried by a score dropping after the new FISASCORE release. When we create a roadmap, we consistently measure your improvements over your most recent FISASCORE. As you make changes to account for the new threat and technology landscape through this new roadmap, you’ll quickly find your score increasing. This practice is a great way for your organization to consistently improve its overall security posture.

One year after our FISASCORE assessment and roadmap, we should be conducting another FISASCORE to use as our new baseline for the next roadmap. Here is an example of what the cycle looks like end-to-end:

  1. Conduct the FISASCORE.
  2. Build a roadmap.
  3. Execute against the roadmap, measuring improvements made using the same FISASCORE release (in step 1)
  4. Update the FISASCORE, using the new release (if available). This is a new baseline FISASCORE for the organization to measure against for the next roadmap.
  5. Repeat steps 2-4.
FISASCORE Risk Assessment Roadmap

7. Expect Annual Releases

It’s important that organizations are getting their full risk assessments done annually (on top of tying your roadmap adjustments back to your most recent risk assessment). Not only do many regulatory organizations require them annually, but getting one done on this timeline also allows you to continually check against the growing and evolving threat and technology landscapes mentioned numerous times previously.

Schedule your FISASCORE

The FISASCORE is also expected to change year-over-year. We hope that new releases on this cadence will encourage organizations to get their risk assessments done annually. In addition, it’s crucial that we keep the risk assessments relevant to the current security industry. Predicting hacking trends is challenging, especially the further out you try to predict. A yearly release allows us to adequately evaluate what new threats and technologies are forming and how they can be woven into the control questions— without making too many assumptions and while still remaining relevant.

8. This is Not Our First Rodeo

FISASCORE r1 was not the first version of the FISASCORE. Instead, it was a major release of the current version of FISASCORE.

What’s the difference?

A version is a major evolution of the risk assessment that can include multiple releases. While a release includes minor mathematical and question changes, a version impacts the entire structure of the assessment itself. Did you know our risk assessment didn’t always mirror the credit score scale, for example?

This is currently the fifth iteration (version) of the FISASCORE risk assessment. The original was released in 2005. We’ve come a long way technologically, knowledge-wise, functionally, scoring-wise, and more since then.

“I found the FISASCORE® risk assessment to be the most comprehensive yet easily understood assessment I’ve been involved in”

Patrick Painschab |Senior IT Security Analyst, Coborn’s, Inc.

9. You Have a Say in What is Added

The mission of FRSecure is to fix a broken information security industry. Part of that is that as an industry, we have a hard time discussing the same concepts due to our differences in language. Our risk assessment aims to fix that problem by providing a universally understood scoring metric that maps to industry best practices and standards.

We pride ourselves on being “students of the game,” so to speak, as a result of this mission and the basis of our risk assessment. No security expert can know everything. In order for us to ensure we’re picking up on attacking trends and things that are relevant to the industry, we do care about feedback from our users about what goes into the risk assessment control questions.

If you’re seeing something you think needs to be added to the next round of control changes, we encourage you to bring it to our attention. It takes a village to make this the most comprehensive risk assessment possible!

10. How You Can Get Your r2 Done

If you’ve never done a FISASCORE risk assessment before, a good place to start is with an estimate. The FISASCORE Estimator gives you a snapshot of where your organization falls in a short survey format. Using this, you can tell if you have an immediate need that needs to be addressed.

If you do (or even if you don’t, honestly), consider reaching out to an FRSecure representative to conduct a full assessment for you.

When a FISASCORE is scheduled, we’ll send a certified analyst on site to assess the administrative and physical portions of your security program. They’ll do this over the course of two days. For the four weeks or so following that assessment, the analysts will spend time assessing the external network and internal network controls of your organization. Once this behind-the-scenes work is completed, the analysts will present the results to you and the organization— giving you feedback and roadmapping suggestions you can take with you to make improvements against.

r2 has already been released. Any full FISASCORE risk assessment scheduled in 2019 will be using the r2 control questions. This will be the case until a new release or version of FISASCORE is created.

A good information security risk assessment is the driver for the entirety of your security program. The FISASCORE risk assessment was built to be the most comprehensive and easy-to-understand risk assessment in the information security industry. It helps us speak the same language when it comes to defining what risk is and determining which are most pertinent to most businesses. To get your r2 risk assessment, visit


Brandon Matis on Linkedin
Brandon Matis
Content Marketing Specialist at FRSecure
As the Content Marketing Specialist for FRSecure, Brandon spins complex, technical security jargon into intelligible content that is easy to understand. Through journalistic-style writing and graphic design, Brandon creates multichannel, multi-industry content that summarizes the current state of the security industry.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *