Why Does My Organization Need a Risk Assessment?
A company’s risk assessment program is the foundation of its information security program. Your program should protect the company’s most critical systems and data. A risk assessment identifies possible risks to the security of an organization’s information systems, such as:
- Loss of confidentiality of sensitive information
- Lack of availability of critical data systems
For financial institutions, the Gramm-Leach-Bliley Act (GLBA) and the Federal Financial Institutions Examination Council’s (FFIEC) guidelines require a risk assessment to be performed. Other organizations may apply the risk assessment process as a component of SOX compliance or internal audit activities.
What Threats Should Be Considered?
There is no single list of threats that applies to all organizations. All reasonably foreseeable threats should be considered, and those are defined by factors such as the institution’s location and its technical environment. Threats are commonly categorized as one of the following:
- Natural – tornado, earthquake, etc.
- Human – accidental or intentional acts
- Technical – equipment or communication failure
How Often Should Risks Be Assessed?
Risk assessment is an ongoing process. For example, risks should be assessed any time a new server is installed or new controls are implemented. Ideally, assessments should occur before changes are made.
BKD IT Risk Services (ITRS) uses a risk assessment process based on guidelines from the National Institute of Standards and Technology’s (NIST) Risk Management Guide for Information Technology Systems and the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Handbook. Assessment results are analytical reports that help you understand the risks to your organization’s information systems.
Informed decisions can then be made about additional controls and system changes.