Risk assessment is the cornerstone of security. The risk assessment process includes gathering information about the assets of the organizations, including all information assets, and all physical assets.
RiskWatch®
The Leader in Security Risk Assessment
Risk Assessment and Compliance: A Management Tool for the IT Security Infrastructure
by Caroline Ramsey Hamilton, President & CEO, RiskWatch, Inc.
Background

Since the collapse of Enron in December 2001, corporations have been under increasing scrutiny by government regulators who want to ensure that investors are protected, that individual medical records are protected, and that online banking offers a safe environment for consumers.

Many of these new requirements include a risk assessment component as part of the compliance activities. The risk assessment component is also being used as a way to validate compliance with other sections of IT security regulations such as the FFIEC Examination Handbook, the Bank Secrecy Act revision of 2006, the Gramm-Leach-Bliley Act, the HIPAA Rule, Cobit IV and the Sarbanes-Oxley Act.

These new regulations require more stringent security and other requirements that influence the nature of both information security and physical security. These new requirements are mandatory, and most are subject to either audit or review by an outside organization. Many of these requirements are listed in Figure A1 (below). A key element in these requirements is the risk analysis/risk assessment requirement (also called a self-assessment), which forces organizations to conduct a formal assessment of their IT security infrastructure, including:
- the threats that are present;
- the assets that need protection;
- a review of existing vulnerabilities; and
- an analysis of these elements, such as threat/vulnerability pairing, culminating in a list of controls that will be implemented.

According to the FFIEC (Federal Financial Institutions Examination Council) IT Handbook, "Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant onetime effort, but the risk assessment process should be an ongoing part of the information security program."

The Sarbanes-Oxley Act

Without a doubt, the Sarbanes-Oxley Act (SOX) is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s. And it is clear that public companies and the accounting profession have made tremendous progress in meeting the rigorous requirements of this legislation. Risk assessments or self-assessments using risk-based gap analysis techniques help organizations discover where they are in their SOX compliance.

What is a Risk Assessment?

Risk assessment is the cornerstone of security. Risk assessment:
- looks at a variety of threats, both internal and external;
- considers the value of the organizational assets, such as consumer information, including dependencies;
- calculates a risk rating; and
- recommends solutions that are prioritized by Return On Investment.

www.riskwatch.com   RiskWatch® is a registered trademark of RiskWatch, Inc.
The risk assessment process includes gathering information about the assets of the organization, including all information assets, such as networks, data centers, computers, hardware, software and data/information; and all physical assets, such as the personnel who staff the organization, the integrated systems, the physical facility and dozens of other organizational resources. In addition, the risk ...

... different systems, or different facilities within the organization. There is also great value in having an auditable process that allows an organization to prove that it has done the required assessments. Risk assessment is a management process and, by its nature, should involve the whole organization.