Background

Since the collapse of Enron in December 2001, corporations have been under increasing scrutiny by government regulators who want to ensure that investors are protected, that individual medical records are protected and that online banking offers a safe environment for consumers.
Many of these new requirements include a risk assessment component as part of the compliance activities. The assessment component of the risk assessment is also being used as a way to validate compliance with other sections of IT security regulations such as the FFIEC Examination Handbook, Bank Secrecy Act revision of 2006, Gramm Leach Bliley Act, the HIPAA Rule, Cobit IV and the Sarbanes Oxley Act. These new regulations impose more stringent security and other requirements that shape the nature of both information security and physical security.
These new requirements are mandatory, and most are subject to either audit or review by an outside organization. Many of these requirements are listed in Figure A1 (below). A key element in these requirements is the risk analysis/risk assessment requirement (also called a self-assessment), which forces organizations to conduct a formal assessment of their IT security infrastructure including:
- the threats that are present;
- the assets that need protection;
- a review of existing vulnerabilities; and
- an analysis of these elements, such as threat/vulnerability pairing, culminating in a list of controls that will be implemented.
According to the FFIEC (Federal Financial Institutions Examiners Council) IT Handbook, "Information security risk assessment is the process used to identify and understand risks to the confidentiality, integrity, and availability of information and information systems. An adequate assessment identifies the value and sensitivity of information and system components and then balances that knowledge with the exposure from threats and vulnerabilities. A risk assessment is a necessary prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant onetime effort, but the risk assessment process should be an ongoing part of the information security program."
The Sarbanes-Oxley Act

Without a doubt, the Sarbanes-Oxley Act (SOX) is the single most important piece of legislation affecting corporate governance, financial disclosure and the practice of public accounting since the US securities laws of the early 1930s. And it is clear that public companies and the accounting profession have made tremendous progress in meeting the rigorous requirements of this legislation. Risk assessments or self-assessments using risk-based gap analysis techniques help organizations discover where they stand in their SOX compliance.
What is a Risk Assessment?

Risk assessment is the cornerstone of security. A risk assessment:
- looks at a variety of threats, both internal and external;
- considers the value of the organizational assets, such as consumer information, including dependencies;
- calculates a risk rating; and
- recommends solutions that are prioritized by return on investment.
The risk assessment process includes gathering information about the assets of the organization, including all information assets such as networks, data centers, computers, hardware, software and data/information; and all physical assets, such as the personnel who staff the organization, the integrated systems, the physical facility and dozens of other organizational resources. In addition, the risk assessment process includes finding sources for threat data, which may be gathered from internal sources such as incident reports and intrusion detection reports. It may also include threat data such as crime statistics, industry standards and benchmarking data, and historical data about what has happened in the organization and in the general industry segment.
Risk assessment is a method of determining what kind of controls are needed to protect an organization's assets and resources not just adequately, but also cost-effectively. The risk assessment process analyzes a set of five variables, and comes up with recommended actions based on the relationships of these variables to each other and how compliant the organization is with existing requirements.
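The steps described above (inventory assets, pair threats with vulnerabilities, compute a risk rating, and rank controls by return on investment) can be carried through on a small register. The following is an added example written for this page, not code from the article or from any of the regulators it cites. The article does not name its five variables, so the quantitative model here is an assumption: each threat/vulnerability pair is scored as an annualised loss expectancy (asset value x fraction of that value exposed x expected threat occurrences per year), the High/Medium/Low thresholds are assumed, and ROI is (annual risk reduced minus annual control cost) divided by control cost. All assets, threats, vulnerabilities, controls and dollar figures are constructed sample data.

```python
from dataclasses import dataclass

# Added illustration, not from the article. Model assumptions: risk for a
# threat/vulnerability pair is its annualised loss expectancy (ALE), and
# controls are ranked by ROI on the risk they remove.

@dataclass(frozen=True)
class Asset:
    name: str
    value: float              # loss (currency units) if the asset is fully compromised

@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year (incident data, benchmarks)

@dataclass(frozen=True)
class Vulnerability:
    """One threat/vulnerability pairing against one asset."""
    name: str
    asset: str
    threat: str
    exposure: float           # fraction of the asset's value lost per occurrence (0..1)

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: tuple          # names of the vulnerabilities this control addresses
    reduction: float          # fraction of the paired risk it removes (0..1)

# --- constructed sample data (hypothetical figures, not real measurements) ---
ASSETS = {a.name: a for a in (
    Asset("customer_db", 500_000),
    Asset("web_server", 120_000),
)}
THREATS = {t.name: t for t in (
    Threat("external_attacker", 2.0),
    Threat("insider_misuse", 0.5),
    Threat("hardware_failure", 1.0),
)}
VULNERABILITIES = [
    Vulnerability("unpatched_web_app", "web_server", "external_attacker", 0.25),
    Vulnerability("excessive_db_privileges", "customer_db", "insider_misuse", 0.4),
    Vulnerability("no_offsite_backup", "customer_db", "hardware_failure", 0.1),
]
CONTROLS = [
    Control("patch_management", 20_000, ("unpatched_web_app",), 0.8),
    Control("least_privilege_review", 15_000, ("excessive_db_privileges",), 0.6),
    Control("offsite_backups", 30_000, ("no_offsite_backup",), 0.9),
    Control("web_application_firewall", 50_000, ("unpatched_web_app",), 0.5),
]

def annual_loss_expectancy(v, assets=ASSETS, threats=THREATS):
    """ALE = asset value x exposure fraction x expected occurrences per year."""
    return assets[v.asset].value * v.exposure * threats[v.threat].annual_frequency

def risk_rating(ale):
    """Qualitative band for an ALE; the thresholds are assumed, not from the article."""
    if ale >= 75_000:
        return "High"
    if ale >= 25_000:
        return "Medium"
    return "Low"

def risk_register(vulns=VULNERABILITIES):
    """Threat/vulnerability pairs with their ALE and rating, highest risk first."""
    rows = []
    for v in vulns:
        ale = annual_loss_expectancy(v)
        rows.append((v.name, ale, risk_rating(ale)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def prioritize_controls(controls=CONTROLS, vulns=VULNERABILITIES):
    """Rank controls by ROI = (annual risk reduced - annual cost) / annual cost."""
    ale_by_name = {v.name: annual_loss_expectancy(v) for v in vulns}
    ranked = []
    for c in controls:
        reduced = sum(ale_by_name[n] for n in c.mitigates) * c.reduction
        roi = (reduced - c.annual_cost) / c.annual_cost
        ranked.append((c.name, reduced, roi))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

def recommended_controls(controls=CONTROLS, vulns=VULNERABILITIES):
    """Controls whose expected risk reduction exceeds their cost (ROI > 0), best first."""
    return [name for name, _, roi in prioritize_controls(controls, vulns) if roi > 0]

if __name__ == "__main__":
    for name, ale, band in risk_register():
        print(f"{name:26s} ALE={ale:>10,.0f}  {band}")
    for name, reduced, roi in prioritize_controls():
        print(f"{name:26s} reduces={reduced:>10,.0f}  ROI={roi:+.2f}")
```

Each control is scored against the unmitigated risk independently, so two controls that address the same pairing (here, patching and the web application firewall) are not combined; once one is selected, the remaining risk on that pairing should be recomputed before scoring the other. With the constructed figures the least-privilege review ranks first (ROI 3.0), the firewall has a negative ROI and is not recommended, which is the kind of cost-effectiveness judgement the paragraph above describes.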