IT Security Compliance regulations and guidelines (GLBA, NCUA, FFIEC, HIPAA, etc.) require an organization to conduct a Risk Assessment. The Risk Assessment should identify reasonably foreseeable risks that could result in service interruption or unauthorized disclosure, misuse, alteration, or destruction of confidential information. The Risk Assessment process evaluates the likelihood and potential damage of the identified threats and assesses the sufficiency of safeguards in place, to control the identified risks.
TraceSecurity’s Risk Assessment follows standard methodologies designed to meet regulatory requirements and best practice guidelines based on international standards such ISO 27001, COBIT 4, etc. TraceSecurity’s experts take a close look at the organization’s safeguards, vulnerabilities, threat vectors, asset information, and loss expectancies. Each individual risk is then analyzed and compared against other identified risks, enabling the organization to prioritize remediation efforts, preempting losses with most exposure. The Risk Assessment process is captured and managed through TraceSecurity’s Risk Manager Software that automates the process and provides a foundation for future Risk Assessments.
The TraceSecurity Risk Assessment process includes the following:
- Identification of Information Assets that need to be reviewed.
- Identify Key Stakeholders and Owners
- Identify and Collect Key Documentation
- IT Asset Classification (application, database, infrastructure)
- Asset Data Sensitivity Classification
- Asset Role Taxonomy - Business function
- Asset Valuation and/or Mission Factor Weighting - qualitative or quantitative
- Identification of all threats, risks, concerns and issues related to the Information Assets of the particular organization.
- Determination of the level to which the asset is vulnerable to security threats and the currently implemented safeguards to help prioritize risk.
- Safeguard Implementation Analysis
- Relative Risk Level (Probability of Occurrence)
- Potential Loss Analysis
- Key Metric Indicators
- Recommendation of required controls and safeguards to mitigate risks identified in the Risk Assessment Results.
- Reporting – Provided through TraceReport, a module of TraceSecurity Compliance Manager
- Executive Summary
- Risk Analysis
- Asset Analysis
- Threat Analysis
- Safeguard Analysis
Ongoing Risk Management Process
A Risk Assessment is the first step of developing a risk management process and provides a point-in-time evaluation of the organization’s risk level. The organizational environment is constantly changing due to the addition of assets, changes in staff, and new threats. Each change in the organization’s environment can result in a change in the organization’s risk level, which requires the organization to implement a risk management process that includes ongoing Risk Assessment. However, using third-party vendors to perform the necessary Risk Assessment does not fit within the organization’s budget. The organization may turn to its own personnel to keep its Risk Assessment up-to-date; however, this approach usually puts a strain on key personnel’s time.
TraceSecurity has developed its Risk Manager solution that automates the Risk Assessment process to enable an organization to efficiently perform its own, on-demand Risk Assessment in a cost effective manner. Risk Manager is a Software-as-a-Service (SaaS) solution that eliminates the need to install or maintain the software on the organizations systems. Risk Manager provides a seamless transition from the TraceSecurity Risk Assessment to an in-house managed Risk Assessment program. Risk Manager is included with TraceSecurity’s comprehensive Risk Assessment solutions. TraceSecurity also provides Service Only options and Risk Manager as a stand-alone offering. To learn more about Risk Manager, click here.
