Once organizations have developed a risk management strategy and a risk management program, regular risk assessments should be performed to identify, or update, a list of risk scenarios to which the organization may be susceptible. Risk assessments are the focus of Pitfall #11 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
The risk assessment process should assess the potential impact of each risk scenario. Risk assessments that are more than a year old may no longer accurately represent the risks that could impact an organization. Annual risk assessments are not only a best practice, they are also required by most regulatory control frameworks to validate that an organization routinely monitors applicable risks and applies appropriate risk treatment or mitigation.
Your organization should perform regular risk assessments to identify, quantify, qualify, and continually evaluate risk. Risk assessments should identify any information systems, high-risk operations, or functions that may warrant additional security controls. Assessment criteria should be updated to address any new technologies, products, services, information systems, or connections.
Risk assessments may be quantitative or qualitative. You should ensure they are consistent and comparable so that resources to manage the identified risks can be prioritized. Risk assessments should be performed at least annually and updated whenever major changes occur within the operating environment. It may be appropriate to complete a separate assessment for each of your geographical locations if the risk scenarios differ from location to location.
Organization-level assessment results, system-level assessment results, and risk management decisions should be integrated whenever possible. Benchmarks or target performance metrics should be established to demonstrate either improvement or regression of your organization's risk posture over time.
To learn more about this pitfall, and 99 more, get my eBook: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASECENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.