We've merged with Sikich to better serve our clients. See what the future holds.

To manage risk, you must first understand risk.

Understanding and assessing risk is one of the most fundamental ways your organization can improve your information security decisions. While it is impossible to eliminate all the risks associated with your IT systems and the sensitive information stored, processed and transmitted on them, employing a risk management program will focus your limited resources where they can provide the greatest level of risk reduction.

Clear thinking about risks based on a thorough understanding of the environment and current knowledge of the threat landscape drives an intelligent, well-founded information security strategy. An informed strategy helps fulfill both compliance objectives (such as GLBA, HIPAA and PCI DSS) and broader security goals.

A risk assessment formally documents the risks to your IT systems and sensitive information based on three factors: the threats to each system, the system's vulnerability to those threats, and the potential impact of a security breach on the system. Because all three change over time, the assessment should be repeated at least annually, and sooner when your operational environment changes significantly (for example, a new system, a merger or a new line of business).

Why It's Important

Without a formal process to identify and understand the risks faced by your organization, decisions are driven by assumptions instead of real data about how your business would be affected in the event of an outage or data breach. It is important to understand both the value of and the risks associated with your data. This will guide you in committing the appropriate level of effort and resources to its protection.

A risk assessment forces your organization to think about all potential outcomes of a breach:

  • What data is valuable to our customers, members and/or patients?
  • What would happen if our name was in the news for a data breach, even if the data lost is meaningless?
  • What legal liability would we have if something happens to this data?

It is vital that your risk assessment includes all systems that are critical to your operations or that contain sensitive information. Your risk assessment should also include an assessment of the operational processes and procedures used to maintain and operate the systems. These processes often affect more than one system and can introduce additional risk to your organization. For example, a weak patching program may add only a small amount of risk to each individual system, but because every system depends on it, the aggregate risk to your organization can be significant, often larger than the risk from any single system's own weaknesses.
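To make the last point concrete, here is a toy risk register in Python, added as an illustration that is not part of the original page or the firm's methodology. Systems, scores and the process-weakness penalties are constructed values; the scoring (likelihood times impact on 1 to 5 scales, with a shared process weakness adding to the likelihood of every system that depends on it) is a common qualitative approach, not the assessor's own formula.

```python
"""Toy risk register: per-system risk plus the aggregate effect of a shared
process weakness (e.g., a weak patching program). Constructed example data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    impact: int            # 1-5: consequence of compromise (sensitivity, criticality)
    base_likelihood: int   # 1-5: likelihood from the system's own vulnerabilities
    processes: tuple = ()  # shared operational processes the system depends on


# Likelihood penalty each weak shared process adds to every dependent system.
# Constructed values: patching is slow and irregular, backups are fine.
PROCESS_WEAKNESS = {"patching": 1, "backup": 0}

# Constructed inventory (hypothetical systems).
SYSTEMS = (
    System("core banking database", impact=5, base_likelihood=2, processes=("patching", "backup")),
    System("customer web portal",   impact=4, base_likelihood=3, processes=("patching",)),
    System("HR file server",        impact=3, base_likelihood=2, processes=("patching", "backup")),
    System("marketing wiki",        impact=1, base_likelihood=3, processes=("patching",)),
)


def clamp(value: int, lo: int = 1, hi: int = 5) -> int:
    return max(lo, min(hi, value))


def system_risk(system: System, weakness: dict) -> int:
    """Risk = likelihood x impact, where likelihood includes penalties from
    every weak shared process the system relies on."""
    penalty = sum(weakness.get(p, 0) for p in system.processes)
    return clamp(system.base_likelihood + penalty) * system.impact


def risk_register(systems, weakness) -> list:
    """Ranked (name, risk) rows, highest risk first."""
    rows = [(s.name, system_risk(s, weakness)) for s in systems]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def process_contribution(systems, weakness, process: str) -> int:
    """Aggregate risk attributable to one weak process: total risk as-is
    minus total risk if that process were fixed (penalty set to 0)."""
    fixed = dict(weakness, **{process: 0})
    return (sum(system_risk(s, weakness) for s in systems)
            - sum(system_risk(s, fixed) for s in systems))


def harden_system_gain(systems, weakness, name: str, new_base_likelihood: int) -> int:
    """Aggregate risk reduction from hardening a single system, i.e. lowering
    its own likelihood while the shared process weakness stays in place."""
    before = sum(system_risk(s, weakness) for s in systems)
    hardened = tuple(
        System(s.name, s.impact, new_base_likelihood, s.processes) if s.name == name else s
        for s in systems
    )
    return before - sum(system_risk(s, weakness) for s in hardened)


if __name__ == "__main__":
    for name, risk in risk_register(SYSTEMS, PROCESS_WEAKNESS):
        print(f"{name:24s} risk={risk}")
    print("fix patching program:", process_contribution(SYSTEMS, PROCESS_WEAKNESS, "patching"))
    print("harden top system only:", harden_system_gain(SYSTEMS, PROCESS_WEAKNESS, "customer web portal", 1))
```

With these numbers the patching weakness adds only one likelihood point per system, yet fixing it removes 13 points of aggregate risk, more than the 8 points gained by hardening the single highest-scoring system, which is exactly the prioritization a process-level assessment is meant to surface.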

By considering all avenues and weighing decisions based on analyzed risk, a risk assessment empowers your organization to make better informed decisions.

How We Can Help

Our risk assessments combine reviews of documentation and system details with personnel interviews to identify relevant threats and vulnerabilities within your organization.

Based on our expertise, knowledge of your industry and awareness of global security threats, we help you evaluate the risks your organization faces and identify:

  • Which systems you use to store, process or transmit sensitive information
  • Threats to your systems from inside attackers, outside attackers, automated attacks (e.g., malware such as worms and ransomware), environmental factors, and accidents or human error
  • Vulnerabilities that could make your systems susceptible to the identified threats
  • The impact to your organization or your customers, members and/or patients if an attacker were able to successfully exploit the vulnerability

At the end of the risk assessment, we recommend strategies to help your organization manage these risks effectively and adjust your information security policies, so that your current security priorities are reflected throughout your organization's information security program.

We also formally document and present the results of your risk assessment to your appropriate risk management, audit or company management bodies. In many cases this includes your board of directors or audit committee.

Blog Post: Scope and Scope Reduction Techniques

When dealing with PCI DSS compliance, one of the first and most essential steps is addressing scope. My colleague, Walt Conway, calls it Requirement 0: reduce the scope of your payment environment to reduce your compliance burden.

This is good advice; reducing your scope by eliminating data stores, simplifying your transaction process, or segregating your payment-related network from the rest of your environment does, in fact, reduce your scope and, if done correctly, will actually help you secure your really important assets from attack.

In the last few years, we've seen some interesting developments in some additional scope-reduction technologies and techniques that I'd like to discuss here as well, namely tokenization and point-to-point encryption.

Understand the risks you face.