Conducting regular security risk assessments (SRAs) are essential to protecting your business from internal and external threats.
Do you need to comply with CJIS? What about HIPAA, MACRA, or MIPS? If you do, you need to conduct regular security risk assessments (SRAs). An SRA helps an organization understand the implications of the physical, administrative, and technical protections, or the lack thereof, it has in place to safeguard its sensitive data. Sensitive data includes Personally Identifiable Information (PII) linked to your employees and clients, Criminal Justice Information (CJI) for those in law enforcement, and Protected Health Information (PHI) for healthcare entities.
SRAs enable organizations to understand where security gaps exist, develop action plans to mitigate those risks, and a way of measuring the effectiveness of the changes they implement. The findings from an SRA need to be documented in a formalized report. As a matter of best practice, your risk assessment should follow the methodology described in NIST Special Publication (SP) 800-30.
A comprehensive security risk assessment will follow a structured process, like the one outlined below.
1. Locate Data. Identify and record where all PII, PHI, CJI, and other sensitive data reside in your organization. Consider every system that stores, maintains, transmits, or receives any critical data. Data may be stored electronically and in paper format.
2. Identify Risks. What are the threats posed to each data repository? For instance, theft, fire, and flood are among the scenarios that are important to consider and document. Think of any risks that could disrupt your operations.
3. Assess Current Safeguards. What current security measures do you already have in place? What protocols have you instituted to mitigate the risks you identified in step 2? Some examples of safeguards may include employee security awareness training, email encryption, system backups, or a disaster recovery plan.
4. Determine Risk Probability. Assess the likelihood of each risk for any threats or vulnerabilities to PII, PHI, or other sensitive data that you identified in step 2. Factor in the possibility of the threat happening. Do your current safeguards from step 3 adequately mitigate the threat’s likelihood? Express the likeliness of threats in terms of low, medium, or high.
5. Determine Threat Impact. What’s the impact of each threat occurrence? For each threat and vulnerability to your PII, PHI, CJI, and other sensitive business data, calculate the associated impact of the threat in terms of low, medium, or high impact.
6. Determine Risk Levels. For each threat and vulnerability to your organization’s data, calculate the level of risk for the associated threat. The risk level is identified using the risk probability, as calculated in step 4, and the resulting threat impact, as calculated in step 5. Risk levels are identified as low, medium, or high.
7. Identify Remedies. What added security measures do you need to implement to lower the level of risk to your data and your organization? Based on the risk levels you identified from step 6, consider which added security measures make sense to implement to lower the risk.
8. Document Findings. As you conduct your SRA, document all your findings for each step outlined above. The SRA should culminate in a report that clearly delineates the results for the organization. Additionally, the SRA should recommend actions for improvement in the form of a work plan to lower risks.
Security Risk Assessments are critical to protecting organizational assets and sensitive data. Although SRAs can be time-consuming to conduct and resource-intensive to act upon once the risks and corrective measures are identified, not doing an SRA leaves your organization exposed to threats. The cost of conducting an SRA is far less than the cost associated with a data breach.
To simplify the SRA process, consider hiring an organization experienced at conducting SRAs, like Athreon. Athreon can provide you with resources that minimize the effort required by your team to complete its SRA. For further details and a free consultation, contact Athreon at 800.935.0973 or service@athreon.com.