The Life Cycle of a Data Security Risk Assessment

Cyberproof your data with our tips for completing a security risk assessment effectively.

Data is the lifeblood of any organization, and just as with the human body, organizations must protect this precious resource for the whole system to remain healthy. Organizations need to ensure that their data is safely stored under virtual lock and key, whether they are safeguarding trade secrets, complying with relevant state and federal laws or industry standards, or protecting customers’ sensitive information.

To do this effectively, companies must periodically conduct a data security risk assessment. This process allows organizations to know where they stand, identify pitfalls, and mitigate potential security risks before data breaches or other cyber incidents occur. This brief article provides tips on how organizations can complete a data security risk assessment from start to finish.

Before the Data Security Risk Assessment

Before organizations embark on a data security risk assessment, they need to establish clear parameters for the process. One important element to define is timing. For example, is the organization performing the assessment to satisfy specific regulations? Is it in response to an upgrade in business systems and processes? Is the assessment intended to address previously identified risks, including those uncovered during a cyber incident? These issues influence the timeframe necessary to complete data security risk assessments and how often the organization should perform them.

Similarly, the organization should clearly outline the assessment’s scope. Before beginning the risk assessment process, organizations should identify any legal and business obligations that they must fulfill. The organization should also choose its risk assessment methodology, which can include audits, vulnerability and asset scans, continuous monitoring, and penetration testing. Companies should also consider factors such as their objectives, organizational culture, and available resources to select the most appropriate assessment method.

During the Data Security Risk Assessment

Organizations must collect information pertinent to the risk assessment’s defined scope and objectives. Strategies include interviewing relevant individuals; testing technical safeguards and documenting the results; collecting and reviewing existing policies, event logs, and other historical files; running automated scans; and gathering system details, such as current technical configurations.

The information gathered for a risk assessment may be even more specific in some cases. For example, organizations conducting risk assessments related to workplace compliance issues should also collect and review training records and management reports, and consider testing employees on their knowledge of security procedures and their ability to resist phishing emails.

As they collect these details, companies will get a clear picture of the threats and vulnerabilities that exist in their data security program. This allows them to identify which risks they should address, prioritize when to fix them based on the likelihood that a breach or other cyber incident will occur, and understand the consequences the organization could suffer should an event actually take place.

Organizations should focus on the remedies available to them to address potential cyber threats. Some remedies may be policy-based, such as limiting the information employees can retrieve about customers, and quickly removing systems access for those who leave the business. Other remedies may be technology-based, such as encrypting laptops and mobile devices that store sensitive information and installing operating system and other software security patches in a timely manner.

After the Data Security Risk Assessment

Organizations should document their risk assessment findings and the cost and time required to address identified risks or compliance gaps. This report should also include information on the legal and industry obligations a company must fulfill and the groups that are responsible for resolving potential cyber risks.

For more information on conducting a data security risk assessment, sign up for a free trial or log on to Thomson Reuters Practical Law.

Practical Law provides legal know-how that gives lawyers a better starting point. Our expert team of attorney editors creates and maintains thousands of practical resources across all major practice areas. We go beyond primary law and traditional legal research to allow you to practice more efficiently and improve client service. Request your free trial today at TryPracticalLaw.com.