Conducting a Risk Assessment: Key Components You Can't Ignore

By John Clark

If companies could easily identify and understand all the types of risks to their business and could evaluate how to effectively mitigate those risks, then the world would be a much more boring place. Read on to learn how to approach a risk assessment for data protection practices that can be applied to a number of information security standards, including the Payment Card Industry Data Security Standard (PCI DSS)[1].

First, establish a risk assessment team. Too often, an IT person is assigned to conduct a risk assessment that, naturally, because of their role, becomes IT focused. While some technology risks are addressed in this manner, the intent is an organizational risk assessment. Bringing the teams together and bridging that knowledge gap is a key action in conducting a risk assessment.

Second, establish with the organization that protecting data is the primary goal and that all of the people, processes, hardware, software and other technology are tools used to do something with the data.

Third, identify operational and technical risks. Operational risks can include compliance, financial and reputational risks (i.e., what happens if data is exposed, lost or manipulated), and technology risks include all risks related to the use of IT (i.e., how do we ensure only authorized users have access to data).

Determining how to identify operational and technical risks can be broken down into these steps:

Step 1 – Identify and Map Business Processes

Work with business teams to identify what sensitive data they have access to, understand what processes interact with the sensitive data and develop process flow diagrams for the processes.

Step 2 – Determine what could go wrong

Some examples are employee theft of data, unauthorized access (both deliberate and accidental), unauthorized code changes, unexpected data manipulation or incorrect calculations, power outages and natural disasters.

Step 3 – Determine likelihood and impact

Impact evaluations can include both subjective and objective inputs from a number of resources (e.g., financial impact to a business includes regulatory or legal fees, loss of business and cost to recover).

Step 4 – Evaluate Controls in Place

Controls can be operational, such as change control and management approval stages, or technical, such as access control lists, running the latest OS patches, IDS/IPS or anti-virus tools. Key controls are the primary mitigation tool and are required to provide reasonable assurance that a risk is effectively mitigated. Non-key controls are controls that can fail and may make your day interesting, but will not adversely affect the entire process.

Step 5 – Are Existing Controls Appropriate

Re-evaluate the likelihood of the risk being realized if the controls are operating as intended.

Step 6 – Are Controls Operating Effectively

Examples include evaluating if the appropriate testing is completed, documented and approved prior to deploying software updates.

Step 7 – Management Alignment and Approval

Update business process owners and other executives involved in the processes on how the assessment was conducted and what the final results are.

Step 8 – Monitoring and Reporting

Implement some method of self-monitoring to ensure activities are carried out appropriately (e.g., periodic sample audit by a manager or senior member of the team).
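As an added illustration of Steps 3 through 6 (not code from the article or its white paper), the following constructed Python risk register scores inherent risk as likelihood times impact, gives residual credit only to key controls that are actually operating effectively, and flags any risk with no effective key control for management review. The 1-5 scales, the sample risks and the reduction values are assumptions.

```python
from dataclasses import dataclass, field

# Constructed risk register implementing Steps 3-6 above: likelihood/impact
# scoring, key vs. non-key controls, and residual re-evaluation. The 1-5
# scales and reduction values are assumptions, not from the article or PCI DSS.

@dataclass
class Control:
    name: str
    key: bool                      # primary mitigation for the risk (Step 4)
    operating_effectively: bool    # evidenced as working, e.g. tests documented (Step 6)
    likelihood_reduction: int = 0  # points removed from likelihood if key and effective

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), Step 3
    impact: int      # 1 (negligible) .. 5 (severe), Step 3
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Step 5: only key controls that actually operate reduce likelihood.
        # Non-key controls can fail without breaking the process, so no credit.
        reduction = sum(c.likelihood_reduction for c in self.controls
                        if c.key and c.operating_effectively)
        return max(1, self.likelihood - reduction)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.impact

    def lacks_effective_key_control(self) -> bool:
        return not any(c.key and c.operating_effectively for c in self.controls)

def risk_report(risks):
    """Rows for management review (Step 7), highest residual risk first."""
    return [{"risk": r.name, "inherent": r.inherent_score(),
             "residual": r.residual_score(),
             "no_effective_key_control": r.lacks_effective_key_control()}
            for r in sorted(risks, key=lambda r: r.residual_score(), reverse=True)]

REGISTER = [  # constructed sample entries
    Risk("Unauthorized code change", 4, 5, [
        Control("Management change approval", True, True, 1),
        Control("Pre-deployment testing documented", True, False, 2),
        Control("Anti-virus on build server", False, True, 1)]),
    Risk("Employee theft of data export", 3, 5, [
        Control("Quarterly access review", False, True, 1)]),
]
```

Calling `risk_report(REGISTER)` shows that undocumented testing earns no residual credit for the code-change risk, and that the theft risk, covered only by a non-key control, is flagged as needing a key control.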

Following these steps as a guide is a good place to start, and as your program matures you will find the information to be both valuable and eye-opening. For more information and a more detailed description of how to conduct a risk assessment, see the Conducting a Risk Assessment white paper.


[1] PCI DSS Requirement 12.1.2 requires that the organization's security policy include an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.