Perform Effective Risk Assessment with IT Security & Compliance Software


Risks and uncertainties are part and parcel of every business. However, that in no way means
enterprises cannot counter them. Enterprises can perform a risk assessment to reduce risks to
acceptable levels. Risk assessment is the process of assessing, recording and managing risk
according to industry standards and best practices. The nine-step risk assessment process is
given below.


   1. System characterization sets the boundaries of the IT system by identifying the existing IT assets, including the resources and the information that constitute each asset, and so defines the scope of the risk assessment.
   2. Threat identification determines the threat sources, the potential vulnerabilities and the existing controls.
   3. Vulnerability identification develops a list of system vulnerabilities (flaws or weaknesses) that the potential threat sources could exploit. Vulnerabilities are identified from vulnerability sources, by performing system security testing, and by developing a security checklist.
   4. Control analysis examines the controls the organization has implemented, or plans to implement, to minimize or eliminate the likelihood (or probability) of a threat occurring. Control methods include technical safeguards (access control, encryption, authentication mechanisms, etc.) and non-technical safeguards (policies, operational procedures, personnel, physical and environmental security), covering both preventive and detective controls.
   5. Likelihood determination considers the threat-source motivation, the nature of the vulnerability, and the existence and effectiveness of current controls, and rates the likelihood as High, Medium or Low.
   6. Impact analysis measures the effect of a threat being realized, based on the system's processes, its value to the organization and the sensitivity of its data, covering both qualitative and quantitative dimensions.
   7. Risk determination assesses the level of risk to the IT system, expressed as a function of the likelihood of a given threat source exercising the vulnerability, the magnitude of the impact, and the adequacy of planned and existing security controls, and records it in a risk-level matrix.
   8. Control recommendations propose controls that could mitigate or eliminate the identified risks, as appropriate to the organization, weighing factors such as the effectiveness of the recommended options, legislation, organizational policy, operational impact, safety and reliability.
   9. Results documentation presents the findings in a risk assessment analytical report.
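As an added example that is not part of the original document, the following Python carries steps 5 to 7 of the procedure above over a handful of constructed findings: it rates likelihood from threat capability and control effectiveness, scores each finding on a likelihood x impact matrix, and ranks the results so step 8 can treat the worst first. The numeric weights and thresholds are taken from NIST SP 800-30 (2002), whose nine-step process this list follows; the page itself gives no numbers, so they are an assumption, and every asset name and flaw is invented.

```python
from dataclasses import dataclass

# Weights and thresholds as in NIST SP 800-30 (2002), which this nine-step
# process mirrors; the page itself gives no numbers, so they are an assumption.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class Finding:
    asset: str               # step 1: in-scope IT asset
    threat: str              # step 2: threat source
    vulnerability: str       # step 3: flaw that source could exploit
    threat_capable: bool     # step 5 input: source motivated and capable?
    control_effective: bool  # step 4: existing control blocks exercise?
    impact: str              # step 6: "High", "Medium" or "Low"

def determine_likelihood(f: Finding) -> str:
    """Step 5: likelihood from threat capability and control effectiveness."""
    if not f.threat_capable:
        return "Low"  # source lacks motivation or capability
    return "Medium" if f.control_effective else "High"

def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7: risk-level matrix; score = likelihood weight x impact weight."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    return score, "High" if score > 50 else "Medium" if score > 10 else "Low"

def assess(findings: list[Finding]) -> list[dict]:
    """Steps 5 to 7 over all findings, ranked so step 8 treats the worst first."""
    rows = []
    for f in findings:
        likelihood = determine_likelihood(f)
        score, level = risk_level(likelihood, f.impact)
        rows.append({"asset": f.asset, "vulnerability": f.vulnerability,
                     "likelihood": likelihood, "impact": f.impact,
                     "score": score, "risk": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample findings (invented assets and flaws, not real data).
SAMPLE_FINDINGS = [
    Finding("billing-db", "external attacker", "unpatched DB listener",
            threat_capable=True, control_effective=False, impact="High"),
    Finding("hr-portal", "insider", "weak password policy",
            threat_capable=True, control_effective=True, impact="Medium"),
    Finding("print-server", "opportunistic scanner", "default SNMP community",
            threat_capable=False, control_effective=False, impact="Low"),
]

if __name__ == "__main__":
    print(*assess(SAMPLE_FINDINGS), sep="\n")  # step 9: the report rows
```

Note that the matrix caps a Medium-likelihood, High-impact finding at 50 (Medium), so an effective existing control is what separates it from a High rating.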


Enterprises can perform risk assessment with effective IT security & compliance software. It
assesses risk through a systematic algorithmic analysis fine-tuned to the regulatory
requirements. With its framework for defining and managing risks, risks are categorized by the
nature of operations and the level of control. Depending on these parameters, the overall risk
rating for each regulatory control is set as Low, Moderate, High or Very High.

