Risk assessment for your organization’s information security

  • Team Omega
  • August 7, 2013

This is possibly one of the most important steps toward preparing your organization for true security and not just paper security.  There are risk assessment templates that a data security team can use, but what is relevant to an organization are the true risks related to its particular environment and assets.

A methodical approach is required so that security controls are applied to the right areas.  Information security cannot be managed based on perceived risks, only on real risks.  The starting point is perhaps the culture of the organization itself.  People should be trained to think about and accept that security risks are present, and they should be given the freedom to speak up.  For instance, a project team should not hesitate to raise any possible risks with the team lead while they are working on a project.  Those risks should then be tested and assessed.

As ‘Search Security’ outlines in their article, here are some basic steps you may want to follow to manage the area of Risk Assessment.

  1. Identify company assets
  2. Assign a value to each asset
  3. Identify each asset’s vulnerabilities and associated threats
  4. Calculate the risk for the identified assets
  6. Identify necessary countermeasures
  6. Calculate costs to mitigate risks
  7. Follow up with senior management to execute them
  8. Add to the list as they grow
  9. Repeat the above process as and when needed
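As an added illustration of steps 2 through 6 (this code is not from the original post or from Omega ATC), the following Python risk register assigns each asset a value, pairs it with a threat, computes an expected annual loss, and checks whether a countermeasure costs less than the risk it removes. All asset names, dollar values and likelihoods are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register: an asset, a threat to it, and a candidate control."""
    asset: str
    asset_value: float        # step 2: value of the asset in dollars (constructed)
    threat: str               # step 3: vulnerability / threat pair
    likelihood: float         # probability the threat materialises in a year (0..1)
    exposure: float           # fraction of the asset value lost per incident (0..1)
    countermeasure: str       # step 5: proposed control
    countermeasure_cost: float  # step 6: annual cost of the control in dollars
    reduction: float          # fraction of the likelihood the control removes (0..1)

    def annual_risk(self) -> float:
        # step 4: expected annual loss = asset value * exposure * likelihood
        return self.asset_value * self.exposure * self.likelihood

    def residual_risk(self) -> float:
        # expected annual loss that remains once the control is in place
        return self.annual_risk() * (1.0 - self.reduction)

    def net_benefit(self) -> float:
        # risk removed by the control minus what the control costs per year
        return self.annual_risk() - self.residual_risk() - self.countermeasure_cost


# Constructed sample register; the figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Cardholder database", 500_000, "SQL injection via web app", 0.3, 0.5,
         "Parameterised queries and input validation", 20_000, 0.9),
    Risk("Office laptops", 40_000, "Theft of unencrypted laptop", 0.2, 1.0,
         "Full-disk encryption", 3_000, 0.95),
    Risk("Lobby display", 2_000, "Vandalism", 0.1, 1.0,
         "Round-the-clock security guard", 30_000, 0.8),
]


def rank_register(register: list) -> list:
    """Order the register by expected annual loss, highest first (step 4 output)."""
    return sorted(register, key=lambda r: r.annual_risk(), reverse=True)


def worthwhile(register: list) -> list:
    """Controls whose annual cost is below the risk they remove (steps 5 and 6)."""
    return [r for r in register if r.net_benefit() > 0]


if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.asset:<20} risk ${r.annual_risk():>10,.0f}  net benefit ${r.net_benefit():>10,.0f}")
```

Rows with a negative net benefit, such as the guard for the lobby display, are exactly the cases to take back to senior management (step 7) for a cheaper control or an accepted risk.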

Talk to Omega ATC if you are going through a PCI Compliance audit process and need help.  Call 636-557-7777.  Visit omegasecure.com and find out how vulnerable your operation is.