When it comes to protecting an organization’s information, flaws with this can involve either implementing strong technology to protect too much trivial data, or inadequate protection of important and sensitive data.
A thorough risk assessment is warranted in these cases. Once all the risks are identified, strategies can be created by personnel to prioritize risk minimization. This is risk management.
Risk has several components: assets, threats and weaknesses. Businesses must address (risk-assess) all components—internally, rather than externally by outsourcing.
A risk assessment identifies all potential risks, then analyzes what might happen in the event of a hazard.
A BIA (business impact analysis) is the process by which potential impacts are determined that result from the impediment of critical business activities. With a BIA, the results of disrupted business processes (which can include losses or delayed deliveries, among many others) are predicted; information is collected to come up with recovery strategies.
The objective is to maximize cost/benefit: identify the most relevant risks and reduce them with minimal investment.
The strategy is to determine what risks this company may face in a given year (e.g., digitized information, reputation, paper documents, employee safety).
Next is to formulate a list of possible sources of threats (employees, hackers, customers and competitors, to name some) based on the experiences of many in the organization. There are also risk assessment plan guidelines online.
Then next is a risk assessment chart. A list of assets must be compiled (e.g., employees, machinery/equipment, IT, raw materials, etc.) in a left column. Then opposite each asset, put down its associated hazards that could yield an impact. Each hazard is broken down into high probability-low impact and low probability-high impact.
Review the impacts for vulnerabilities that may make the asset prone to a loss. Here you’ll find opportunities for threat prevention or mitigation. Probability of occurrence can be specified with L for low, M for medium, H for high.
Information from the BIA would go towards rating the impact on “Operations.” Make an “entity” column for estimations of potential impacts (e.g., financial, brand/reputation, contractual). “Overall Hazard Rating” combines “probability of occurrence” and the highest scoring that impacts operations, employees, property, etc.
A worst case scenario? Do nothing. After all, a failure to plan is a planned failure.
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- How Small Businesses Can Evaluate Their Security Risks in the New Year
Evaluating risk vs. reward is a process most people go through on a daily basis. For example, you are about to make a left-hand turn but a car is coming. You think you can make it but he’s kind of coming fast. The risk, of course, is misjudging his speed and getting into an accident. At
- Risk Reduction: #1 Concern of Bank Boards
The Bank Director’s 2014 Risk Practices Survey reveals some very interesting information about the risk management programs that bank boards have in place. It’s classically challenging for many banks to assess how risk management practices affect the institution. However, banks that have worked at measuring the impact of a risk management program report favorable outcomes on
- 7 Small Business Social Media Risks
Many executives are concerned about social media related risks (e.g., data security and ID theft), but far fewer actually have any social media training. A recent survey of executives puts the concerns into four categories: disclosure of confidential information; damaged brand reputation; ID theft; and legal and compliance violations. Another feature that the survey unveiled was that
- HHS provides Healthcare Providers Risk Assessment Tools
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. Watch the Security Risk
- Pokemon Go a Network Malware Nightmare
Pokémon Go has taken the world by storm, even though it is nothing more than a silly little game that people play on their mobile device. And it is not just child’s play, either. Plenty of adults are hooked on Pokémon Go—including college degreed professionals who conduct business on company owned devices as well as