Question 1

Has your organization performed a security risk assessment across the enterprise to identify threats to its critical data?

A threat could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of protected data (nonpublic information, sensitive data, PII, PHI, CUI, PCI, etc.). A valid risk assessment is a comprehensive analysis of your organization's cybersecurity culture, policies, procedures and plans; it identifies security-centric risks and provides a detailed report of prioritized corrective actions. The outcome should be a snapshot of prioritized issues (risks), the steps to mitigate those risks, and a plan to implement that mitigation. Most standards require you to perform a valid and adequate risk assessment at LEAST every year. One misconception is that if you perform the assessment, regulators will fine you for every non-compliant issue it uncovers. In reality, they will give you credit for having performed a risk assessment at all and for having a plan to address the findings. Not having a risk assessment shows regulators that you made no attempt to understand your risks as an organization!
