Question 1

Has your organization performed a security risk assessment to identify threats to your protected data?

A threat could result in unauthorized access, transmission, disclosure, misuse, alteration or destruction of protected data (nonpublic information, sensitive data, PII, PHI, CUI, PCI, etc.). A valid risk assessment is a comprehensive analysis of your organization's cybersecurity culture, policies, procedures and plans, which identifies risks and provides a detailed report of prioritized corrective actions. The outcome should be a report, a prioritized list of issues (risks), steps to mitigate those risks and a plan to implement the risk mitigation. Most standards require you to perform a valid and adequate risk assessment every one or two years. One misconception is that if you perform the assessment, the government will fine you for all the non-compliant issues it uncovers. In fact, they will give you credit for at least having performed a risk assessment; without one, you will be fined.

