Does Your Organization Need a Security Risk Assessment?

Authors: Ron Schmittling, CISA, CIA, CPA/CITP, and Anthony Munns, CISA, CIRM, CITP, FBCS, NCC-U
Date Published: 19 August 2022

Although regulations do not instruct organizations on how to control or secure their systems, they do require that systems be secured and that the organization prove that it has effective security and control infrastructure in place. Enterprise risk management (ERM)[1] is critical to any organization that aims to achieve this. The enterprise risk assessment methodology has become an established approach to identifying and managing systemic risk for an organization. This approach is increasingly being applied in diverse fields such as environmental Superfund,[2] health[3] and corporate ratings.[4]

Historically, IT security risk has been viewed as the responsibility of the IT or network staff, as those individuals have the best understanding of the components of the control infrastructure. Moreover, security risk assessments have typically been performed within the IT department with little or no input from others. This approach has limitations. As systems have become more complex, integrated and connected to third parties, the security and controls budget quickly reaches its limitations. Therefore, to ensure best use of the available resources, IT should understand the relative significance of different sets of systems, applications, data, storage and communication mechanisms. To meet such requirements, organizations should perform security risk assessments that employ the enterprise risk assessment approach and include all stakeholders to ensure that all aspects of the IT organization are addressed, including hardware and software, employee awareness training, and business processes.


Why Perform a Security Risk Assessment?

Organizations have many reasons for taking a proactive and repetitive approach to addressing information security concerns. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, create an expectation for companies of all sizes to devote the utmost attention and priority to information security risks. An IT security risk assessment takes on many names and can vary greatly in terms of method, rigor and scope, but the core goal remains the same: identify and quantify the risks to the organization’s information assets. This information is used to determine how best to mitigate those risks and effectively preserve the organization’s mission.

Some areas of rationale for performing an enterprise security risk assessment include:

  • Cost justification—Added security usually involves additional expense. Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.
  • Productivity—Enterprise security risk assessments should improve the productivity of IT operations, security and audit. By taking steps to formalize a review, create a review structure, collect security knowledge within the system’s knowledge base and implement self-analysis features, the risk assessment can boost productivity.
  • Breaking barriers—To be most effective, security must be addressed by organizational management as well as the IT staff. Organizational management is responsible for making decisions that relate to the appropriate level of security for the organization. The IT staff, on the other hand, is responsible for making decisions that relate to the implementation of the specific security requirements for systems, applications, data and controls.
  • Self-analysis—The enterprise security risk assessment system must always be simple enough to use, without the need for any security knowledge or IT expertise. This will allow management to take ownership of security for the organization’s systems, applications and data. It also enables security to become a more significant part of an organization’s culture.
  • Communication—By acquiring information from multiple parts of an organization, an enterprise security risk assessment boosts communication and expedites decision-making.

The enterprise risk assessment and enterprise risk management processes comprise the heart of the information security framework. Depending on the size and complexity of an organization’s IT environment, it may become clear that what is needed is not so much a thorough and itemized assessment of precise values and risks, but a more general prioritization.

Security risk assessment should be a continuous activity. A comprehensive enterprise security risk assessment should be conducted at least once every two years to explore the risks associated with the organization’s information systems. An enterprise security risk assessment can only give a snapshot of the risks of the information systems at a particular point in time. For mission-critical information systems, it is highly recommended to conduct a security risk assessment more frequently, if not continuously.

Editor’s Note

This article is excerpted from an article that appeared in the ISACA® Journal. Read the full article, “Performing a Security Risk Assessment,” in vol. 1, 2010, of the ISACA Journal.

Endnotes

[1] The COSO Enterprise Risk Management—Integrated Framework, published in 2004, defines ERM as a “…process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
[2] US Environmental Protection Agency (EPA), “What Is Risk Assessment?,” USA
[3] Office of Environmental Health Hazard Assessment, A Guide to Health Risk Assessment, US State of California Environmental Protection Agency, USA
[4] Standard & Poor’s, RatingsDirect Global Credit Portal, 7 May 2008

Ron Schmittling, CISA, CIA, CPA/CITP, is a manager in the risk services practice at Brown Smith Wallace LLC, where he leads the IT security and privacy practice. Schmittling’s more than 16 years of experience also include more than 5 years in senior-level technical leadership roles at a major financial services firm and positions in IT audit, internal audit and consulting for several international organizations.

Anthony Munns, CISA, CIRM, CITP, FBCS, NCC-U, is coleader of the Brown Smith Wallace risk services practice. Prior to joining the organization, he led Arthur Andersen’s St. Louis, Missouri, USA-based risk consulting practice and led the Great Plains (USA) regional business systems audit practice. His specialty is bringing larger enterprise practices to small and medium-sized enterprises. In his more than 20-year career, Munns has managed and audited the implementation and support of enterprise systems and processes including SAP, PeopleSoft, Lawson, JD Edwards and custom client/server systems.