Disgruntled employees, hackers, incompetent personnel, and competitors engaged in corporate espionage are all concerns for a business. Even more concerning is what they can do to your data. Theft, corruption, errors, or complete data loss are reason enough to possibly lose some sleep at night. This is why every business must be cognizant of the potential risks to their information. This doesn’t just refer to financial data but also key information needed to continue being a viable entity. Customer lists, proprietary information about products or services, and contracts that give the business a competitive advantage all fall within this group. In order to ensure that data is safe, an information security risk assessment should be conducted at least on an annual basis.
Even before a risk assessment is conducted, the business will need to determine a set of baseline standards related to data security that it should meet. These standards will look at things like access rights, password protocols, physical controls over equipment, policies and procedures for the business and many other items. Once these standards are set, then the risk assessment should look at the following areas:
1. What information sources does the business have and what information comes from those sources?
2. How sensitive is each data source? Does it contain information that if breached would become a legal issue (like credit card information or employee data)? Is it commercially important to the business? Or is it just “run of the mill” information that if disclosed would not cause any harm?
3. What would be the business impact if the data source was compromised, lost or stolen?
4. What is the level of threat and degree of vulnerability to each data source from internal attacks, external attacks, system malfunctions, process changes or regulatory requirements?
5. What is the likelihood of an incident in each of these areas occurring?
6. What are the specific risks in each of these areas that can be identified?
On the surface, this might seem a daunting task, but if you assess the top four or five data sources for the business, this will usually flush out most of the major issues.
This process is usually driven by the Internal Audit department, but if your company doesn’t have one, the responsibility for ensuring the assessment is done may fall to the finance & accounting department. However, this doesn’t mean you should be the only ones involved in the assessment. Getting input from all functional areas of the company is important. Also, this isn’t and shouldn’t be an exercise conducted by the IT department alone. Although our friends in IT are usually on top of what’s happening in the business from a data perspective, this assessment is more than just making sure password protocols and firewalls are in place. The assessment speaks to the entire business process and should be treated as such.
There is also another very good reason to involve others. It is important to get consensus from within the business about what data is most vital to ongoing operations. Everyone thinks their information is important, but in the big picture, some data sources will be head and shoulders above the rest. These are the data sources that need to be examined with a critical eye, and it makes the process easier when everyone has agreed to this.
As the risk assessment is completed, it will highlight areas of concern, and a list of things to be done to improve data security will result. Some of these things will be IT-related, but the list may also include efforts by the HR department to write up policies and update employee handbooks, or require department managers to educate their employees about new procedures. By considering the analysis of data sensitivity, business impact, threat and vulnerability, and likelihood, this list can be prioritized to drive the work to the biggest issues first. The end result is hopefully more secure data and a few fewer sleepless nights.