
Conducting a Risk Assessment

January 14, 2013

If companies could easily identify and understand all the types of risks to their business and could evaluate how to effectively mitigate those risks, then the world would be a much more boring place. Read on to learn how to approach a risk assessment for data protection practices, an approach that can be applied to a number of information security standards, including the Payment Card Industry Data Security Standard (PCI DSS).*

First, establish a risk assessment team. Too often, an IT person is assigned to conduct a risk assessment that, because of their role, naturally becomes IT focused. While some technology risks are addressed that way, the intent is an organizational risk assessment. Bringing the business and IT teams together and bridging that knowledge gap is a key action in conducting a risk assessment.

Second, establish with the organization that protecting data is the primary goal, and that all of the people, processes, hardware, software and other technology are tools used to do something with the data.

Third, identify operational and technical risks. Operational risks can include compliance, financial and reputational risks (e.g., what happens if data is exposed, lost or manipulated?), and technology risks include all risks related to the use of IT (e.g., how do we ensure only authorized users have access to data?).

Determining how to identify operational and technical risks can be broken down into these steps:

Step 1 – Identify and Map Business Processes

Work with business teams to identify what sensitive data they have access to, understand what processes interact with the sensitive data and develop process flow diagrams for the processes.

Step 2 – Determine what could go wrong

Some examples are employee theft of data, unauthorized access (both deliberate and accidental), unauthorized code changes, unexpected data manipulation or incorrect calculations, power outages and natural disasters.

Step 3 – Determine likelihood and impact

Impact evaluations can include both subjective and objective inputs from a number of resources (e.g., financial impact to a business includes regulatory or legal fees, loss of business and cost to recover).

Step 4 – Evaluate Controls in Place

Controls can be operational, such as change control and management approval stages, or technical, such as access control lists, current OS patching, IDS/IPS or anti-virus tools. Key controls are the primary mitigation tool and are required to provide reasonable assurance that a risk is effectively mitigated. Non-key controls are controls that can fail and may make your day interesting, but whose failure will not adversely affect the entire process.

Step 5 – Are Existing Controls Appropriate

Re-evaluate the likelihood and impact of the risk being realized assuming the controls are operating as intended. This is the residual risk, which is what management ultimately accepts or asks to have reduced further.

Step 6 – Are Controls Operating Effectively

Examples include evaluating whether the appropriate testing is completed, documented and approved before software updates are deployed. A control that exists on paper but is not actually operating should earn no credit in the residual rating from Step 5.

Step 7 – Management Alignment and Approval

Brief the business process owners and the executives responsible for those processes on how the assessment was conducted and what the final results are, and obtain their approval of the residual risks and any remediation plans.

Step 8 – Monitoring and Reporting

Implement some method of self-monitoring to ensure activities are carried out appropriately (e.g., periodic sample audit by a manager or senior member of the team).
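The following risk register is an added example, not code from the original post or from Optiv; it models Steps 1 through 8 above so that the effect of a control that is not operating (Step 6) on the residual rating (Step 5) can be seen rather than argued. The 1-5 likelihood and impact scales, the per-control reduction values, the HIGH/MEDIUM/LOW thresholds, the rule that a failed key control is escalated regardless of score, and the three sample risks are all constructed assumptions for illustration; substitute your organization's own scales and data.

```python
"""Risk register model for the eight-step assessment above.

Added example, not code from the original post. The 1-5 likelihood and
impact scales, the per-control reduction values, the rating thresholds
and the sample risks are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Control:
    name: str
    key: bool                  # Step 4: key controls are the primary mitigation
    operating: bool            # Step 6: found to be operating effectively?
    likelihood_reduction: int  # assumed: points removed from likelihood (1-5 scale)
    impact_reduction: int = 0  # assumed: points removed from impact (1-5 scale)


@dataclass
class Risk:
    process: str        # Step 1: business process that touches the sensitive data
    threat: str         # Step 2: what could go wrong
    likelihood: int     # Step 3: inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int         # Step 3: inherent impact, 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> Tuple[int, int]:
        """Step 5 rating: credit only the controls Step 6 found operating;
        a control that exists on paper but is not operating earns nothing."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.operating:
                lik -= c.likelihood_reduction
                imp -= c.impact_reduction
        return max(lik, 1), max(imp, 1)

    def residual_score(self) -> int:
        lik, imp = self.residual()
        return lik * imp

    def failed_key_controls(self) -> List[str]:
        return [c.name for c in self.controls if c.key and not c.operating]


def classify(score: int) -> str:
    """Assumed thresholds on the 1-25 likelihood x impact scale."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


def report(register: List[Risk]) -> List[dict]:
    """Step 7/8 output. A risk whose key control is not operating is marked
    ESCALATE whatever its residual score, because a key control is the one
    required for reasonable assurance that the risk is mitigated (assumed rule)."""
    rows = []
    for r in register:
        failed = r.failed_key_controls()
        rows.append({
            "process": r.process,
            "threat": r.threat,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "rating": "ESCALATE" if failed else classify(r.residual_score()),
            "failed_key_controls": failed,
        })
    # Escalations first, then worst residual score first.
    rows.sort(key=lambda row: (row["rating"] != "ESCALATE", -row["residual"]))
    return rows


def sample_register() -> List[Risk]:
    """Constructed sample data using the post's own examples of what can go wrong."""
    return [
        Risk("Card payment capture", "Employee theft of cardholder data", 3, 5, [
            Control("Role-based access control lists", key=True, operating=True,
                    likelihood_reduction=2),
            Control("Quarterly access review", key=False, operating=True,
                    likelihood_reduction=1),
        ]),
        Risk("Payment application deployment", "Unauthorized code change", 4, 4, [
            Control("Change control with documented test approval", key=True,
                    operating=False, likelihood_reduction=2),
            Control("Anti-virus on build servers", key=False, operating=True,
                    likelihood_reduction=1),
        ]),
        Risk("Data center operations", "Power outage", 2, 4, [
            Control("UPS and generator", key=True, operating=True,
                    likelihood_reduction=0, impact_reduction=3),
        ]),
    ]


if __name__ == "__main__":
    for row in report(sample_register()):
        print(f'{row["rating"]:8} inherent={row["inherent"]:2} residual={row["residual"]:2} '
              f'{row["process"]}: {row["threat"]} {row["failed_key_controls"]}')
```

In the sample data the unauthorized code change risk ends up with a residual score of 12, lower than the theft-of-data risk's inherent 15, yet it sorts to the top because its only key control (change control) was found not operating in Step 6. That is the point of separating key from non-key controls: the anti-virus tool still earns its credit, but it cannot substitute for the control management is relying on.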

Following these steps as a guide is a good place to start and as your program matures you will find the information to be both valuable and eye-opening. 


*PCI DSS Requirement 12.1.2 requires that the organization's security policy include an annual process that identifies threats and vulnerabilities and results in a formal risk assessment.

