With this brief introduction in place, it should be clear why risk assessment matters and why it should not be treated as just another box to tick. Many organizations have suffered highly costly security breaches because their risk assessment was written once and never updated. Incidents like these should make us ask how we are protecting the company's assets against events that can occur at any moment, and which measures we are using to keep our protection systems current.
For an effective risk assessment, these points are key:
- Identify: Know which technology assets the company classifies as critical, and what they look like in practice (systems, data, services and the dependencies between them).
- Evaluate: Establish clear criteria that each asset must meet, so that the gap between those criteria and the asset's actual state reveals the existing security risks.
- Mitigate: Determine, for each identified risk, the measure that will reduce the likelihood or impact of a possible event.
- Prevent: Establish pre-assessed processes and appropriate tools that reduce the vulnerabilities that may appear over time.
A question that comes up time and again concerns the periodicity of this exercise. New threats emerge on the web every day, so how often is a risk assessment actually necessary?
As an example, we can look at the risk assessment required under HIPAA (Health Insurance Portability and Accountability Act), a US law enacted in 1996 whose Security Rule requires covered entities to perform a risk analysis. The law is built around these three purposes:
- To protect workers' health coverage when they change or lose their jobs, and to stop group health plans from discriminating against them on the basis of their health status.
- To give individuals control over their own health information: the right to see it, obtain a copy, request corrections and know who it has been shared with.
- To ensure that when an organization stores or shares somebody else's health care record, it is secured from prying eyes, which is where the risk assessment comes in.
HIPAA does not fix a single interval for this. The Security Rule requires the risk analysis to be periodic and to be revisited whenever the environment changes, and HHS guidance notes that the frequency varies between entities: some perform it annually, others as needed (for example every two or three years), depending on the circumstances in which the entity finds itself. In every case a significant change, such as a new system, a new vendor or a breach, calls for a fresh assessment.
The importance of the risk assessment lies in the value of each step within it, and in updating and renewing it whenever necessary. The frequency is therefore for each organization to decide according to its own circumstances, but it must never go to the extreme of not carrying it out at all if it wants to maintain a safe environment for its assets and the processes that depend on them.