Three Categories Regulators Expect Your Risk Assessment To Fall Under

By Hana LaRock | CEO Best Practices

Jun 06

Up until now, when auditors and regulators of cyber-security came to companies, most of the time they would just ask to see whether an assessment was done. It was even less likely that they would have asked the details of that assessment. But, now, that’s starting to change.

Some companies these days have gotten into trouble with auditors and regulators because even though they had done an assessment, the assessment was either not as comprehensive as it should have been or the company didn’t act on the risks that the assessment reported.

If you want to make sure your risk assessment is done correctly, then you must make sure it falls under one of these three categories:

1) Standardized:

There are many different kinds of risk assessments out there, and what you use will depend on a lot of factors. First of all, it depends on what kind of business you’re in and how much a hack could affect the lives of your customers and employees. Of course, there are some businesses that are held up to higher standards than others when it comes to an auditor’s discretion. That being said, you should always set the security bar high for yourself no matter what, this way you know you’ll be safe.

Whatever route you decide to go with your risk assessment, you should ask the organization that’s doing it whether or not the test they choose to perform is standardized; meaning if the test were repeated again at your business or another, it would produce (more or less) the same results. At the very least, the assessment should yield the same, specific kind of information across the board.

2) Relevant:

As mentioned before, a test that’s done for one company may not work for another. If your third-party is running the same assessment on your small e-commerce site that’s it’s doing on a multi-million dollar health insurance company, that could very well be a red flag.

Some of the assessments you may have heard of include, but are not limited to, FAIR, OCTAVE, FMEA, etc. Some fall into the category of qualitative assessments, while others fall into the category of quantitative. This means that some assessments will look at data and other factors over a long period of time, while others are simply based on an expert’s opinion. The results of these assessments can be expressed in different ways, usually referring to the various direct or indirect costs.

When the assessment is done, it should be able to answer key questions that are relative to your business. What vulnerabilities do you have in your system? What could be causing the threat? What kind of damage are you looking at if these threats take hold? And, of course, how to fix it.

3) Explicit:

So, if auditors and regulators are starting to ask more questions, don’t you want to be ready with more answers? If you happen to have an auditor come knocking on your door that wants to know much more than whether or not you’ve simply done on an assessment, then you need to be prepared. What we’re trying to say is, your assessment shouldn’t merely report the date you had it done, when you’re due for a next one, and by whom was it administered.

Instead, your assessment needs to have explicit information and data on it that will be satisfactory to the potential auditor. If you want to get a heads up about what an auditor might look for, speak to the organization that will be conducting your assessment.

Remember, even if you go through all this work to have the right assessment done for your company in the eyes of the auditors, it won’t mean much if you’ve left that assessment report in a pile of papers on your desk. In addition to making sure your assessment falls into one of these three categories, you also need to address anything that assessment uncovers; immediately. Also, make sure you continue to get assessments done regularly in order to stay on top of your security.

In the meantime, try our RiskAware™ Cyber Security Scan & Report to see where your security currently stands.