Data security is primarily a risk management issue rather than a technical one, so responsibility ultimately belongs to the asset owner or, in larger companies, to Executive Management staff. They are the ones who will have to answer for a potential data breach involving confidential and personally identifiable information, which could result in the loss of personal assets following lawsuits and other legal ramifications.
The short answer is that the level of risk management and associated security controls needed to safeguard data is based on the level of risk your organization can afford. Security is an ever-evolving challenge and most organizations need a security risk management plan that is based on periodic risk assessments and ongoing monitoring and management.
A Risk Assessment is one of the key components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments identify, prioritize, and estimate risk to organizational operations (i.e., mission, functions, image, and reputation) resulting from the operation and use of information systems.
A Risk Assessment performed by CyberRisk Management establishes a Risk Profile for your organization and includes a professional Gap Analysis identifying any missing security controls. These findings and recommendations are then prioritized based on your Risk Profile. A Security Risk Management Plan is also included as part of this Risk Assessment engagement.
Because risk management is an ongoing process, organizations should evaluate the risks and vulnerabilities in their environments on an annual basis and then implement policies, procedures, and appropriate security controls to address them. Only then does the risk management process remain effective.
Security needs depend on what assets you have at risk: client information, intellectual property, etc. The protection of any consumer data (payroll, loan, tax returns, patient records, credit card numbers, etc.) is regulated, regardless of the industry. Many small businesses have more compliance requirements than they actually realize. Even if a business is not subject to lawsuits or fines resulting from a data breach, the impact on its reputation can be equally disastrous, regardless of its size (48 states have passed Data Breach notification laws which impact all organizations). Once you determine your risk, you can determine what you need to worry about from an IT security standpoint.
A vulnerability scan can identify known vulnerabilities and potential risk levels at a single point in time. However, periodic vulnerability scans alone do not adequately address a client's risk management needs. A security risk assessment involves a much more comprehensive review of risk factors and their probability of occurrence, as well as an analysis of existing IT security controls. It can also provide the basis for an annual security management plan.