Special Risk Circumstances While there are commonalities to most risk assessments, companies in regulated industries that store sensitive customer data must follow additional government-mandated protocols. The overall goal is to gain an understanding, from an end-to-end perspective, of what the current risk is to your environment. However, a full Security Assessment can be targeted against compliance-related areas, like PCI or HIPAA. Risk AssessmentHere are some common assessment procedures for BYOD and cloud risks that apply to any business, and a brief outline of requirements, with links to further information, for businesses with special data-protection needs. BYOD As mobile devices proliferate and their capabilities evolve rapidly, risk assessments must be reevaluated frequently. BYOD risks center around five main categories: Lost or stolen devices – May be mitigated by “wipe” policy, but relies on employees to report Device security – Varies across devices; some may lack encryption Data access – Is access tiered on a “need to know” basis? Authentication – Are password/pin requirements in place? App risk/presence of malware – May be mitigated by app virtualization or sandboxing Cloud Assessing cloud security means rating the cloud provider’s policies and systems. Here are some main areas to consider: Access – What controls are in place for admins with access to your data, including oversight and absence? Data security – What security and patching policies are in place? In the case of multi-tenancy, how is data segregated? Data ownership and location – What procedures are in place if the provider moves or goes out of business? System reliability/disaster recovery – What are mechanisms and lag times for restoration? Regulatory compliance – Audit records must be followed regularly; customer is ultimately responsible for data integrity PCI Companies that accept payment cards must abide by PCI Data Security Standards, including Requirement 12.1.2 governing risk assessment. An SSL certificate does not fulfill requirements for this rule. PCI businesses must verify that they have an annual risk assessment that identifies threats, vulnerabilities, and results. They must verify that they review the annual security policy and update it when the environment changes. HIPAA Companies governed by the Health Insurance Portability and Accountability Act (HIPAA) must conduct a risk assessment in compliance with HIPAA’s physical, administrative, and technical standards for securing protected health information. The government has created a security risk assessment tool to guide users through the process. Materials are updated annually. PII Personally identifiable information (PII) is any data that can be used to identify a specific individual. There are two kinds: non-sensitive, which is available in public data bases, and sensitive, which could cause harm to individuals if released. Sensitive PII, including medical and financial data and unique identifiers such as Social Security Numbers, should be encrypted both in transit and at rest. Companies are responsible for determining which data is sensitive PII and abiding by laws and industry standards for protecting it. Related content brandpost Creating a Truly Immersive, Connected Fan Experience By Tim Allen Oct 04, 2017 1 min Consumer Electronics brandpost 6 Reasons to Modernize with Intel® and Microsoft By Dave Olivier Sep 28, 2017 4 mins Enterprise Applications brandpost Simplified Global IT Procurement By Jamal Khan Sep 22, 2017 1 min Technology Industry brandpost Funding Education Technology for Students with Disabilities How technology can support students with disabilitiesrn By Lisa Trisciani Sep 13, 2017 1 min Technology Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe