While there are commonalities to most risk assessments, companies in regulated industries that store sensitive customer data must follow additional government-mandated protocols. The overall goal is to gain an end-to-end understanding of the current risk to your environment. However, a full Security Assessment can also be targeted at compliance-related areas, such as PCI or HIPAA.

Risk Assessment

Here are some common assessment procedures for BYOD and cloud risks that apply to any business, and a brief outline of requirements, with links to further information, for businesses with special data-protection needs.

BYOD

As mobile devices proliferate and their capabilities evolve rapidly, risk assessments must be reevaluated frequently. BYOD risks center around five main categories:

Lost or stolen devices – May be mitigated by a remote "wipe" policy, but this relies on employees reporting the loss promptly
Device security – Varies across devices; some may lack encryption
Data access – Is access tiered on a "need to know" basis?
Authentication – Are password/PIN requirements in place?
App risk/presence of malware – May be mitigated by app virtualization or sandboxing

Cloud

Assessing cloud security means rating the cloud provider's policies and systems. Here are some main areas to consider:

Access – What controls are in place for admins with access to your data, including oversight and coverage when an admin is absent?
Data security – What security and patching policies are in place? In the case of multi-tenancy, how is data segregated?
Data ownership and location – What procedures are in place if the provider moves your data or goes out of business?
System reliability/disaster recovery – What are the mechanisms and lag times for restoration?
Regulatory compliance – Audit records must be reviewed regularly; the customer is ultimately responsible for data integrity

PCI

Companies that accept payment cards must abide by the PCI Data Security Standards, including Requirement 12.1.2 governing risk assessment. An SSL certificate alone does not fulfill the requirements of this rule. PCI businesses must verify that they perform an annual risk assessment that identifies threats, vulnerabilities, and results. They must also verify that they review the security policy annually and update it when the environment changes.

HIPAA

Companies governed by the Health Insurance Portability and Accountability Act (HIPAA) must conduct a risk assessment in compliance with HIPAA's physical, administrative, and technical standards for securing protected health information. The government has created a security risk assessment tool to guide users through the process. Materials are updated annually.

PII

Personally identifiable information (PII) is any data that can be used to identify a specific individual. There are two kinds: non-sensitive, which is available in public databases, and sensitive, which could cause harm to individuals if released. Sensitive PII, including medical and financial data and unique identifiers such as Social Security Numbers, should be encrypted both in transit and at rest. Companies are responsible for determining which data is sensitive PII and for abiding by the laws and industry standards that govern its protection.