Access "Overcoming obstacles in the security risk assessment process "
This article is part of the November 2011 issue of Effectively navigating the security risk assessment process
Information security risk assessments are a fundamental building block of any security program, much like security awareness training, policies, procedures, and technical safeguards. A risk assessment program is required by several regulations such as HIPAA, SOX, and FISMA. Risk assessment is also an essential element of all security standard bodies of generally accepted security practices such as ISO, COBIT, and NIST. Ideally, an effective risk assessment program should ensure necessary security controls are in place or put in place based on the information risks or threats that an organization faces. The risk assessment process should identify and prioritize any gaps found. In other words, an effective risk assessment program should drive an organization’s security initiatives and its program. However, security risks assessments are subjective exercises. Risk assessments can be inadvertently and advertently skewed based on interpretations and result in not implementing necessary security controls. Reluctance to spend money, perform unplanned activities ... Access >>>
Premium Content for Free.
PCI council developing point-to-point encryption certification program
by Robert Westervelt
PCI Security Standards Council plans to release a list of certified components in April.
VDI security supports active protection strategies
by Eric Ogren, Contributor
ISM November 2011 cover story: Eric Ogren on how virtual desktop infrastructure enhances compliance, data protection and malware protection.
- PCI council developing point-to-point encryption certification program by Robert Westervelt
Overcoming obstacles in the security risk assessment process
by Craig Shumard and Serge Beaulieu
An effective risk assessment process is essential, but many factors can skew the process and get in the way of security.
Cybersecurity threats target lack of SMB security
by Amy Rogers Nazarov
Cybercriminals are zeroing in on small and midsize businesses with fewer security resources.
- Overcoming obstacles in the security risk assessment process by Craig Shumard and Serge Beaulieu
Marcus Ranum chat: Information security monitoring
by Marcus J. Ranum, Contributor
Security expert and Information Security magazine columnist Marcus Ranum talks to Richard Bejtlich, CSO and vice president, Mandiant Computer Incident Response Team (MCIRT) at security firm Mandiant.
The lack of computer security: We’re all responsible
by Elizabeth Martin
We all have an explanation for weak security, but everyone needs to do their part to improve it.
Time for discourse on China computer hacking
by Michael S. Mimoso, Editorial Director
China is being accused of hacking corporate, government and military networks in the U.S. for economic gain. Policy makers need to be versed in cybersecurity and figure out how to respond.
- Marcus Ranum chat: Information security monitoring by Marcus J. Ranum, Contributor
More Premium Content Accessible For Free
Deploying data protection technologies properly requires a lot of time and patience. While most firms can get started by using preconfigured policies...
The bring your own device (BYOD) movement, which has flooded the enterprise with employee-owned smartphones, tablets, phablets and purse-sized ...
For so long penetration testing meant hiring an expert to use skill and savvy to try to infiltrate the company system. But, as with most ...