Compliance and risk are major concerns for any organization that operates in a regulated market. While compliance and risk overlap in certain areas, they are not the same thing.
Deciding where to allocate resources, and how spending on one affects the other, is a real challenge. Complicating matters further, some compliance efforts can actually create risk rather than mitigate it.
Some compliance regulations include requirements that address risk. Those requirements, however, are often vague and, taken alone, will leave an organization exposed.
An annual review is certainly a valuable exercise, but a review alone ignores the way risk in an organization changes over time. Risk management isn't a checklist you work through once a year; it is a living, evolving process that must be flexible enough to remain effective as your environment changes.
Further, identifying risk and performing a risk assessment does not address risk; it only formalizes it. For example, because PCI DSS is scoped to payment card data, identifying the risk should be relatively straightforward, but mitigating it may not be.
The first step is to examine your actual needs. Do you need to establish a risk assessment program because you're out of compliance, or do you need to perform a risk assessment according to standard compliance requirements?
Most organizations will need to both establish a risk assessment program based on compliance requirements and do so in a manner that brings the risk in the organization below the tolerance level. Depending on the particular regulatory standard you're trying to achieve compliance with, you should be able to utilize a standard risk assessment methodology to help achieve both of these goals.
However, while it's a good idea to come up with a master risk assessment methodology, the elements of the methodology should be flexible enough that they can be applied in a manner that is relevant to the data in question.
PCI DSS, for example, pertains only to cardholder and related data, and the risks to that data may be completely different from the risks to the availability of a customer-facing service application.
So while the high-level steps in a risk assessment methodology may be the same, the details involved in implementing the steps can -- and often should -- be different.