
Analytics | Quick Hits
3/15/2013 06:31 AM
Dark Reading

Assessing Risk In Your Enterprise Compliance Initiative

Measuring risk is an important part of many compliance projects. Here are some tips to help you do it right.

[The following is excerpted from "Assessing Risk In Your Enterprise Compliance Initiative," a new report posted this week on Dark Reading's Compliance Tech Center.]

Compliance and risk are major concerns for any organization that operates in a regulated market. While compliance and risk overlap in certain areas, they are not the same thing.

Trying to determine where resources should be allocated -- and how one might affect the other -- can be a real challenge. Complicating things even further is the fact that some compliance efforts may actually create risk, rather than mitigate it.

Some compliance regulations include requirements that address risk. However, the requirements are often vague and, taken alone, will leave an organization vulnerable.

While an annual review is certainly a valuable exercise, such a review alone ignores the progressive nature of risk in any given organization over a period of time. Risk management isn't some checklist that you go through once a year. It's a living, evolving process that must be flexible enough to be effective in your ever-changing environment.

Further, simply identifying risk and performing a risk assessment doesn't address risk -- it only formalizes it. For example, because PCI DSS addresses credit card data, the risk identification process should be relatively straightforward, but mitigating that risk may not be.

The first step is to examine your actual needs. Do you need to establish a risk assessment program because you're out of compliance, or do you need to perform a risk assessment according to standard compliance requirements?

Most organizations will need to do both: establish a risk assessment program based on compliance requirements, and run it in a manner that brings the organization's risk below its tolerance level. Depending on the particular regulatory standard you're trying to comply with, you should be able to use a standard risk assessment methodology to help achieve both of these goals.

However, while it's a good idea to come up with a master risk assessment methodology, the elements of the methodology should be flexible enough that they can be applied in a manner that is relevant to the data in question.

PCI DSS, for example, pertains only to cardholder and related data, and risks to that data may be completely different from risks to the availability of a customer-facing service application.

So while the high-level steps in a risk assessment methodology may be the same, the details involved in implementing the steps can -- and often should -- be different.

To read more about the steps you need to take to measure risk -- and how to build risk assessment into your compliance initiative -- download the free report.
