A security risk assessment identifies and evaluates the threats and vulnerabilities that matter to an organization's applications and selects the key security controls that address them. It also focuses on preventing application security defects and vulnerabilities rather than only reacting to them. Carrying out a risk assessment lets an organization view its application portfolio holistically, from an attacker's perspective, and gives managers the basis for informed decisions about resource allocation, tooling, and which security controls to implement. Conducting an assessment is therefore an integral part of an organization's risk management process.
Factors such as organization size, growth rate, available resources, and the asset portfolio determine how deep the risk assessment model needs to be. An organization facing budget or time constraints can carry out a generalized assessment. However, a generalized assessment does not necessarily provide detailed mappings between assets, their associated threats, the identified risks, the potential impact, and the mitigating controls.
If the results of a generalized assessment do not establish enough of a correlation between these areas, a more in-depth assessment is necessary.
A comprehensive security assessment allows an organization to:
It is important to understand that a security risk assessment is not a one-time security project. Rather, it is an ongoing activity that should be repeated at least once every other year. Reassessing on a regular basis gives an organization a current, up-to-date snapshot of the threats and risks to which it is exposed; a snapshot taken before an application, its dependencies, or the threat landscape changed no longer describes the actual risk.
At Black Duck, we recommend annual assessments of critical assets, that is, those with a higher likelihood and impact of risk. The assessment process creates and collects a variety of valuable information. A few examples include:
Most organizations need some amount of personally identifiable information (PII) or protected health information (PHI) for business operations. This information comes from partners, clients, and customers. Data such as Social Security numbers, tax identification numbers, dates of birth, driver's license numbers, passport details, and medical history are all considered confidential information.
As such, any organization that creates, stores, or transmits confidential data should undergo a risk assessment. Risk assessments are also required by a number of laws, regulations, and standards, including HIPAA, PCI DSS, the Massachusetts data protection regulation 201 CMR 17.00 (issued under Massachusetts General Law Chapter 93H), the PCAOB's Auditing Standard No. 5 used for Sarbanes-Oxley audits, and the Federal Information Security Management Act (FISMA).
Organizations often question the need for compliance and adherence to these regulations. At Black Duck, we feel that an organization should undergo a security risk assessment in order to remain compliant with a unified set of security controls: controls that have been defined and agreed upon by the bodies behind these regulations and standards.
In fact, these controls are accepted and implemented across multiple industries, which makes them a useful yardstick for an organization's overall security posture. The same bodies also recommend performing an assessment for any asset containing confidential data. Assessments should take place at least every two years, annually, or at any major release or update, whichever comes first.
