While there are commonalities to most risk assessments, companies in regulated industries that store sensitive customer data must follow additional government-mandated protocols. The overall goal is to gain an end-to-end understanding of the current risk to your environment. A full security assessment can also be scoped to compliance-related areas, such as PCI or HIPAA.
Here are some common assessment procedures for BYOD and cloud risks that apply to any business, and a brief outline of requirements, with links to further information, for businesses with special data-protection needs.
As mobile devices proliferate and their capabilities evolve rapidly, risk assessments must be reevaluated frequently. BYOD risks center on five main categories:
- Lost or stolen devices – May be mitigated by a remote “wipe” policy, but this relies on employees reporting the loss promptly
- Device security – Varies across devices; some may lack encryption
- Data access – Is access tiered on a “need to know” basis?
- Authentication – Are password/PIN requirements in place?
- App risk/presence of malware – May be mitigated by app virtualization or sandboxing
Assessing cloud security means rating the cloud provider’s policies and systems. Here are some main areas to consider:
- Access – What controls are in place for administrators with access to your data, including how they are supervised and what happens in their absence?
- Data security – What security and patching policies are in place? In a multi-tenant environment, how is your data segregated from other customers’ data?
- Data ownership and location – What procedures are in place if the provider moves your data or goes out of business?
- System reliability/disaster recovery – What are the mechanisms and lag times for restoration?
- Regulatory compliance – Audit records must be reviewed regularly; the customer is ultimately responsible for data integrity
Companies that accept payment cards must abide by the PCI Data Security Standard (PCI DSS), including Requirement 12.1.2, which governs risk assessment. An SSL certificate alone does not satisfy this requirement. PCI businesses must verify that they perform an annual risk assessment that identifies threats and vulnerabilities and documents the results. They must also verify that they review the security policy annually and update it when the environment changes.
Companies governed by the Health Insurance Portability and Accountability Act (HIPAA) must conduct a risk assessment in compliance with HIPAA’s physical, administrative, and technical standards for securing protected health information. The government has created a security risk assessment tool to guide users through the process. Materials are updated annually.
Personally identifiable information (PII) is any data that can be used to identify a specific individual. There are two kinds: non-sensitive PII, which is available in public databases, and sensitive PII, which could cause harm to individuals if released. Sensitive PII, including medical and financial data and unique identifiers such as Social Security numbers, should be encrypted both in transit and at rest. Companies are responsible for determining which of their data is sensitive PII and for abiding by the laws and industry standards that govern its protection.