Once-A-Year Cyber Risk Assessments Aren't Enough
Many experts believe most organizations aren't assessing IT risks often enough.
Even though many compliance mandates such as HIPAA require risk assessments only be performed annually, that's not nearly often enough for most organizations, says Gary Alterson, director of risk and advisory services for Neohapsis.
"Given the rapidly changing threat environment and how fast IT moves, I recommend that risk assessments be refreshed and reviewed at least quarterly, if not monthly," Alterson says.
But the reality is that most organizations today have a hard enough time keeping up with their annual risk assessments, says Jim Mapes, chief security officer at BestIT, which is why he says that organizations have to rethink the way they approach the process.
"A better approach is to make risk assessments more of a life cycle and process within the organization," he says. "Perform assessments continuously throughout the year, collecting data on new vulnerabilities, remediation of older vulnerabilities, and identification of problem areas where vulnerability could not be remediated and recording the business decision to mitigate the risk and impact to some other acceptable level."
Crucial to that evolution to a life cycle mentality is building time and resources into the IT life cycle for internal auditors, says Alterson's colleague, Nathaniel Couper-Noles, principal security consultant for Neohapsis. According to Couper-Noles, one of the most common refrains he has heard from auditees is that they're too busy for an internal audit. Read the full story on Dark Reading.