Transforming Security Culture through Risk Assessments

A number of regulations, such as HIPAA, require an institution to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive data and systems handling this data. Our session provides a framework that can be used to jump-start a risk assessment program at an organization. This session focuses on implementing a program by focusing on key infrastructure elements first and standardizing the risk analysis based on evaluating a threat, its likelihood, and impact to an organization. In addition, we cover the importance of identifying the organizational risk appetite so that risk findings do not overwhelm the teams tasked with addressing or mitigating the risk findings, and we provide some lessons learned from tracking risk findings in a risk register.