Is Your Security Risk Assessment (SRA) Valid?

We're often told, "I've done a security risk assessment," or "We had one of those done by a company."  When we ask if they have 1) an SRA report, 2) a risk management plan with prioritized corrective actions, 3) a disaster recovery plan, 4) an emergency response plan, 5) a breach notification plan, 6) current training and in use, 7) current policies and procedures; we get blank stares.  We've also performed SRAs after some of the large, "known" compliance consulting firms have performed an SRA.  What we find is that they have done a very poor job of actually creating for you, the client, a clear, easy to use, gap analysis of what you must do to protect your data.

First of all, forget about being compliant, that is NOT the goal.  The goal is to protect your clients' personal data which in turn will protect your business from suffering a costly breach.  How do you protect your clients' data, you might ask?  Start with a valid security risk assessment that actually checks that you are doing the correct things to protect the valuable data (PHI, PCI, PII, UCI, personal data, etc.)

  1. Answer every question honestly.
    1. Make sure you meet the current requirements of HIPAA, HITECH, and the omnibus rule.
      1. Policies and Procedures have to be written or updated after 2013.
      2. Business Associate agreement has to be written or updated after 2013.
      3. An SRA must be performed annually and after each breach occurs.
  2. Ask for verification from IT or your MSP about the following:
    1. Actually perform a computer operating system assessment.  This will help you know whether your computers have been hardened and what to correct on each type of operating system.
    2. Proof that the backups can be restored.
    3. An inventory listing of every piece of equipment on the network.
    4. A data flow diagram of every place sensitive data exists; not just where it is known to exist, search and discovery everywhere it exists.
    5. Also note, penetration testing, network inventory, data inventory, network vulnerability testing should all be Standard Operating Procedures, not just part of your assessment.
  3. Take the results of the assessment and create an action item list in prioritized order of risk.


Key signs the company is NOT offering you a current, useful or valid Security Risk Assessment

  1. It's performed on paper.  Seriously, it's 2018.  We've had personal computers for over 35 years; we've had the web application over 20 years.
  2. It's in a spreadsheet.  A little better, but do they merge all of the questions and provide a prioritized list of corrective actions?  (A risk management plan.)
  3. Do they offer any assistance in remediation or do they leave you with a document that you don't know how to use to improve your data security?

Think before you spend your valuable money on an assessment that won't help you protect your data.

If your organization needs a security risk assessment, compliance management plan, or cyber security plan; or you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:

Protect your Clients. Protect your Organization. Protect Yourself.™

Robert Felps
About the Author

Innovative problem solver. Robert Felps takes a holistic view of the situation, understanding the business objectives, then architects a solution that exceeds the expectations for much less than standard industry solutions would cost.

%d bloggers like this: