Using NIST for Security and Risk Assessment


Whether simple or complex, the goal of an effective security or risk assessment is to identify the internal and external weaknesses and vulnerabilities of an information system (traditional IT or IoT), determine the system's level of compliance with a given standard, and evaluate the degree of risk each weakness or vulnerability poses to the system.

A security assessment differs from a risk assessment in that it evaluates compliance (whether the required controls are in place and working as specified), whereas a risk assessment evaluates the likelihood and impact of threats to an information system. The two are complementary: a system can be fully compliant with a standard and still carry risk the standard does not address.
Regardless of sector or industry, and whether the environment is "traditional" IT or IoT, the first step toward protecting information is identifying the systems that store, transmit or manipulate it and assessing their level of security and risk.

The Shared Challenge of Security & Risk Assessment in Cybersecurity

In some ways, conducting a security or risk assessment has shifted from a relatively straightforward task to a complex undertaking. Hosted and cloud-based computing stand out as contributors to this complexity, because their design and architecture divide a single system's components, and the responsibility for them, among several parties.

For example, it used to be that an application was (or could be) developed, hosted and maintained by a single company or organization. Since hardware and software resources were under the company's direct control, the information needed for a security or risk assessment was readily available and easily mapped to security requirements. With the advent of distributed and cloud computing, however, information about an application's operation, performance and security is split among two or more organizations. Responsibility for security becomes "shared," and unless the assessor identifies who is responsible for which control (and when), the assessment will contain gaps: controls that each party assumes the other has implemented. Moreover, since no two companies or organizations are alike (or operate alike), their approaches to information and system security may differ considerably. The challenge in a distributed technology environment, therefore, is how to apply a common set of security standards or requirements uniformly across all parties in order to produce an accurate and balanced assessment.

In healthcare, the federal government addresses shared responsibility in Part 1, Section 13401 of the HITECH Act. It applies HIPAA's Administrative, Physical and Technical Safeguard provisions to any Business Associate (BA) that handles Electronic Protected Health Information (ePHI), and makes Business Associates responsible for protecting that information "in the same manner that such sections apply to the covered entity."

Since every company or organization involved (Covered Entity or Business Associate) is required to meet the same level of security, assessment is simplified: the same security requirements apply to every party regardless of the business relationship between them.

Comparable requirements exist for other sectors, for example PCI DSS (a contractual industry standard rather than a law) for any organization that handles payment card data, and SOX for the financial reporting controls of publicly traded companies, whether in Finance, Manufacturing or Energy.

Regardless of industry or sector, the responsibility to protect sensitive information (whatever its purpose) is borne equally by every company or organization that has access to or otherwise "touches" (creates, stores, manipulates or transmits) sensitive or controlled data.

In shared-responsibility systems the requirements for security and risk assessment do not change, but the ability to evaluate such systems accurately may. It is therefore essential that the processes and methods used to assess security in this type of environment be based on established guidelines or recognized industry standards, such as the NIST publications discussed in this document, so that every party is measured against the same criteria.

Attribution

Using NIST for Security and Risk Assessment by Thomas P. Dover is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
