Risk management is the mechanism by which a company ensures it follows current and relevant regulations, operates effectively, and protects sensitive information and data. Depending on its size, a company appoints an individual or a team to be responsible for monitoring the effectiveness of its risk management posture and of the internal controls placed into the environment. Appointing risk and internal controls experts is critical to ensuring that the company's control measures are appropriate, sustainable, and effective. This requires a formal mapping exercise to determine whether gaps or inconsistencies exist between each risk and the control meant to address it, so that these differences can be quickly addressed and amended.

Information Security Risk Assessment

By definition, controls are the people, processes, and solutions that prevent, detect, or correct the issues caused by unforeseen or unwanted risks. Controls must be established in order to determine what is to be protected, why it should be protected, how it should be protected, and how to measure the effectiveness of that protection. If successful, controls reduce risk and minimize waste and loss. Without controls in place to mitigate risk, the company increases its exposure to unintended damage or external attacks resulting from unforeseen or unexpected events.

There are three types of controls:

  • Preventive: internal controls that prevent an event that might affect the achievement of organizational objectives. For example, one type of preventive control is access control, which ensures that only authorized personnel have access to data, thereby preventing unauthorized users from gaining access.
  • Detective: internal controls that detect whether something improper has occurred. For example, regularly reviewing the activity of power users can reveal unusual activity, and exception reporting calls attention to transactions that differ significantly from the norm.
  • Corrective: internal controls that correct an adverse event that has already occurred. For example, automatically restoring backups after a database failure, or invoking disaster recovery plans in case of an unforeseen event or circumstance (such as a flood).
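As an added illustration of the detective controls described above (example code, not part of the original text), the following script applies two such checks to a constructed transaction log: an exception report that flags amounts far outside a user's own norm, and a review listing of privileged-user activity outside business hours. The z-score threshold, the minimum history length and the business-hours window are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed sample transaction log (not real data): one record per
# transaction with the acting user, the amount, whether the user holds a
# privileged ("power user") role, and the hour of day the action ran.
TRANSACTIONS = [
    {"user": "alice", "amount": 120.0, "privileged": False, "hour": 10},
    {"user": "alice", "amount": 135.0, "privileged": False, "hour": 11},
    {"user": "alice", "amount": 110.0, "privileged": False, "hour": 14},
    {"user": "alice", "amount": 4800.0, "privileged": False, "hour": 15},
    {"user": "bob", "amount": 300.0, "privileged": True, "hour": 9},
    {"user": "bob", "amount": 310.0, "privileged": True, "hour": 13},
    {"user": "bob", "amount": 295.0, "privileged": True, "hour": 16},
    {"user": "bob", "amount": 305.0, "privileged": True, "hour": 2},
]

def exception_report(transactions, z_threshold=3.0, min_history=3):
    """Flag transactions that deviate from the same user's other
    transactions by more than z_threshold standard deviations.
    Each amount is scored against the user's remaining amounts
    (leave-one-out) so a single outlier cannot mask itself."""
    by_user = {}
    for t in transactions:
        by_user.setdefault(t["user"], []).append(t["amount"])
    flagged = []
    for user, amounts in by_user.items():
        if len(amounts) <= min_history:
            continue  # not enough history to define a norm for this user
        for i, amount in enumerate(amounts):
            rest = amounts[:i] + amounts[i + 1:]
            mu, sigma = mean(rest), pstdev(rest)
            if sigma == 0:
                z = float("inf") if amount != mu else 0.0
            else:
                z = (amount - mu) / sigma
            if abs(z) > z_threshold:
                flagged.append((user, amount, round(z, 1)))
    return flagged

def power_user_review(transactions, business_hours=range(8, 18)):
    """List privileged-user actions outside business hours for review."""
    return [(t["user"], t["hour"]) for t in transactions
            if t["privileged"] and t["hour"] not in business_hours]

if __name__ == "__main__":
    print("exception report:", exception_report(TRANSACTIONS))
    print("power-user review:", power_user_review(TRANSACTIONS))
```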