Many industries require proof that confidential data is being kept in a secure environment. Every major security framework and regulatory mandate lists a risk assessment as the first step in building out a compliant security program, but the process does not stop there. Organizations must commit to building and executing remediation plans in order to resolve the issues the assessment identifies and stay compliant.

Key compliance drivers for risk assessments vary from industry to industry.


The healthcare industry is entrusted daily with patient information and must handle all of it with the highest level of security. Hospitals, urgent care centers, physician practices and surgery centers, to name a few, must stay within HIPAA compliance. The lack of a risk analysis as part of a broader risk management strategy is one of the deficiencies most often cited by the HHS Office for Civil Rights when it investigates and audits HIPAA compliance. Furthermore, for organizations participating in Meaningful Use, a risk analysis is one of the required core objectives for protecting ePHI.


Banks, credit unions, and other financial institutions manage millions of pieces of sensitive financial and personal data each day. Regulatory bodies such as the OCC and FFIEC monitor these institutions and require that all compliance guidelines are being met at all times. Regulators and examiners will want to see your risk assessment when they come calling.


It does not matter whether you are a big box store or a small boutique: all retail organizations must secure the cardholder data they handle. The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards designed to ensure that every company that accepts, processes, or stores credit card information keeps that data secure. Risk management is a key component of PCI DSS.


Just because you do not fall into one of the three industries discussed above does not mean you are not required to keep your data secure. A risk assessment is required in order to build a quality security program. If your organization is building its security program around a framework of accepted best practices such as ISO 27001/2, NIST 800-53, or the SOC 2 Trust Services Principles (TSP), each of these includes risk assessment and risk management as part of its framework.

Looking for a better way to ensure compliance and manage risks? Contact us today to learn what BALLAST can do to improve your cybersecurity posture.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.