Risk Assessments are a lot like physicals. Though you don’t necessarily look forward to either, you know you need both. And when you get a clean bill of health or receive feedback on improvements you can make for a healthier body or system, you’re glad you did it.

At LBMC Information Security, our job is to take our clients painlessly through the audit process. It’s our job to ensure your data and your network are both safe and secure. With the development of our new risk assessment platform, BALLAST, we can not only deliver a thorough and easy-to-read risk assessment, but we can now also make the remediation process simple and efficient.

Before we talk about how BALLAST can change the way you look at risk assessments, let’s talk about:

  1. Why risk assessments are important to auditors
  2. Why the traditional risk assessment process can be difficult

Why Risk Assessments Are Important to Auditors

Beyond demonstrating that an organization is paying attention to security, requests for artifacts around the risk assessment process find their way into audit programs because auditors love to build on tried and true standards.

Here are a few of the standards and regulations that mandate risk analysis in the IT security realm.

  1. SOC Principles CC3 (and new SSAE 18 standards)
  2. ISO 27001:2013 8.2 & 8.3
  3. COBIT EDM03 & APO12
  4. COSO Risk Assessment Domain
  5. FISMA (NIST 800-53 R4) RA (entire domain)
  6. NIST Cybersecurity Framework ID.GV, ID.RA1-6, ID.RM 1-3
  7. PCI DSS 10.6.2 & 12.2
  8. HIPAA Security Rule Risk Management Process

This list is by no means exhaustive. Just about every significant framework or regulatory mandate around information security includes a requirement for risk assessment (or risk analysis) as part of a broader risk management program. So, there you have it. That’s how it made its way into their audit program.

What Makes the Risk Assessment Audit Process So Difficult?

Despite the fact that risk assessments are mandated by security standards—and we intuitively know that we need them—it can still be difficult to produce the artifacts auditors want.

Here are a few reasons why:

  1. Reliance on manual processes (spreadsheets and interviews).
  2. It’s difficult to engage all the stakeholders who need to participate.
  3. They don’t generate actionable data.
  4. They take too much time away from other tasks.
  5. Typically, nothing happens after the assessment.

All of these issues together make the IT audit process a lot more arduous than it should be for you and the auditor who will have to write up an exception this year related to risk assessment documentation.

Eliminate the Guesswork (and Annoying Work) with BALLAST

At LBMC Information Security, we’ve had years of experience working alongside IT professionals through the risk assessment and audit process. We’ve seen the challenges firsthand. Seeing all the work IT pros had to do in order to pull together risk management artifacts is one of the primary reasons we created BALLAST.

With BALLAST, we wanted to make the IT audit process more enjoyable by helping you:

  • Provide IT auditors with the exact information they need based on your business and industry.
  • Avoid expensive security technologies that really don’t address actual risks.
  • Justify additional resources (human and technical) to mitigate actual areas of weakness.
  • Ensure great program visibility to executive stakeholders.
  • Enhance the security of your organization.
  • Achieve compliance with important standards, and, in some industries, regulatory mandates.

In the end, we wanted to use our experience to develop an easy way to eliminate the guesswork…and annoying work…of IT audits.

Take a free product tour and learn more about how BALLAST can help you manage the risk assessment process.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA, PCI, and HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and SOC 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.