A security risk assessment is an assessment of the information security risks posed by the applications and technologies an organization develops and uses.

An important part of enterprise risk management, the security risk assessment process involves identifying potential threats to information systems, devices, applications, and networks; conducting a risk analysis for each identified risk; and pinpointing security controls to mitigate or avoid these threats.

Risk assessment models typically involve these elements:

  • Identifying the organization’s critical technology assets as well as the sensitive data those devices create, store, or transmit
  • Creating a risk profile for each asset
  • Assessing cybersecurity risks for all critical assets
  • Mapping all critical assets’ interconnections
  • Prioritizing which assets to address after an IT security breach
  • Developing a mitigation plan with security controls for each risk
  • Preventing or minimizing attacks and vulnerabilities
  • Monitoring risks, threats, and vulnerabilities on an ongoing basis.

Security risk assessments are important not just for cybersecurity but also for regulatory compliance. The Sarbanes-Oxley Act (SOX) and the Health Information Portability and Accountability Act (HIPAA) requires periodic security risk assessments. The National Institute of Standards and Technology’s (NIST) Special Publication 800-53, Guide for Conducting Risk Assessments, provides a framework for the risk assessment process.