We have all seen the red, yellow, and green used on security risk assessments to indicate high, medium, and low levels of risk. It is common with DIY security risk assessment tools used to satisfy HIPAA compliance. It’s time to retire this methodology.
Information risk management has matured, and risk mitigation strategies are improving almost as fast as threats are evolving. A comprehensive security risk assessment will have hundreds of controls to evaluate. The resulting security risk assessment report and risk management plan will therefore have many items to consider for mitigation and may involve multiple people or departments. If a mitigation plan has dozens of high and medium vulnerabilities, it is difficult to prioritize what to do first: every "high" item looks the same as every other "high" item.
A better method is to use a point system, such as the one offered through the S2Score risk assessment tool. A numeric score for each control lets you put together a granular plan and associate resources and timelines with each control implementation. It also lets you measure your security efforts and show improvement based on daily activity, because the overall score moves as individual controls are completed.
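To make the contrast concrete, here is an added example (not the S2Score scoring method and not code from the original post) that scores a constructed set of controls two ways: a three-colour bucket and a granular point value. The likelihood-times-impact formula, the bucket thresholds, the control names and the effort figures are all hypothetical; the point is that the colour buckets leave several "red" items tied while the numeric score gives a strict work order and a posture percentage that rises as controls are implemented.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str         # control being evaluated (hypothetical names below)
    likelihood: int   # 1 (rare) .. 5 (almost certain) that the gap is exploited
    impact: int       # 1 (negligible) .. 5 (severe) consequence if it is
    effort_days: int  # estimated effort to implement the control


# Constructed sample of assessed controls; values are illustrative only.
SAMPLE_CONTROLS = [
    Control("MFA on remote access", 5, 5, 10),
    Control("Offsite backups tested", 4, 5, 15),
    Control("Endpoint patching SLA", 4, 4, 5),
    Control("Firewall rule review", 3, 4, 3),
    Control("Visitor sign-in log", 2, 2, 1),
    Control("Password policy documented", 3, 3, 2),
]


def risk_points(c: Control) -> int:
    """Granular score: likelihood x impact, giving a value from 1 to 25."""
    return c.likelihood * c.impact


def color_bucket(c: Control) -> str:
    """The traditional red/yellow/green rating derived from the same numbers.

    Thresholds are an assumption for this example.
    """
    pts = risk_points(c)
    if pts >= 15:
        return "red"
    if pts >= 8:
        return "yellow"
    return "green"


def tied_in_bucket(controls, bucket: str) -> list[str]:
    """Names of controls that share one colour and so cannot be ordered by it."""
    return [c.name for c in controls if color_bucket(c) == bucket]


def prioritized(controls) -> list[Control]:
    """Strict work order: most risk points first, ties broken by least effort."""
    return sorted(controls, key=lambda c: (-risk_points(c), c.effort_days, c.name))


def posture_score(controls, implemented: set[str]) -> float:
    """Percentage of total risk points remediated by the implemented controls.

    Re-running this after each completed control shows measurable improvement.
    """
    total = sum(risk_points(c) for c in controls)
    done = sum(risk_points(c) for c in controls if c.name in implemented)
    return round(100 * done / total, 1) if total else 100.0


if __name__ == "__main__":
    print("Tied as 'red':", tied_in_bucket(SAMPLE_CONTROLS, "red"))
    print("Work order by points:")
    for c in prioritized(SAMPLE_CONTROLS):
        print(f"  {risk_points(c):2d} pts  {c.effort_days:2d}d  {c.name}")
    done = {"MFA on remote access", "Endpoint patching SLA"}
    print("Posture after two controls:", posture_score(SAMPLE_CONTROLS, done), "%")
```

With the sample data three controls land in the same "red" bucket, so the colour alone gives no order; the point ranking places the 25-point MFA control first, then backups (20) and patching (16), and completing MFA and patching moves the posture score from 0% to 47.7% of total risk points remediated.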
There are many ways to utilize the S2Score tool. Organizations can conduct self-assessments for as little as $1,200. These can then be validated by a certified DueNorth analyst for an additional cost. There is also a free risk assessment estimator available HERE.