Chapter 5

Formulating a Risk

Information in this Chapter

Introduction

Believe it or not, accurately describing the risk can be one of the hardest parts of any risk assessment. How many times have you had a so-called risk presented to you, such as “the file transfer between the client and application doesn’t use encryption” or “that vendor doesn’t have an independent audit function”? Are these really risks? Is it really as easy as stating the lack of a control and calling it a risk? In actuality, this is merely a clear sign of an unseasoned assessor. Risk assessments are about more than running through checklists of controls and identifying gaps. Likewise, a risk assessment needs to have more substance ...
