Maintain and update your risk and cybersecurity assessment
Cyber criminals are constantly enhancing and diversifying the tools and tactics they use to gain access to sensitive systems and data.
Your organization could fall victim to a cyberattack if you don’t fully understand the threats and risks or if you fall victim to myths like thinking you’re too small to be a target, your firewalls and antivirus are protection enough, or the use of outsourced or cloud providers eliminates your risk.
When you perform regular risk and cyber assessments, you gain the information necessary to make informed and effective risk management decisions.
- Update your risk assessment: It’s important to identify and periodically update the areas within and the types of risk assessment needed by your organization — and especially any required by regulatory or statutory expectations.
- Integrate reporting: Risk and cybersecurity assessment reporting should be integrated into key reports to senior management and the board of directors, as well as updated periodically (annually is recommended), so they can make informed decisions.
Use your assessment results to make risk management decisions: Effective risk management is possible only when you have risk and cybersecurity assessment results tailored to your organization and can make decisions using the guidance provided by your organization’s board-approved, mission-based risk appetite statements. This allows you to better decide whether to avoid, mitigate or hold specific risks.