When should Security Risk Assessments be Performed?

Security risk assessments should be performed whenever a risk is perceived in the organization that has not been previously assessed. A risk assessment should also be performed whenever an existing risk changes for any reason other than the implementation of a mitigating control.

A need for security risk assessments may become evident during:

  • An audit
  • Strategic planning
  • Project planning
  • Business planning
  • Annual business reviews

Security risk assessments should be performed under any of the following circumstances:

  • If a risk assessment of any systems or applications has never been done.
  • Anytime a new system is being developed. At a minimum, the risk assessment is done at both the start and the end of the project: before major design work is complete, and again during the testing phase just prior to production.
  • Anytime a currently operating system is being upgraded with significant new features. This includes when the project, or the application(s) associated with it, is modified enough to add, remove, or change data such that the data's sensitivity and security requirements may change. The risk assessment should be done early, prior to major design, and again before the changes are implemented in production.
  • A new system is being purchased from a vendor or will be operated through a vendor.
  • A risk is perceived that has not been previously assessed.
  • When the security classification of the data used on the system is changed.
  • In any case, a risk assessment should be performed or reviewed no less often than every two years.