Comprehensive risk assessments cover a broad range of potential issues, from location security to infrastructure security to data security to the risks of employees misappropriating or damaging data or systems.
Physical Security Assessment
How easy is it for people to get physical access to your systems?
Do you have security at the entrances to the building?
Do you log visitors?
Are there security cameras in sensitive locations?
Do you have biometric locks on your server room?
Physical security assessments, including physical penetration testing, evaluate the ease with which a malicious actor can gain physical access to your critical systems.
IT Security Assessment
What is the state of your IT infrastructure? What network-level security protocols do you have in place? How are you ensuring compliance with shared security responsibilities in cloud services?
IT security assessments investigate the overall health of your IT infrastructure and communications pathways.
They identify broad system vulnerabilities that are not specific to particular applications or data storage facilities, as well as misconfiguration issues that frequently leave companies open to attack.
Data Security Assessment
Is company data subject to least privilege and/or zero trust access controls?
Do you use network segmentation to limit data access?
Do you have strong identity management processes?
Data security assessments consider the ease and breadth of access to corporate data.
They identify areas where companies should apply new controls to restrict access to data on an as-needed basis.
Application Security Assessment
Do company applications conform to security-by-design and privacy-by-design principles?
Have you performed white and black box testing of your applications?
Is application access subject to least privilege control?
Application security assessments consider application vulnerabilities at every level, from the code itself to who has access to the applications.
They allow companies to strengthen their applications and limit access to that needed for employees to perform their jobs.
Insider Threat Assessment
Many, if not most, attacks arise from insider threats. However, many companies do not realize that insider threats go beyond employees who are intentionally trying to steal information or damage systems.
First of all, insider threats are not limited to people. They can include unapproved hardware that is not subject to a BYOD policy. They can also include outdated hardware.
Insider threats also need not be intentional or malicious. Negligence and unintentional threats can cause just as much harm as intentional ones.
A perfect example is using “password” as your password.
An increasingly common insider threat that many companies do not recognize is the advanced persistent threat (APT).
APTs, which are often used by state-sponsored cybercriminals or corporate espionage professionals, are long-term, targeted intrusions into a network.
Often, careless or uninformed employees are the attack vector for an APT, with phishing emails being one of the most common ways attackers get access to company networks.
You may walk around your workplace to observe processes, operations and work activities. Look out for safety and health risks that could harm your employees or affect their health and well-being. You should consider the following hazard categories:
Hazard categories and examples:
Physical
- Fire
- Noise
- Ergonomics
- Heat
- Radiation
Mechanical
- Moving parts
- Rotating parts
Electrical
- Voltage
- Current
- Static charge
- Magnetic fields
Chemical
- Flammables
- Toxics
- Corrosives
- Reactive materials
Biological
- Pathogens
Psychosocial
- Mental stress and fatigue
- Remote or isolated work
You may need to provide additional considerations if you employ individuals who are more susceptible to work hazards. This includes individuals with medical issues or conditions, aged individuals and pregnant women. Also, you should consider the following work-related factors when identifying potential hazards:
Work-related factors and examples:
Proximity of hazardous activities to one another: employees doing assembly work next to noisy stamping machines may be exposed to excessive noise too.
Compatibility of work activities: hot work and spray painting are incompatible work activities. There is a fire risk if they are carried out near each other.
Non-routine work activities and situations: maintenance work and shut-down operations may introduce additional hazards that have not been identified as part of routine work activities.
Work environment: working outdoors during adverse environmental conditions such as haze may cause respiratory problems among employees.
Risk Control
After you've evaluated the risks of each hazard, you should take appropriate action to eliminate or minimise those risks. Reasonably practicable measures should be taken to protect people from harm.
You should select your risk control measures based on the Hierarchy of Control. Upstream risk controls (e.g. elimination, substitution and engineering controls) are more effective in reducing or controlling risk, and should be considered first.
Figure: Hierarchy of Control.
You should consider using a combination of control measures from the Hierarchy of Control as no single measure is usually sufficient to control the risk. For example, engineering controls need to be implemented together with administrative controls such as training and safe work procedures to address the hazard sufficiently.
Personal protective equipment (PPE) should be explored only after upstream risk controls have been considered, as a short-term contingency during emergency, maintenance, repair or as an additional protective measure against residual risks. The effectiveness of PPE depends greatly on whether it is chosen and fitted correctly, worn at all times and maintained properly.
For hazards that cannot be controlled immediately, interim control measures should be implemented while establishing longer term measures to reduce the risk level. Work should not start if the risk remains high.