5 steps to conducting a content risk assessment

From the government and healthcare organizations to Fortune 500 companies and small businesses, no one is exempt from threats of a security breach. More than 554 million data records were lost or stolen in the first half of 2016, a dramatic increase of 31% more breaches compared with the previous six months, research shows.¹

Many organizations now realize they have little insight into their level of risk in this area and are reactively trying to understand where their data resides and how to control it. After a breach is the wrong time to find out.

We don’t know what we don’t know

What information poses the greatest risk? This is a murky issue. Even for areas of known risk, such as email, there is often no consistent plan to address the exposure. To make matters worse, in today’s world of information explosion, new data is created, shared and stored daily — both on premise and in the cloud.

Methods for storing this information are often unmanaged and inconsistent. The challenge lies not only in enforcing compliance with policies for content storage and usage, but in running a discovery or audit.

The purpose of a content risk assessment

The key to conquering content risk is having consistent, structured methods to identify, evaluate and prioritize areas of risk. Done properly, a content risk assessment can help you proactively plan for new or emerging media types, use proven methods that account for future growth and help ensure new sources do not corrupt systems or expose the enterprise.

The end result is knowledge and understanding of your risk, a plan to manage critical areas, and more overall clarity around information-driven processes across key business areas.

5 steps to conducting a risk assessment

1. Uncover critical risk and exposure: Successful content risk management starts with determining which high-risk content is also exposed.

2. Ask risk-based questions: To identify high-risk content, ask questions such as: Is it personally identifiable information? Credit card information? Personal health information? Is it HIPAA-related? Is it commonly retrieved for audits (FDA, SEC, FERC, OSHA)? Does the content qualify as intellectual property?

3. Build evaluation results into a quadrant heat map: A heat map can function as a dashboard to show your current state and allow you to monitor your progress. On one axis, your heat map shows level of risk, and the other it shows your level of exposure.

4. Prioritize areas of highest risk: Once this map is built, you have a clearer vision of high-risk areas. Use the assessment to develop a roadmap of high priority activities and define a mitigation plan for critical risk areas.

5. Align strategy with results: With your enterprise content risk assessment in place, you are well positioned to address the high risk areas and put in place a plan to manage critical areas.

With this, you have more clarity around information and processes across key business areas — and you are now truly in charge of your critical information assets.