
5 steps to conducting a content risk assessment

by David Gaffaney
 
From government and healthcare organizations to Fortune 500 companies and small businesses, no one is exempt from the threat of a security breach. More than 554 million data records were lost or stolen in the first half of 2016, a dramatic rise with 31% more breaches than in the previous six months, research shows.1

Many organizations now realize they have little insight into their level of risk in this area and are reactively trying to understand where their data resides and how to control it. After a breach is the wrong time to find out. 
 

In one media report after another, high-profile companies have suffered intellectual property leaks and breaches of employee and customer information, and have watched their reputations erode on social media, in some cases along with their stock price.

We don’t know what we don’t know

What information poses the greatest risk? This is a murky issue. Even for areas of known risk, such as email, there is often no consistent plan to address the exposure. To make matters worse, in today’s world of information explosion, new data is created, shared and stored daily, both on premises and in the cloud.

Methods for storing this information are often unmanaged and inconsistent. The challenge lies not only in enforcing compliance with policies for content storage and usage, but in running a discovery or audit. 
 

The purpose of a content risk assessment

The key to conquering content risk is having consistent, structured methods to identify, evaluate and prioritize areas of risk. Done properly, a content risk assessment can help you proactively plan for new or emerging media types, use proven methods that account for future growth and help ensure new sources do not corrupt systems or expose the enterprise.

The end result is knowledge and understanding of your risk, a plan to manage critical areas, and more overall clarity around information-driven processes across key business areas. 
 

5 steps to conducting a risk assessment

1. Uncover critical risk and exposure: Successful content risk management starts with determining which high-risk content is also exposed.

2. Ask risk-based questions: To identify high-risk content, ask questions such as: Is it personally identifiable information? Credit card information? Personal health information? Is it HIPAA-related? Is it commonly retrieved for audits (FDA, SEC, FERC, OSHA)? Does the content qualify as intellectual property?

3. Build evaluation results into a quadrant heat map: A heat map can function as a dashboard to show your current state and allow you to monitor your progress. On one axis, your heat map shows your level of risk, and on the other it shows your level of exposure.

4. Prioritize areas of highest risk: Once this map is built, you have a clearer vision of high-risk areas. Use the assessment to develop a roadmap of high priority activities and define a mitigation plan for critical risk areas.

5. Align strategy with results: With your enterprise content risk assessment in place, you are well positioned to address the high-risk areas and put in place a plan to manage critical areas.

With this, you have more clarity around information and processes across key business areas, and you are now truly in charge of your critical information assets.
 
David Gaffaney is a Ricoh Global Technology Advisor for Governance and Risk Compliance, with more than 25 years of experience in technology and strategic consulting. He develops governance strategies and ECM programs for organizations across industries, such as consumer energy, government, financial services, pharma / life sciences, insurance, consumer products and more.
 
 
1 Source: Gemalto 2016 Breach Level Index. http://breachlevelindex.com/assets/Breach-Level-Index-Report-H12016.pdf