Risk Profile and Security Maturity
Every product is classified into risk categories based on factors such as the types and volume of data it processes, the state of its technology, the markets it operates in, and the threats we observe through our intelligence services.
The first step in the SSA is to complete the "risk profile". We sometimes call this "inherent risk": the risk that exists before any controls are applied, which we cannot wholly mitigate or reduce because it is inherent to a particular market or activity. For example, a system processing financial data has a different risk profile from one processing health information. We also look at the categories and volume of data, and at technological factors such as whether the system is deployed in a cloud environment.
Based on its risk profile and other factors, each product is assigned a minimum Security Maturity tier. This ensures a floor on the level of security that is proportionate to the general or "inherent" risk of operating the system; the tier is a minimum, and the product's own risk assessment may still require more.
The inherent risk is assessed first so that the team carries this understanding through the rest of the SSA, before arriving at the risk assessment at the very end.