Identity Theft Risk Analysis
Identity theft risk analysis is a major component of a risk management program, and it takes into consideration threats, internal controls, and impact. Companies periodically perform risk assessments to identify recurring and new business risks that are not yet known to management and must be addressed. Risks that have previously been identified through a variety of means, such as internal discussions, communications and observations as well as formal risk assessments by internal and external parties, are either addressed by management through an action plan, transferred to third parties such as liability insurance companies, or ignored by management, requiring no risk reduction action. Risks that management has already addressed through risk reduction activities should therefore not even appear in the new risk assessment results unless the threat has evolved or the controls have been reduced, eliminated, or bypassed and ignored.
Specific identity theft risk analysis is especially important to organizations where large volumes of customer personal information are collected, maintained, shared and retained. This type of specific risk assessment is very focused and often attempts to address a very specific risk or comply with regulatory requirements. For example, US companies that maintain consumer financial or health information must perform privacy risk assessments under the provisions of GLBA and HIPAA respectively. Organizations identified under the Red Flags Rule must also perform specific and periodic identity theft risk analysis in order to update their identity theft prevention program.
Any risk assessment takes into consideration threats, internal controls, and impact to identify risks. For example, an identity theft risk analysis may identify document theft as a possible threat. Such threats are rated for occurrence probability, and that rating is reflected in the final risk rating. For simplicity's sake, let's say that document theft by an internal employee is rated 10 on a possible scale of 1 to 10. In this scenario, we continue the process and assess the controls for this threat that can prevent and detect it. If our assessment determines that there are no controls to counter the threat, such as a locked office door or cameras for monitoring, which could reduce the threat rating, then we keep the threat rating at 10 and move to the impact analysis. At this point, I would like to state that the impact assessment and rating could have been combined with the threat assessment and rating; however, I purposefully decided to separate the impact from the threat in order to simplify the identity theft risk analysis process for this article. As we assess the impact of a stolen document, we add the impact rating to the threat rating to identify and report a final risk rating. If the impact is rated 5 on a possible scale of 1 to 10, we add this to the threat rating (10) minus the control rating (0) and reach a total risk rating of 15 out of a possible maximum of 20.
This risk rating process can be incorporated into the identity theft risk analysis process to make accept, ignore or transfer decisions and to prioritize the risk management action plan.
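The additive rating model described above (threat minus control reduction, plus impact, out of 20) applied to a small constructed threat register, as an added example that is not part of the original article. The register entries, the control-reduction values and the disposition thresholds (address via action plan / transfer / accept) are assumptions chosen to illustrate the prioritization step, not figures from the article.

```python
from dataclasses import dataclass

THREAT_MAX = 10   # occurrence probability scale, 1..10 (as in the article)
IMPACT_MAX = 10   # impact scale, 1..10 (as in the article)
RISK_MAX = THREAT_MAX + IMPACT_MAX   # 20, the article's maximum risk rating


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int          # 1..10 occurrence probability rating
    control_reduction: int   # 0..likelihood: how much existing controls lower the threat
    impact: int              # 1..10 impact rating


def risk_rating(t: Threat) -> int:
    """Risk = (threat - control) + impact, per the article's model. Validates scales."""
    if not 1 <= t.likelihood <= THREAT_MAX:
        raise ValueError(f"{t.name}: likelihood must be 1..{THREAT_MAX}")
    if not 1 <= t.impact <= IMPACT_MAX:
        raise ValueError(f"{t.name}: impact must be 1..{IMPACT_MAX}")
    if not 0 <= t.control_reduction <= t.likelihood:
        raise ValueError(f"{t.name}: controls cannot reduce a threat below 0")
    return (t.likelihood - t.control_reduction) + t.impact


def disposition(rating: int, address_at: int = 12, transfer_at: int = 8) -> str:
    """Map a rating to a management decision. Thresholds are assumptions, not the article's."""
    if rating >= address_at:
        return "address via action plan"
    if rating >= transfer_at:
        return "transfer (e.g. insurance)"
    return "accept"


def prioritize(register: list[Threat]) -> list[tuple[str, int, str]]:
    """Return (name, rating, disposition) sorted highest risk first for the action plan."""
    scored = [(risk_rating(t), t) for t in register]
    scored.sort(key=lambda rt: (-rt[0], rt[1].name))
    return [(t.name, r, disposition(r)) for r, t in scored]


# Constructed sample register; the first entry reproduces the article's worked case.
REGISTER = [
    Threat("document theft by internal employee (no controls)", 10, 0, 5),
    Threat("document theft by internal employee (locked door + CCTV)", 10, 6, 5),
    Threat("customer statement mailed to wrong address", 4, 1, 3),
]

if __name__ == "__main__":
    for name, rating, decision in prioritize(REGISTER):
        print(f"{rating:2d}/{RISK_MAX}  {decision:26s}  {name}")
```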
Visit Identity Management Institute for identity theft risk analysis training and compliance solutions.