The most frequent question we hear from clients who want to develop or tighten their data privacy and security policies and procedures: Where do we start?
In most cases, the first step for the group charged with this task is to understand the organization’s "information risk." This means, in short, examining what information the company has, the nature of that information, how it moves through the organization and to/from its vendors, and the company’s current set of safeguards. The process for gaining this understanding is generally referred to as a risk assessment.
Risk assessments come in many forms and should be designed to fit your particular organization.