
Security Risk Assessment

Management How-To Guide

Information to perform the Security Risk Assessment (SRA)

The SRA is designed to get a comprehensive report of your overall level of risk and provide recommendations intended to lower those levels of risk.

Before you begin your risk assessment, here are a few Frequently Asked Questions you’ll want to look at:

Q: If I’m not 100% sure of my answer, does it matter?

A: The goal of a Security Risk Assessment is to analyze your organization for any security gaps or weaknesses that cybercriminals could exploit to access your network. It is in your best interest to be as thorough and accurate in your Risk Assessment responses as possible.

Q: I really don’t know how to answer this question. What if my information is inaccurate? 

A: Accurate information will enable our team to produce the most appropriate findings and recommendations on your Risk Assessment report. This will also allow for your organization to assess how we can better protect you and your business. Providing incorrect information will result in an inaccurate Risk Assessment which can lead to lost time and money on unnecessary recommendations. In addition, in the event of an audit situation, any information which cannot be fully supported in your Risk Assessment may result in additional penalties. Please contact us if you need any assistance with providing information or answering questions. 

Q: Do you share my answers with any other party? 

A: No, the information you provide in our portal is confidential and will not be shared with any other party. 

Steps to Performing your Security Risk Assessment (SRA)

Step 1: Using your Manager account credentials, log into the PII-Protect portal here. 

Note: Individuals registered as Employees will be unable to access the Security Risk Assessment and should be upgraded to Manager access.

Step 2: Once you log into the portal, click on the “My Company” application at the left. Then, select the “SRA” tab.

Step 3: It’s time to fill out the Organization Profile. Do this by selecting the Step 01 line for the Organization Profile.

  – Completing the Organization Profile is a way for you to give us information about your company, such as which systems contain Personally Identifiable Information (PII).

  – Once you have filled in all the necessary information in each tab, click save. (Note: there are a total of 6 sections [tabs] that must be completed.) Note: You can click save at any time to save the information you have entered and continue filling out the Organization Profile at a later time.

Step 4: Once you have completed the Organization Profile, the next step is to answer the Security Risk Assessment questions. To begin, click on the Step 02 line.

Note: If you are no longer in the Security Risk Assessment (SRA) section of the portal, you will need to return to this section to begin the questionnaire. 

Step 5: The Risk Assessment questionnaire asks specific questions on how you are currently protecting Personally Identifiable Information (PII). Each question has a detailed explanation to help you choose the appropriate answer. 

  – A completed question will be labeled with a green checkmark and incomplete questions will be left blank to illustrate that some questions have not yet been answered.

  – Once you have gone through each of the questions and ensured that a green checkmark appears on each question, click Submit.

Note: Similar to the Organization Profile, you can save your answers and pick back up where you left off at a later time.   

!! Important: All information must be filled out in the Organization Profile and all questions must be answered in order for us to complete your Risk Assessment. Please ensure that all required sections have been completed before marking your Risk Assessment complete.

Step 6 (optional): The next step in the Risk Assessment process is to upload any existing written Policies and Procedures that your organization may have. 

Note: To upload policies, click on the “Policies” tab. New Policies can be added here or in the “Other Policies” section using the dropdown.

  – Note: If you do not have any existing policies regarding how your organization protects PII (e.g. employee termination policy, data backup policy, disaster recovery procedure, etc.), this section can be skipped.

Step 7: The final step in the process is to let us know that you have finished entering all the information in each of the required sections by marking your Risk Assessment complete. 

  – From the Perform Risk Assessment section of the portal, select the Mark Complete slider in Step 04.

  – A pop-up will appear confirming that you wish to mark your Risk Assessment complete.

  – Click Agree.

After you have marked the Risk Assessment complete, we will receive notification that you have completed your portion of the Risk Assessment. We will then begin producing your Risk Assessment report and will notify you once it has been completed.

If you have any questions, feel free to use the Contact Us page within the portal in the “Edit Profile” section or with the ? at the bottom left. 

Updated on July 11, 2022
