
SCA and Its Place in Risk Management

Risk management comes in many shapes, sizes, frameworks, and implementations. How often a risk assessment is performed depends on the cost-benefit of performing the audit. Risk management is actually a simple idea with a complex methodology for achieving the goal: quantify the vulnerabilities to your business and document the action taken against each vulnerability. This is closely related to the idea of cost-benefit analysis, wherein not all vulnerabilities are equally likely to happen. Many tools and frameworks exist to assist with your risk management needs. Some of the more popular ones are the NIST Risk Management Framework (RMF), HITRUST, and the Standardized Control Assessment (SCA). Each of these risk frameworks is a guide that helps upper management decide where to allocate resources, purchase additional insurance, or upgrade technology.

There are also two types of risk assessments:

Qualitative Risk Management

A qualitative risk assessment is one wherein each vulnerability is assigned a relative value, making the assessment SUBJECTIVE. Typically, the values assigned are LOW, MEDIUM, HIGH, and CRITICAL, and they are recorded in a risk registry based on several criteria including but not limited to the probability of occurrence, the vulnerability's impact, and the available mitigating solutions. This type of risk assessment does not include raw numerical data and is typically easier to perform, as relative values are assigned to the various vulnerabilities.

Quantitative Risk Management

A quantitative risk assessment is an OBJECTIVE and more in-depth risk assessment in which historical data and trends are analyzed, resulting in a numerical cost-benefit calculation. Risk management project managers may determine, via historical trends or current information, the relative cost of a vulnerability that may occur. Performing this type of analysis uses certain key terms, explained below:

  • ALE: Annualized Loss Expectancy is the annual expected financial loss to an asset resulting from one specific threat.
  • SLE: Single Loss Expectancy is the expected financial loss from a single incident, calculated as the asset value (AV) multiplied by the exposure factor (EF). The SLE is coupled with the Annualized Rate of Occurrence (ARO) to produce the Annualized Loss Expectancy (ALE).
  • ARO: Annualized Rate of Occurrence is the number of times per year a threat to one single asset is estimated to occur.
  • EF: Exposure Factor is the probability that an event will occur and its likely magnitude, and equals the percentage of asset loss caused by the identified threat.
  • VaR: Value at Risk is a statistic that quantifies the extent of possible financial losses within a firm, portfolio, or position over a specific time frame.
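As an added example (not part of the original post), the following Python snippet builds a small quantitative risk register from the terms above, computing SLE = AV × EF and ALE = SLE × ARO for each risk and then ranking proposed controls by their net annual benefit (risk reduction minus control cost), which is the cost-benefit comparison the post describes. All asset values, exposure factors, occurrence rates and control costs are constructed sample data.

```python
# Added example: quantitative risk register using SLE, ALE and ARO.
# All figures below are constructed sample values, not real data.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO, expected incidents per year without the control
    control_cost: float     # annual cost of the proposed mitigating control
    residual_aro: float     # ARO expected once the control is in place

    def sle(self) -> float:
        # SLE = AV x EF: loss from a single incident
        return self.asset_value * self.exposure_factor

    def ale(self, aro: Optional[float] = None) -> float:
        # ALE = SLE x ARO; pass residual_aro to get the post-control ALE
        return self.sle() * (self.aro if aro is None else aro)

    def control_benefit(self) -> float:
        # Net annual benefit of the control: ALE reduction minus control cost.
        # Positive means the control pays for itself; negative suggests
        # accepting or transferring (insuring) the risk instead.
        return self.ale() - self.ale(self.residual_aro) - self.control_cost


def rank_controls(risks: List[Risk]) -> List[Tuple[str, float]]:
    """Return (risk name, net annual benefit) pairs, best control first."""
    ranked = sorted(risks, key=lambda r: r.control_benefit(), reverse=True)
    return [(r.name, round(r.control_benefit(), 2)) for r in ranked]


# Constructed sample register (hypothetical assets and estimates)
REGISTER = [
    Risk("Ransomware on file server", 500_000, 0.40, 0.5, 30_000, 0.1),
    Risk("Laptop theft", 5_000, 1.0, 4.0, 2_000, 2.0),
    Risk("Data center power outage", 1_000_000, 0.05, 0.25, 40_000, 0.05),
]

if __name__ == "__main__":
    for name, benefit in rank_controls(REGISTER):
        print(f"{name}: net annual benefit ${benefit:,.2f}")
```

The power outage control comes out negative, illustrating a case where the quantitative numbers point toward accepting or insuring the risk rather than spending on the control.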


Shared Assessments Standardized Control Assessment

The Santa Fe Group's Standardized Control Assessment is a risk management audit that can be used to plan, scope, and perform third-party risk assessments, verifying an entity's conformance with the standard and highlighting areas of improvement for continued viability. The Standardized Control Assessment takes industry best practices and applies risk management techniques to suppliers, vendors, and third-party service providers in an attempt to mitigate any threats to continued business. There are currently 18 risk domains that can be scoped to an organization's individual needs, such as:

  • Enterprise Risk Management
  • Security Policy
  • Organizational Security
  • Asset and Information Management
  • Human Resources Security
  • Physical and Environmental Security
  • IT Operations Management
  • Access Control
  • Application Security
  • Cybersecurity Incident Management
  • Operational Resilience
  • Compliance and Operational Risk
  • Endpoint Device Security
  • Network Security
  • Threat Management
  • Server Security
  • Cloud Hosting Services

The SCA is a qualitative risk assessment wherein the 18 risk domains are audited for policy, procedures, and processes to ensure that all areas are being addressed and appropriate information security governance is achieved. The SCA provides insight on threats that may not have previously been identified such as physical threats (energy/power requirements, ). The SCA observes major categories of risk that should be reviewed and agreed upon by management for continued operation.

Chapter 2 - Information Risk Management. In CISM Review Manual (15th ed., pp. 110–115).

Looking for a knowledgeable partner for your next audit?

MegaplanIT is an industry leader in risk management assessments designed to help your business achieve sustainable business processes and improve resiliency. We will always place your needs first by implementing industry best practices, delivering a custom assessment of the organization's largest risk areas, and helping you effectively remediate them. Our team's guidance, along with the SCA Report and tracking document deliverables, provides a standardized approach to collecting and reporting onsite assessment results. These assessments will assist your business in achieving sustainable business processes, making risk-based decisions, and improving cyber resiliency.

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!
