Risk assessment methodology: Anatomy of the risk assessment process

A risk assessment will provide focused information about threats, how well you're protected against those threats and what's missing from your security program.

Risk assessments provide a detailed report on the current state of your enterprise's security posture and create a road map for correcting deficiencies.

They can be focused on specific aspects of your security infrastructure, such as the effectiveness of the protective measures around critical database servers; or they can be organization-wide evaluations, such as assessing the effectiveness of the overall security program.

In either case, the risk assessment has two basic parts: technical and policy/procedures.

Assessors often use methods such as penetration tests and vulnerability scans to measure the technical aspects of a security program. They'll measure how well your program patches vulnerable servers, maintains firewall rule sets and updates IDS signatures. They'll also show how easy or difficult it would be for a worm to infect your network or for a hacker to compromise data.

Assessors will measure your organization's compliance with its own security policy, as well as laws, regulations and industry standards. Your risk assessment should first determine if you're complying with the letter of the law and if you're aligned with the best practices at comparable organizations.

While internal security teams can perform a risk assessment, it's often prudent to contract an independent party to conduct the evaluation. Outside auditors bring their breadth of knowledge and experience from working with other companies. They're also unencumbered by company politics and are free to give an honest, unbiased assessment.

A risk assessment generally results in a written report and a management presentation. The report will detail findings and recommendations, providing management with information that can then be used to develop action plans and budgets and facilitate staffing and training needs.

This was first published in March 2004

Dig deeper on Enterprise Risk Management: Metrics and Assessments

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close