Risk assessment is a complex topic beyond the scope of these few paragraphs, but it is at the heart of information security.
In order to secure a system, you must determine the level of risk to it. The higher the level of risk, the more protection it needs. You don't want to spend your information security budget on protecting a low-risk system; you want to spend it on high-risk systems, such as those that house sensitive customer data or handle financial transactions. While this may sound like common sense, few organizations adequately assess IT risk; instead they spread their budgets and resources indiscriminately, leaving their most sensitive IT assets poorly protected while over-protecting assets of low value.
Roughly, risk assessment consists of reviewing three pieces of your IT infrastructure: threats, vulnerabilities and risk. For example, the threat could be a hacker gaining access to a database housing your customer information. The vulnerability is that the database is outdated and doesn't have the latest security patches installed. Therefore, the risk might be high because the system is unpatched, sits on an unprotected network without a firewall and is connected directly to the Internet.
This scenario is highly improbable in a company that has an experienced information security staff, but it still proves a point. Since we know the risk is high and very likely to occur, we know we need mitigating controls. We've assessed the risk and know where and how to secure our vulnerable IT asset. In this case, the risk assessment tells us to first patch the server, block the firewall ports accessing the server and sever its connection to the Internet.
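The walk-through above (threat, vulnerability, resulting risk, then mitigating controls applied in priority order) can be expressed as a small risk register. The following Python is an added example written for this page, not code from the original article or from NIST: the three-level scale, the rule that each exposure weakness raises likelihood one level, the control catalogue with its relative costs, and the sample assets are all constructed assumptions chosen to mirror the unpatched, unfirewalled, Internet-connected database scenario, and the budget allocation simply funds controls on the highest-risk assets first.

```python
"""Constructed risk-register example (assumptions, not a NIST methodology)."""
from dataclasses import dataclass

# Qualitative scale assumed for both likelihood and business impact.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Assumed control catalogue, listed in the order the article applies them:
# (asset attribute that triggers the control, control description, relative cost).
CONTROLS = [
    ("unpatched", "apply missing security patches", 1),
    ("no_firewall", "put a firewall in front and block ports reaching the server", 3),
    ("internet_facing", "sever the direct Internet connection", 2),
]


@dataclass
class Asset:
    name: str
    impact: str               # business impact if compromised: low/moderate/high
    threat_likelihood: str    # how likely an attacker is to try: low/moderate/high
    unpatched: bool = False   # vulnerability flags from the assessment
    no_firewall: bool = False
    internet_facing: bool = False


def exposure(asset):
    """Number of weaknesses that make an attempted attack likely to succeed."""
    return sum(getattr(asset, attr) for attr, _, _ in CONTROLS)


def likelihood_level(asset):
    """Threat likelihood raised one level per exposure weakness, capped at high."""
    return min(3, LEVELS[asset.threat_likelihood] + exposure(asset))


def risk_score(asset):
    """Likelihood x impact on a 1..9 scale (a 3x3 risk matrix)."""
    return likelihood_level(asset) * LEVELS[asset.impact]


def risk_level(score):
    """Map a matrix score back to a qualitative level (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def recommended_controls(asset):
    """Mitigations for the weaknesses actually present, in catalogue order."""
    return [ctrl for attr, ctrl, _ in CONTROLS if getattr(asset, attr)]


def prioritize(assets):
    """Highest risk first; ties broken by how exposed the asset is."""
    return sorted(assets, key=lambda a: (risk_score(a), exposure(a)), reverse=True)


def allocate_budget(assets, budget):
    """Spend on the highest-risk assets first; return funded controls and leftover."""
    funded, remaining = [], budget
    for asset in prioritize(assets):
        for attr, ctrl, cost in CONTROLS:
            if getattr(asset, attr) and cost <= remaining:
                funded.append((asset.name, ctrl))
                remaining -= cost
    return funded, remaining


# Constructed sample inventory; the first entry is the article's database scenario.
SAMPLE_ASSETS = [
    Asset("customer-db", impact="high", threat_likelihood="moderate",
          unpatched=True, no_firewall=True, internet_facing=True),
    Asset("intranet-wiki", impact="low", threat_likelihood="low", unpatched=True),
    Asset("payment-gateway", impact="high", threat_likelihood="high",
          internet_facing=True),
]

if __name__ == "__main__":
    for asset in prioritize(SAMPLE_ASSETS):
        score = risk_score(asset)
        print(f"{asset.name:16} risk={score} ({risk_level(score)}) "
              f"controls={recommended_controls(asset)}")
    print("funded with budget 4:", allocate_budget(SAMPLE_ASSETS, 4))
```

With a budget of 4 units the register funds the patching and the firewall for the customer database and nothing else, which is the ordering the article arrives at by hand: the unpatched, Internet-connected database scores 9 (high), the payment gateway also scores 9 but has fewer exposure weaknesses, and the internal wiki scores 2 (low) and waits.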
Keep in mind, it's not just about IT risks and securing servers and Web sites. Compromised IT systems can result in loss of data, outages and malicious use, all of which can damage a business's reputation or worse.
For more information on risk assessments, visit the National Institute of Standards and Technology Web site at http://csrc.nist.gov. Their Computer Security Resource Center contains risk assessment methodologies widely used and recommended by information security professionals.
This was first published in July 2006