Risk assessment is a complex topic beyond the scope of these few paragraphs, but it is at the heart of information...
In order to secure a system, you must determine the level of risk to it. The higher the level of risk, the more protection it needs. You don't want to spend your information security budget protecting a low-risk system; you want to spend it on high-risk systems, such as those that house sensitive customer data or handle financial transactions. While this may sound like common sense, few organizations adequately assess IT risk, and they end up squandering their budgets and resources indiscriminately, underprotecting their most sensitive IT assets and overprotecting those of low value.
Roughly, risk assessment consists of examining three things for each piece of your IT infrastructure: the threats to it, its vulnerabilities and the resulting risk. For example, the threat could be a hacker gaining access to a database housing your customer information. The vulnerability is that the database is outdated and doesn't have the latest security patches installed. The risk, then, is high because the system is unpatched, sits on an unprotected network without a firewall and is connected directly to the Internet.
This scenario is highly improbable in a company that has an experienced information security staff, but it still makes the point. Since we know the risk is high and very likely to occur, we know we need mitigating controls. We've assessed the risk and know where and how to secure our vulnerable IT asset. In this case, the risk assessment tells us to first patch the server, block the firewall ports that reach the server and sever its connection to the Internet.
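The threat/vulnerability/risk reasoning above can be made concrete with a small scoring model. The following is an added illustration, not code from the original answer or from any NIST methodology: it rates each asset's likelihood of compromise from its exposure conditions (unpatched, no firewall, Internet-facing), multiplies by business impact, ranks the inventory, and then shows how much the three recommended controls (patch, firewall, cut the Internet link) lower the database's score. The 1-5 scale, the thresholds, and the inventory are constructed assumptions chosen only to show the prioritization logic.

```python
"""Toy risk scoring: risk = likelihood x impact, used to rank assets and to
measure how much a set of mitigations reduces residual risk.
Added example with constructed scales and inventory (not from the article)."""
from dataclasses import dataclass, replace

# Qualitative levels mapped to a constructed 1-5 scale.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str            # business impact if compromised, one of LEVELS
    unpatched: bool        # vulnerability: missing security patches
    firewalled: bool       # control: network filtering in front of the host
    internet_facing: bool  # exposure: reachable directly from the Internet


def likelihood(asset: Asset) -> int:
    """Likelihood that the threat (an attacker reaching the asset) succeeds.
    Starts at 'low'; each exposure condition raises it by one level (assumed)."""
    score = LEVELS["low"]
    if asset.unpatched:
        score += 1
    if not asset.firewalled:
        score += 1
    if asset.internet_facing:
        score += 1
    return min(score, LEVELS["very high"])


def risk_score(asset: Asset) -> int:
    """Risk as likelihood x impact on the constructed scale (max 25)."""
    return likelihood(asset) * LEVELS[asset.impact]


def risk_level(score: int) -> str:
    """Map a numeric score to a band (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def rank_assets(assets):
    """Highest-risk first: where the security budget should go first."""
    return sorted(assets, key=risk_score, reverse=True)


def apply_mitigations(asset: Asset) -> Asset:
    """The three controls the text recommends: patch, firewall, drop the
    direct Internet connection. Returns the asset with residual exposure."""
    return replace(asset, unpatched=False, firewalled=True, internet_facing=False)


def mitigation_benefit(asset: Asset) -> int:
    """Risk reduction obtained by applying the mitigations to this asset."""
    return risk_score(asset) - risk_score(apply_mitigations(asset))


# Constructed inventory: one system matching the article's scenario, plus two
# others to show that ranking differs from a simple impact ordering.
INVENTORY = [
    Asset("customer-db", "very high", unpatched=True, firewalled=False, internet_facing=True),
    Asset("payments-api", "very high", unpatched=False, firewalled=True, internet_facing=True),
    Asset("intranet-wiki", "low", unpatched=True, firewalled=True, internet_facing=False),
]


def report(assets):
    """Rows of (name, score, band, benefit of mitigating) in priority order."""
    return [
        (a.name, risk_score(a), risk_level(risk_score(a)), mitigation_benefit(a))
        for a in rank_assets(assets)
    ]


if __name__ == "__main__":
    for name, score, band, benefit in report(INVENTORY):
        print(f"{name:14} score={score:2} ({band}), mitigation reduces risk by {benefit}")
```

Running it ranks the unpatched, unfirewalled, Internet-facing customer database first (score 25, high) and shows that the three controls bring it down to 10 (moderate), while the same controls gain almost nothing on the low-value wiki. That gap is the point of the article: the assessment tells you where the spending actually buys down risk.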
Keep in mind that it's not just about IT risks and securing servers and Web sites. Compromised IT systems can result in loss of data, outages and malicious use, all of which can damage a business's reputation or worse.
For more information on risk assessments, visit the National Institute of Standards and Technology Web site at http://csrc.nist.gov. Its Computer Security Resource Center contains risk assessment methodologies widely used and recommended by information security professionals.
Related Q&A from Joel Dubin