
What steps are involved in assessing risk?

In this identity management and access control Ask the Expert Q&A, SearchSecurity's resident expert reviews the processes involved when conducting a risk assessment.

What steps are involved in assessing risk?

Risk assessment is a complex topic beyond the scope of these few paragraphs, but it is at the heart of information security.

In order to secure a system, you must determine the level of risk to it. The higher the level of risk, the more protection it needs. You don't want to spend your information security budget protecting a low-risk system; you want to spend it on high-risk systems, for example those that house sensitive customer data or handle financial transactions. While this may sound like common sense, few organizations adequately assess IT risk. They end up indiscriminately squandering their budgets and resources, under-protecting their most sensitive IT assets and over-protecting those of low value.

Roughly, risk assessment consists of reviewing three things about your IT infrastructure: threats, vulnerabilities and risk. For example, the threat could be a hacker gaining access to a database housing your customer information. The vulnerability is that the database is outdated and doesn't have the latest security patches installed. The risk, therefore, might be high because the system is unpatched, sits on an unprotected network without a firewall and is connected directly to the Internet.

This scenario is highly improbable in a company that has an experienced information security staff, but it still proves a point. Since we know the risk is high and very likely to occur, we know we need mitigating controls. We've assessed the risk and know where and how to secure our vulnerable IT asset. In this case, the risk assessment tells us to first patch the server, block the firewall ports accessing the server and sever its connection to the Internet.
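The database scenario above, worked through as a small qualitative risk model. This is an added example, not code from the page or from SearchSecurity; the likelihood-times-impact scoring, the 1-5 scales, the weakness weights and the control names are all constructed assumptions for illustration (in the spirit of NIST SP 800-30), not figures from the answer.

```python
"""Worked qualitative risk assessment for the unpatched-database scenario.
Scales, weights and thresholds are constructed for illustration only."""
from dataclasses import dataclass

# Constructed weights: how much each weakness raises the likelihood that the
# threat (an attacker reaching the customer database) is realised.
LIKELIHOOD_WEIGHT = {"unpatched": 3, "no_firewall": 2, "internet_facing": 1}
# Constructed names for the control that removes each weakness.
CONTROL_FOR = {"unpatched": "apply security patches",
               "no_firewall": "block ports at the firewall",
               "internet_facing": "sever direct Internet connection"}

@dataclass
class Asset:
    name: str
    impact: int                        # 1 (low value) .. 5 (customer/financial data)
    weaknesses: frozenset = frozenset()

def likelihood(weaknesses):
    """1..5: baseline 1 plus the weight of every present weakness, capped at 5."""
    return min(5, 1 + sum(LIKELIHOOD_WEIGHT.get(w, 0) for w in weaknesses))

def risk_score(asset, mitigated=frozenset()):
    """Residual risk (likelihood x impact) after the weaknesses in `mitigated` are fixed."""
    return likelihood(asset.weaknesses - mitigated) * asset.impact

def risk_level(score):
    return "high" if score >= 12 else "medium" if score >= 6 else "low"

def prioritize(assets):
    """Highest-risk assets first: this is where the budget should go."""
    return sorted(assets, key=risk_score, reverse=True)

def mitigation_plan(asset):
    """Greedy plan: at each step fix the weakness that cuts residual risk the most."""
    fixed, plan = set(), []
    while fixed != set(asset.weaknesses):
        best = min(sorted(asset.weaknesses - fixed),
                   key=lambda w: risk_score(asset, fixed | {w}))
        fixed.add(best)
        plan.append((CONTROL_FOR[best], risk_score(asset, fixed)))
    return plan

if __name__ == "__main__":
    customer_db = Asset("customer database", 5,
                        frozenset({"unpatched", "no_firewall", "internet_facing"}))
    intranet_wiki = Asset("intranet wiki", 1, frozenset({"unpatched"}))
    for a in prioritize([customer_db, intranet_wiki]):
        print(f"{a.name}: {risk_score(a)} ({risk_level(risk_score(a))})")
    for control, residual in mitigation_plan(customer_db):
        print(f"  after '{control}': residual risk {residual}")
```

For the constructed weights the greedy plan reproduces the order the answer gives (patch, then firewall, then disconnect) and shows residual risk falling from high to low only once all three controls are in place.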

Keep in mind, it's not just about IT risks and securing servers and Web sites. Compromised IT systems can result in loss of data, outages and malicious use, all of which can damage a business's reputation or worse.

For more information on risk assessments, visit the National Institute of Standards and Technology Web site at http://csrc.nist.gov. Their Computer Security Resource Center contains risk assessment methodologies widely used and recommended by information security professionals.

This was first published in July 2006.
