WEEKLY SECURITY PLANNER

Week 20: Beginning the dreaded risk assessment


by Shelley Bard, CISSP
04.29.2004
Rating: 4.62 (out of 5)




When
Once a year

Why
Risk assessment is the process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line. Risk assessment is used to identify appropriate and cost-effective countermeasures. Some benefits of risk assessments are:

--Increasing awareness: Discussing security can raise the general level of interest and concern.

--Identifying assets: Systematic analysis produces a comprehensive list of assets and vulnerabilities.

--Improving basis for decisions: Costly systems aren't necessary to protect some data; other data or systems, however, may be so vital they should be protected at almost any cost. Knowledge gained from risk analysis enables you to make cost-effective decisions.

--Justifying expenditures: Risk assessment enables you to identify areas that may need security improvements, helping to justify security expenditures.

--Contributing information: You may need this information for other reports derived from requirements in GLBA, Sarbanes-Oxley, FISMA, your audit team, your annual report, etc.

Strategy
The risk assessment isn't hard -- it's just very detailed and time-intensive. Some panic because they're afraid they're going to leave out something important. Here is where the Information Security Protection Matrix can be used. Risk management, like your policy, addresses security for each block in this Matrix.

These 10 steps are the risk assessment process in a nutshell -- like any large problem, it needs to be broken down into smaller, more easily digested components:

1. Establish boundaries/scope
2. Build team
3. Identify the methodology (quantitative, qualitative, both)
4. Identify assets and assign value
5. Identify threats
6. Determine vulnerabilities
7. Identify current countermeasures
8. Estimate likelihood of exploitation
9. Estimate expected loss
10. Publish report

Some argue that establishing boundaries and scope may be the most important step, so you know what you are assessing and when to stop; otherwise, you may be doing someone else's job. Next week we will examine in more detail the first two steps in the risk assessment process.
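The column lists the steps but does not show the arithmetic behind steps 4 through 9, so here is an added worked example (mine, not the author's) that runs a small quantitative pass over a constructed asset register. It uses the standard annualized-loss-expectancy method (SLE = asset value x exposure factor, ALE = SLE x ARO), which the column does not spell out, and it also scores each proposed countermeasure so the report shows when a control is not worth its cost, which is the point made above about not protecting some data with costly systems. Every asset, threat, value, rate and control below is hypothetical sample data.

```python
"""Quantitative worked example for steps 4 to 9 of the process above.

Added illustration, not the column's own material. Uses the standard
annualized-loss-expectancy arithmetic (SLE = asset value x exposure factor,
ALE = SLE x ARO). All values, rates and costs are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # step 4: value assigned to the asset, in currency units


@dataclass(frozen=True)
class Threat:
    ident: str              # short key that countermeasures refer to
    asset: str              # Asset.name this threat/vulnerability pair applies to
    description: str        # steps 5 and 6: the threat and the vulnerability it uses
    exposure_factor: float  # fraction of the asset's value lost per occurrence, 0..1
    aro: float              # step 8: annualized rate of occurrence (events per year)


@dataclass(frozen=True)
class Countermeasure:
    threat: str             # Threat.ident it mitigates (step 7: current or proposed)
    description: str
    annual_cost: float
    aro_after: float        # estimated ARO once the control is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Loss from a single occurrence: SLE = asset value x exposure factor."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Step 9: expected loss per year, ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def expected_losses(assets: list[Asset], threats: list[Threat]) -> dict[str, float]:
    """ALE for every threat, keyed by Threat.ident."""
    values = {a.name: a.value for a in assets}
    return {
        t.ident: annualized_loss_expectancy(
            single_loss_expectancy(values[t.asset], t.exposure_factor), t.aro)
        for t in threats
    }


def countermeasure_net_benefit(assets: list[Asset], threats: list[Threat],
                               control: Countermeasure) -> float:
    """ALE avoided by the control minus its annual cost; positive means it pays for itself."""
    values = {a.name: a.value for a in assets}
    threat = next(t for t in threats if t.ident == control.threat)
    sle = single_loss_expectancy(values[threat.asset], threat.exposure_factor)
    avoided = (annualized_loss_expectancy(sle, threat.aro)
               - annualized_loss_expectancy(sle, control.aro_after))
    return avoided - control.annual_cost


def risk_report(assets, threats, controls):
    """Input for step 10: one row per threat, highest ALE first, naming the
    control with the best net benefit when one pays for itself, else None."""
    ales = expected_losses(assets, threats)
    rows = []
    for t in sorted(threats, key=lambda x: ales[x.ident], reverse=True):
        scored = [(countermeasure_net_benefit(assets, threats, c), c)
                  for c in controls if c.threat == t.ident]
        best = max(scored, default=None, key=lambda pair: pair[0])
        recommended = best[1].description if best and best[0] > 0 else None
        rows.append((t.ident, ales[t.ident], recommended))
    return rows


# Constructed sample data for a hypothetical organization.
ASSETS = [Asset("customer database", 500_000.0), Asset("public web server", 50_000.0)]
THREATS = [
    Threat("sqli", "customer database",
           "SQL injection through an unpatched web application", 0.5, 0.5),
    Threat("deface", "public web server",
           "site defacement through weak administrative credentials", 0.25, 2.0),
]
CONTROLS = [
    Countermeasure("sqli", "web application firewall plus monthly patching", 30_000.0, 0.125),
    Countermeasure("deface", "commercial file-integrity monitoring suite", 25_000.0, 0.5),
]

if __name__ == "__main__":
    for ident, ale, recommended in risk_report(ASSETS, THREATS, CONTROLS):
        print(f"{ident:8s} ALE={ale:>10,.0f}  recommend: {recommended or 'accept/monitor'}")
```

With the sample figures the database threat carries an ALE of 125,000 and the proposed control nets 63,750 a year after its own cost, while the defacement control costs more than the loss it avoids and so is not recommended; the report ranks threats by ALE, which is the "basis for decisions" the Why section describes. The `list[...]` and `dict[...]` annotations need Python 3.9 or later.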

More information
See if your organization has already done a risk assessment and when. Locate all of the documentation you can about your organization's key information. I'll discuss how to use it next week.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Configuration Management (CM)
Next week: Risk assessment steps 1 and 2 -- Establishing boundaries/team building
