Risk assessment is the process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line. Risk assessment is used to identify appropriate and cost-effective countermeasures. Some benefits of risk assessments are:
--Increasing awareness: Discussing security can raise the general level of interest and concern.
--Identifying assets: Systematic analysis produces a comprehensive list of assets and vulnerabilities.
--Improving the basis for decisions: Costly systems aren't necessary to protect some data; other data or systems, however, may be so vital they should be protected at almost any cost. Knowledge gained from risk analysis enables you to make cost-effective decisions.
--Justifying expenditures: Risk assessment enables you to identify areas that may need security improvements, helping to justify security expenditures.
--Contributing information: You may need this information for other reports derived from requirements in GLBA, Sarbanes-Oxley, FISMA, your audit team, your annual report, etc.
The risk assessment isn't hard -- it's just very detailed and time-intensive. Some panic because they're afraid they're going to leave out something important. Here is where the Information Security Protection Matrix can be used. Risk management, like your policy, addresses security for each block in this Matrix.
These 10 steps are the risk assessment process in a nutshell -- like any large problem, it needs to be broken down into smaller, more easily digested components:
1. Establish boundaries/scope
2. Build team
3. Identify the methodology (quantitative, qualitative, both)
4. Identify assets and assign value
5. Identify threats
6. Determine vulnerabilities
7. Identify current countermeasures
8. Estimate likelihood of exploitation
9. Estimate expected loss
10. Publish report
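As an added illustration of steps 8 and 9 (estimating likelihood and expected loss) and of how the result justifies expenditures, the following small risk register is example code written for this page, not part of the column. It assumes the standard quantitative formulas, which the column does not define: single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annual rate of occurrence (ARO), and a countermeasure is worth funding when the ALE it removes exceeds its yearly cost. All asset names, values, exposure factors and rates are constructed sample figures.

```python
"""Quantitative risk register: expected loss per asset/threat pair and
a cost-effectiveness check for each proposed countermeasure.

Assumed formulas (not defined in the column):
    SLE = asset_value * exposure_factor     single loss expectancy
    ALE = SLE * ARO                         annualized loss expectancy
    countermeasure value = ALE_before - ALE_after - annual_cost
All figures below are constructed sample data, not real assessments.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # step 4: value assigned to the asset
    exposure_factor: float  # fraction of the value lost in one incident, 0..1
    aro: float              # step 8: expected incidents per year
    countermeasure: str     # proposed control for step 7/9 comparison
    annual_cost: float      # yearly cost of the proposed countermeasure
    residual_aro: float     # expected incidents per year with it in place


def single_loss_expectancy(r: Risk) -> float:
    """Loss from a single occurrence of the threat."""
    return r.asset_value * r.exposure_factor


def annualized_loss_expectancy(r: Risk, aro: Optional[float] = None) -> float:
    """Step 9: expected yearly loss; pass aro to evaluate a different rate."""
    rate = r.aro if aro is None else aro
    return single_loss_expectancy(r) * rate


def countermeasure_value(r: Risk) -> float:
    """Net yearly benefit of the countermeasure.

    Negative means the control costs more per year than the loss it avoids,
    which is the 'protect at almost any cost' question answered in numbers.
    """
    before = annualized_loss_expectancy(r)
    after = annualized_loss_expectancy(r, r.residual_aro)
    return before - after - r.annual_cost


def rank_risks(register: List[Risk]) -> List[Risk]:
    """Highest expected yearly loss first, for the published report."""
    return sorted(register, key=annualized_loss_expectancy, reverse=True)


def cost_effective(register: List[Risk]) -> List[Risk]:
    """Risks whose proposed countermeasure pays for itself within a year."""
    return [r for r in register if countermeasure_value(r) > 0]


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Risk("customer database", "disclosure via lost backup tape",
         2_000_000, 0.5, 0.1, "encrypt backups", 20_000, 0.01),
    Risk("public web server", "defacement",
         50_000, 0.2, 2.0, "web application firewall", 30_000, 0.5),
    Risk("file server", "ransomware",
         400_000, 0.75, 0.5, "offline backups and EDR", 60_000, 0.1),
    Risk("lobby kiosk", "theft",
         3_000, 1.0, 0.2, "locking enclosure", 1_500, 0.05),
]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.asset:18} {r.threat:32} ALE={annualized_loss_expectancy(r):>10,.0f} "
              f"{r.countermeasure:26} net={countermeasure_value(r):>+10,.0f}")
```

Ranking by ALE puts the file server ahead of the customer database even though the database is worth far more, because the ransomware rate is higher; the web application firewall and the kiosk enclosure both come out with a negative net value, so the numbers argue against funding them at those prices.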
Some argue that establishing boundaries and scope may be the most important step, so you know what you are assessing and when to stop; otherwise, you may be doing someone else's job. Next week we will examine in more detail the first two steps in the risk assessment process.
See if your organization has already done a risk assessment and when. Locate all of the documentation you can about your organization's key information. I'll discuss how to use it next week.
About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:firstname.lastname@example.org.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.