Week 20: Beginning the dreaded risk assessment

Once a year

Risk assessment is the process of analyzing threats to and vulnerabilities of an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line. Risk assessment is used to identify appropriate and cost-effective countermeasures. Some benefits of risk assessments are:

--Increasing awareness: Discussing security can raise the general level of interest and concern.

--Identifying assets: Systematic analysis produces a comprehensive list of assets and vulnerabilities.

--Improving basis for decisions: Costly systems aren't necessary to protect some data; other data or systems, however, may be so vital they should be protected at almost any cost. Knowledge gained from risk analysis enables you to make cost-effective decisions.

--Justifying expenditures: Risk assessment enables you to identify areas that may need security improvements, helping to justify security expenditures.

--Contributing information: You may need this information for other reports derived from requirements in GLBA, Sarbanes-Oxley, FISMA, your audit team, your annual report, etc.

The risk assessment isn't hard -- it's just very detailed and time-intensive. Some panic because they're afraid they're going to leave out something important. Here is where the Information Security Protection Matrix can be used. Risk management, like your policy, addresses security for each block in this Matrix.

These 10 steps are the risk assessment process in a nutshell -- like any large problem, it needs to be broken down into smaller, more easily digested components:

1. Establish boundaries/scope
2. Build team
3. Identify the methodology (quantitative, qualitative, both)
4. Identify assets and assign value
5. Identify threats
6. Determine vulnerabilities
7. Identify current countermeasures
8. Estimate likelihood of exploitation
9. Estimate expected loss
10. Publish report
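As an added worked example (not code from the column or its author), the following Python script carries steps 4, 7, 8 and 9 through the standard quantitative method that a risk team typically chooses at step 3: single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x annualized rate of occurrence), and the cost-benefit test that a countermeasure is justified when the ALE it removes exceeds what it costs each year. The column does not prescribe these formulas; they are an assumption about what "quantitative" means here. Every asset, threat, value, rate and control cost in the register is a constructed sample, and the `Risk`, `Countermeasure` and helper names are this example's own.

```python
"""Minimal quantitative risk register (added example, not the column's code).

Implements the standard SLE / ARO / ALE arithmetic and a simple
safeguard cost-benefit test. All figures below are constructed samples.
"""
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Countermeasure:
    """Step 7: a candidate (or existing) control and its effect."""
    name: str
    annual_cost: float               # recurring cost to run the control
    aro_after: float                 # expected incidents per year with it in place
    ef_after: Optional[float] = None # exposure factor with it in place (None = unchanged)


@dataclass
class Risk:
    """One row of the register: asset, threat, vulnerability and estimates."""
    asset: str
    asset_value: float               # step 4: value assigned to the asset
    threat: str                      # step 5
    vulnerability: str               # step 6
    exposure_factor: float           # fraction of asset value lost per incident, 0..1
    aro: float                       # step 8: annualized rate of occurrence
    countermeasure: Optional[Countermeasure] = None

    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Step 9: annualized loss expectancy without the countermeasure."""
        return self.sle() * self.aro

    def ale_with_control(self) -> float:
        """ALE if the candidate countermeasure were in place."""
        cm = self.countermeasure
        if cm is None:
            return self.ale()
        ef = self.exposure_factor if cm.ef_after is None else cm.ef_after
        return self.asset_value * ef * cm.aro_after

    def control_net_benefit(self) -> Optional[float]:
        """ALE removed by the control minus its annual cost; > 0 means it pays."""
        cm = self.countermeasure
        if cm is None:
            return None
        return self.ale() - self.ale_with_control() - cm.annual_cost


def build_sample_register() -> List[Risk]:
    """Constructed sample data; not taken from any real assessment."""
    return [
        Risk("customer database", 500_000.0, "external intrusion",
             "unpatched web server", exposure_factor=0.4, aro=0.5,
             countermeasure=Countermeasure("patch management and WAF", 30_000.0, aro_after=0.1)),
        Risk("e-mail server", 80_000.0, "hardware failure",
             "single server, no spare", exposure_factor=0.5, aro=0.2,
             countermeasure=Countermeasure("redundant server", 15_000.0, aro_after=0.05)),
        Risk("laptop fleet", 120_000.0, "theft",
             "unencrypted disks", exposure_factor=0.1, aro=2.0,
             # encryption does not stop theft (ARO unchanged) but shrinks what is lost
             countermeasure=Countermeasure("full-disk encryption", 5_000.0, aro_after=2.0, ef_after=0.02)),
    ]


def rank_by_ale(register: List[Risk]) -> List[str]:
    """Assets ordered by expected annual loss, highest first (what to treat first)."""
    return [r.asset for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


def cost_effective_controls(register: List[Risk]) -> List[str]:
    """Names of countermeasures whose yearly benefit exceeds their yearly cost."""
    out = []
    for r in register:
        nb = r.control_net_benefit()
        if nb is not None and nb > 0:
            out.append(r.countermeasure.name)
    return out


def report(register: List[Risk]) -> str:
    """Step 10: a plain-text table suitable for pasting into the written report."""
    lines = [f"{'asset':<18}{'SLE':>12}{'ARO':>7}{'ALE':>12}{'ALE w/ctl':>12}{'net benefit':>13}"]
    for r in register:
        nb = r.control_net_benefit()
        lines.append(f"{r.asset:<18}{r.sle():>12,.0f}{r.aro:>7.2f}{r.ale():>12,.0f}"
                     f"{r.ale_with_control():>12,.0f}{(nb if nb is not None else 0):>13,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    reg = build_sample_register()
    print(report(reg))
    print("treat first:", rank_by_ale(reg))
    print("justified controls:", cost_effective_controls(reg))
```

The register makes the column's point about cost-effective decisions concrete: the redundant e-mail server removes only about 6,000 a year of expected loss but costs 15,000, so on these numbers it is not justified, while the much cheaper laptop encryption is. The same skeleton works for a qualitative methodology by replacing the dollar fields with ordinal likelihood and impact scores and ranking on their product.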

Some argue that establishing boundaries and scope may be the most important step, so you know what you are assessing and when to stop; otherwise, you may be doing someone else's job. Next week we will examine in more detail the first two steps in the risk assessment process.

More information
See if your organization has already done a risk assessment and when. Locate all of the documentation you can about your organization's key information. I'll discuss how to use it next week.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Configuration Management (CM)
Next week: Risk assessment steps 1 and 2 -- Establishing boundaries/team building

This was first published in April 2004
