Risk assessment is an important activity in protecting the critical assets without which your business would suffer or cease to exist. It helps you identify the most important assets and their associated risks, and lets you focus on those risks that really matter to your business.
Every organization handles critical information and information processing facilities to perform its day-to-day activities. Security (preserving the confidentiality, integrity and availability) of these critical assets is essential for its smooth functioning. Risk assessment helps you identify the risks to these critical assets and hence formulate the overall protection strategy.
Before going into the details of risk assessment, let us go through a few terms and definitions.
Asset: Anything that has value to the organization. Assets can be categorized as information assets, software assets, hardware assets, people, company image and reputation, and services.
Information Security: Preservation of confidentiality, integrity and availability of information.
Control: The means of managing risk - a safeguard or countermeasure.
Threat: A potential cause of an unwanted incident. For example, a spammer or a cracker is a threat.
Vulnerability: A weakness of an asset that can be exploited by one or more threats. If your servers aren't appropriately patched, that is a vulnerability.
Risk: A combination of the probability of an event and its consequence.
The first step in risk assessment is to define the scope: whether the assessment is conducted for the entire organization or is limited to a department, or even a subsection. Then a risk assessment team is created to conduct the assessment. The team should include representatives from all the functional areas within the scope.
The risk assessment team then lists out all information assets. Threats to these assets are identified next, along with the vulnerabilities that could be exploited.
The next step is to analyze and evaluate the risks. The impact to the organization that might result from security failures of the assets is assessed. The level of risk is estimated taking into account the business impact and the realistic likelihood of occurrence of such security failures.
After estimating the risks to all the important assets, it's time to determine whether each risk is acceptable or requires risk treatment to mitigate it. This decision is based on the risk acceptance criteria established by the organization. Possible risk treatment options include applying security controls, transferring the risk to other parties such as insurers, or knowingly and objectively accepting the risk.
Success of the Risk Assessment depends on selecting and customizing the methodology that suits your business, competencies of the risk assessment team, and commitment and support from the top management.
After completing the risk assessment, an assessment report containing all the critical assets, the possible risks to those assets and the mitigation strategies is submitted to top management. Based on the risk assessment report, management can prioritize and initiate the implementation of appropriate security controls.
The steps mentioned above are an overview of how to conduct a risk assessment.
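The steps above can be turned into a small risk register that scores each asset/threat/vulnerability triple, ranks the results, compares them with the acceptance criteria and records the chosen treatment. The following is an added example, not code from the original article or from any of the methodologies it cites; the three-level weights (likelihood 0.1/0.5/1.0, impact 10/50/100 and the resulting low/medium/high bands) follow the scheme described in the 2002 edition of NIST SP 800-30, while the asset register, the acceptance criterion ("only low risks are accepted") and the default treatment mapping are assumptions constructed for the example.

```python
"""Minimal risk register: estimate risk as likelihood x impact, decide
accept/treat per the acceptance criterion, and re-estimate residual risk
after a control is applied."""
from dataclasses import dataclass, replace

# Three-level scales with the numeric weights used in NIST SP 800-30 (2002).
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_level(score: float) -> str:
    """Map a likelihood x impact score onto the SP 800-30 risk bands."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # realistic likelihood that the threat exploits the vulnerability
    impact: str      # business impact if it does

    def score(self) -> float:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        return risk_level(self.score())


# Risk acceptance criterion (assumption for this example): only low risks are accepted.
ACCEPTABLE_LEVELS = frozenset({"low"})

# The treatment options named in the text. Which one applies is a management
# decision, so this mapping is only a default suggestion (assumption).
DEFAULT_TREATMENT = {
    "high": "apply security controls",
    "medium": "apply controls or transfer the risk (e.g. insurance)",
    "low": "accept",
}


def evaluate(register, acceptable=ACCEPTABLE_LEVELS):
    """Rank risks highest first and decide accept/treat for each one.

    Returns a list of (risk, level, decision, suggested treatment) tuples."""
    rows = []
    for risk in sorted(register, key=lambda r: r.score(), reverse=True):
        level = risk.level()
        decision = "accept" if level in acceptable else "treat"
        rows.append((risk, level, decision, DEFAULT_TREATMENT[level]))
    return rows


def residual_risk(risk: Risk, likelihood_after_control: str) -> Risk:
    """Re-estimate a risk after a control lowers its likelihood (impact unchanged)."""
    return replace(risk, likelihood=likelihood_after_control)


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "external attacker", "unpatched web server", "high", "high"),
    Risk("mail server", "spammer", "open relay misconfiguration", "medium", "medium"),
    Risk("company website", "defacement", "weak admin password", "high", "medium"),
    Risk("internal wiki", "accidental deletion", "no backups", "medium", "low"),
]

if __name__ == "__main__":
    for risk, level, decision, treatment in evaluate(REGISTER):
        print(f"{risk.asset:18} {risk.score():6.1f} {level:7} {decision:7} {treatment}")
    # Patching the web server drops the likelihood to low: 0.1 x 100 = 10 -> "low".
    patched = residual_risk(REGISTER[0], "low")
    print("residual after patching:", patched.score(), patched.level())
```

Running the block ranks the customer database first (score 100, high) and the internal wiki last (score 5, low, accepted); the residual-risk call shows how the same scale is reused later to check whether a control actually brought a risk inside the acceptance criterion, which is the periodic re-assessment the article describes.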
There are proven methodologies available for conducting risk assessment. The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) methodology is very effective and has been tailored for both small and large organizations. Extensive documentation and risk assessment templates and worksheets are available for download at:
NIST SP 800-30 (Risk Management Guide for Information Technology Systems) provides guidelines for conducting risk assessment. Apart from methodologies that are free to download, there are paid standards such as ISO/IEC TR 13335-3, which discuss risk assessment methodologies.
Risk assessment is the first step in the overall protection framework. It is the planning phase, where you identify potential risks and formulate plans to mitigate them. Once the plans are formulated, the next step is to implement them and then monitor their effectiveness. It is a continual process: risk assessment needs to be conducted periodically to address emerging security threats and to assess the effectiveness of existing security controls.
Further reading and reference:
NIST SP 800-30: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
About The Author
Vishnu Ram holds an MTech in Communication Systems from IIT Madras. He joined Bobcares in 2003 and has been working for Poornam since then. He is currently the Information Security Manager of the company. His areas of interest are performance tuning, server monitoring, and security. In his spare time, Vishnu practices karate, reads books or listens to music.