Information Security Risk Assessment Basics
The risk assessment process:
- Project Definition
  - Project scope
    - Budget
    - Objective
    - Assets
    - Controls
    - Boundaries
- Project Preparation
  - Team preparation
    - Select team
    - Introduce team
  - Project preparation
    - Obtain permission
    - Review business mission
    - Identify critical applications
    - Map assets
    - Identify threats
    - Determine expected controls
- Data Gathering
  - Administration
    - Policy review
    - Procedure review
    - Training review
    - Organization review
    - Interviews
    - Observation
  - Technical
    - Design review
    - Configuration review
    - Architectural review
    - Security testing
  - Physical
    - Policy review
    - Procedure review
    - Observation
    - Inspection
- Risk Analysis
  - Determine risk
    - Asset valuation
    - Threat and vulnerability mapping
    - Calculate risk
    - Create risk statements
    - Obtain team consensus
- Risk Mitigation
  - Safeguard selection
    - Safeguard cost
    - Safeguard effectiveness
    - Solution sets
  - Recommendations
    - Risk recommendation
    - Risk acceptance
    - Risk mitigation
    - Risk assignment
- Documentation
  - Executive summary
  - Report
  - Appendices
  - Presentation
Phase 1: Project Definition is discussed more in Chapter 3. Phase 2: Project Preparation is discussed more in Chapter 4. Phase 3: Data Gathering is discussed more in Chapter 5.
Phase 4: Risk Analysis
The risk analysis phase involves a review of the data gathered and an analysis of the resulting risk to the organization. Several elements of the risk analysis phase are considered key concepts within security risk assessments: assets, threats, vulnerabilities, and security risk.
Assets are the information and resources that have value to an organization. Assets are important to risk assessments because the enumeration of assets helps scope the assessment, and the valuation of assets helps determine which countermeasures are worth deploying.
Threat agents are the entities that cause threats to occur, and identifying them helps scope which vulnerabilities of the system being assessed actually matter. Threat agents include nature, employees, malicious hackers, industrial spies, and foreign government spies. Threats include errors and omissions, fraud and theft, sabotage, loss of physical and infrastructure support, espionage, malicious code, and disclosure.
A vulnerability is a flaw or oversight in an existing control that a threat agent may be able to exploit. Vulnerabilities are important elements of a security risk assessment because they are instrumental in determining both existing and residual risk.
Security risk is the loss potential to an organization's assets that will likely occur if a threat is able to exploit a vulnerability. Security risk can be expressed either quantitatively or qualitatively. A quantitative calculation relies on specific formulas: it is objective and stated in dollar terms, but the calculations are complex and accurate input values (asset values, loss magnitudes, frequencies) are difficult to obtain. A qualitative calculation relies on subjective ratings: it is easy to understand, but some in management may not trust it.
Phase 5: Risk Mitigation
The risk mitigation phase depends on safeguard selection and residual risk.
A safeguard is a technique, activity, or technology employed to reduce the risk to the organization's assets. A safeguard may prevent, detect, or minimize the potential loss to an organization's assets. Safeguards are classified as preventive (stop or deter an attack before it causes loss), detective (indicate that an attack has happened), or corrective (repair the damage caused by an attack).
Residual security risk is the risk that remains after the recommended safeguards are implemented. Residual risk is either static (the risk exists regardless of controls) or dynamic (the risk can be reduced further through additional controls).
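The following is an added example, not taken from the page or the book it summarizes, showing how the risk analysis and risk mitigation phases above can be carried through in code for a small set of risk statements. It assumes the standard annualized-loss formulas (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence, net benefit = ALE reduction minus the safeguard's annual cost) as the "specific formulas" of a quantitative assessment, a 3x3 likelihood/impact matrix as the qualitative rating, and treats a safeguard's effectiveness as the ARO or EF that remains once it is in place; the asset values, factors and safeguard costs are constructed sample data.

```python
"""Quantitative and qualitative risk calculation plus safeguard cost/effectiveness.
Assumed model (not stated on the page): SLE = AV * EF, ALE = SLE * ARO,
net benefit = ALE reduction - annual safeguard cost. All figures are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed qualitative scale


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    asset_value: float      # AV, from the asset valuation step (dollars)
    exposure_factor: float  # EF, fraction of AV lost per occurrence (0..1)
    annual_rate: float      # ARO, expected occurrences per year
    likelihood: str         # qualitative inputs for the matrix
    impact: str

    def sle(self) -> float:
        """Single loss expectancy: dollars lost in one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by yearly frequency."""
        return self.sle() * self.annual_rate

    def qualitative(self) -> str:
        """Likelihood x impact matrix: 1-2 low, 3-4 medium, 6-9 high."""
        score = LEVEL[self.likelihood] * LEVEL[self.impact]
        return "high" if score >= 6 else "medium" if score >= 3 else "low"

    def statement(self) -> str:
        """Risk statement in the form the report would carry."""
        return (f"{self.rid}: {self.qualitative()} risk that {self.threat} exploits "
                f"{self.vulnerability} on {self.asset}; expected annual loss "
                f"${self.ale():,.0f}.")


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # Effectiveness: per risk id, the ARO (preventive control) and/or EF
    # (corrective control) that remain once the safeguard is in place.
    effect: dict[str, dict[str, float]] = field(default_factory=dict)

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains after this safeguard (residual risk)."""
        change = self.effect.get(risk.rid, {})
        return Risk(risk.rid, risk.asset, risk.threat, risk.vulnerability,
                    risk.asset_value,
                    change.get("ef", risk.exposure_factor),
                    change.get("aro", risk.annual_rate),
                    risk.likelihood, risk.impact)


def total_ale(risks: list[Risk]) -> float:
    return sum(r.ale() for r in risks)


def residual_ale(safeguard: Safeguard, risks: list[Risk]) -> float:
    return total_ale([safeguard.residual(r) for r in risks])


def net_benefit(safeguard: Safeguard, risks: list[Risk]) -> float:
    """ALE reduction minus the safeguard's own annual cost. Negative means the
    safeguard costs more per year than the loss it prevents."""
    return total_ale(risks) - residual_ale(safeguard, risks) - safeguard.annual_cost


def resolution(safeguard: Safeguard, risks: list[Risk]) -> str:
    """Recommendation: reduce the risk with this safeguard, or leave the
    residual for senior management to accept or transfer."""
    return "reduce" if net_benefit(safeguard, risks) > 0 else "accept or transfer"


# Constructed sample data: three risk statements and two candidate safeguards.
SAMPLE_RISKS = [
    Risk("R1", "customer database", "a malicious hacker", "an unpatched web application",
         500_000, 0.4, 0.5, "high", "high"),
    Risk("R2", "file server", "loss of power", "the absence of a UPS",
         50_000, 0.1, 2.0, "high", "low"),
    Risk("R3", "HR records", "employee error", "unrestricted outbound e-mail",
         200_000, 0.05, 1.0, "medium", "medium"),
]
PATCHING = Safeguard("web application patch management", 30_000, {"R1": {"aro": 0.1}})
UPS = Safeguard("uninterruptible power supply", 12_000, {"R2": {"aro": 0.5}})

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(r.statement())
    for s in (PATCHING, UPS):
        print(f"{s.name}: net benefit ${net_benefit(s, SAMPLE_RISKS):,.0f} -> {resolution(s, SAMPLE_RISKS)}")
```

With these sample figures, patch management removes 80,000 dollars of annual loss for 30,000 dollars a year and is recommended, while the UPS removes 7,500 dollars of annual loss for 12,000 dollars a year, so that residual risk is left for management to accept or transfer rather than reduce; the qualitative rating in each statement is what gets presented when the dollar inputs are too uncertain to defend.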
Phase 6: Risk Reporting and Resolution
The final report should provide clear information for executive, management, and technical personnel.
Risk resolution is the decision by senior management on how to resolve the risk presented to them:
- Risk reduction - the reduction of risk to an acceptable level through the adoption of additional controls or the improvement of existing controls.
- Risk acceptance - the deliberate decision by senior management to accept an identified risk based on business objectives.
- Risk transference - the contractual transfer of risk to another organization through outsourcing or insurance.