A risk assessment goes beyond running a vulnerability scan and creating a prepackaged report. A risk assessment is a holistic examination of your security infrastructure, technology, people, and processes to develop a list of organizational risks based on potential business impacts. Whoa! Let’s examine that last sentence.
We’re going to look at:
- What is the likelihood of this threat occurring to this asset?
- What would the impact to the organization be if this asset were compromised, from the standpoint of confidentiality, integrity, or availability?
- What safeguards are in place to reduce the likelihood or impact of the threat to this asset?
- What are the weaknesses of the asset or of the safeguard?
Why do it? The answer varies by organization.
- It may be required of your organization in order to comply with laws and regulations that affect you.
- For executive management, it creates one holistic view and facilitates “buy-in” between executive management and other departments about which controls to implement and which to avoid. It eliminates ad hoc decision making about which controls to implement.
- For the operations and IT staff, it defines risk in a standardized and reproducible manner, allowing the organization to select controls without over-controlling or under-controlling the information assets being protected.
Most organizations learn a lot about themselves by going through a risk assessment. They learn a lot about their business, which assets are really important, and which risks they need to eliminate, which they need to implement controls for, and which, in some cases, they may simply accept.
Sr. Account Executive