Friday, July 16, 2010

Risk Assessment

Risk management, or really risk mitigation, is a relatively new discipline, but one that has real value if handled properly.  The goal of managing risk is to ensure that the confidentiality, availability and integrity of your assets remain intact regardless of the situation.  The fundamental first step is a risk analysis that thoroughly identifies all of the risks, without turning a blind eye to anything.  There are many aspects to performing a risk analysis for your assets, and one of the most widely used methods that captures those aspects in a meaningful way is a qualitative risk assessment. This method is scenario driven, and ranks both the seriousness of risks and the sensitivity of assets into easy-to-understand classes or grades.


Score    Damage       Trigger Time        Potential Impact
High     Critical     Minutes to Hours    Loss of life, failure of business, legal charges
Medium   Disruptive   Hours to Days       Bad PR, loss of customers, loss of prestige, loss of income
Low      Moderate     Days to Weeks       Requires workaround, reduction in output

It is important to assign a subjective assessment of risk to specific assets.  To do this, a group should participate in the process, and the person responsible for maintaining the asset should be involved. This can be conducted through meetings, brainstorming sessions or a thorough questionnaire that can help protect anonymity and therefore enable complete openness. 

Basic steps for performing an assessment should include:
1.  List all of the organization's critical assets in a spreadsheet.
2.  Specify the threats and vulnerabilities for each asset.
3.  Develop a consistent exposure severity scale to cover all assets.
4.  Organize the list by priority, from the most critical asset to the least.
5.  Prioritize funds to mitigate risks based upon the critical nature of the asset and threat.
6.  Ensure that the assets achieve a much lower exposure.
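The six steps above can be carried out as a small risk register. The following is an added example written for this post, not code from the original; the assets, threats, mitigation costs, budget, rank values and grade thresholds are all constructed assumptions, while the High/Medium/Low grades follow the post's table. It builds the register (steps 1 and 2), scores every asset/threat pair on one scale (step 3), sorts it most critical first (step 4), funds mitigations in priority order (step 5) and re-scores the funded rows to confirm exposure actually dropped (step 6).

```python
"""Qualitative risk register for a six-step assessment.
Added example; all sample data below is constructed, not from the post."""
from dataclasses import dataclass, field

# Step 3: one consistent scale for every asset and threat.  The numeric
# ranks are an assumption; the High/Medium/Low grades match the post's table
# (Critical / Disruptive / Moderate damage).
RANK = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Threat:
    name: str
    vulnerability: str
    likelihood: str          # High / Medium / Low
    impact: str              # High / Medium / Low
    mitigation: str
    cost: int                # constructed, arbitrary currency units
    residual: tuple          # (likelihood, impact) once mitigation is in place


@dataclass
class Asset:
    name: str
    owner: str               # the person responsible for maintaining the asset
    sensitivity: str         # High / Medium / Low
    threats: list = field(default_factory=list)


@dataclass
class Entry:
    asset: Asset
    threat: Threat
    score: int
    grade: str


def exposure_score(sensitivity, likelihood, impact):
    """Product of the three ranks: 1 (all Low) up to 27 (all High)."""
    return RANK[sensitivity] * RANK[likelihood] * RANK[impact]


def exposure_grade(score):
    """Map a score back onto the High/Medium/Low classes (thresholds assumed)."""
    if score >= 12:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_register(assets):
    """Steps 1, 2 and 4: one row per asset/threat pair, most critical first."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            score = exposure_score(asset.sensitivity, threat.likelihood, threat.impact)
            rows.append(Entry(asset, threat, score, exposure_grade(score)))
    return sorted(rows, key=lambda e: e.score, reverse=True)


def allocate_budget(register, budget):
    """Step 5: fund mitigations in priority order.  A row whose mitigation does
    not fit the remaining budget is skipped so cheaper, lower-ranked items can
    still be addressed with what is left."""
    funded = []
    for entry in register:
        if entry.threat.cost <= budget:
            budget -= entry.threat.cost
            funded.append(entry)
    return funded, budget


def residual_report(register, funded):
    """Step 6: re-score funded rows with their residual likelihood/impact and
    confirm exposure dropped.  Returns {threat name: (before, after)}."""
    funded_names = {e.threat.name for e in funded}
    report = {}
    for entry in register:
        after = entry.score
        if entry.threat.name in funded_names:
            lik, imp = entry.threat.residual
            after = exposure_score(entry.asset.sensitivity, lik, imp)
            assert after < entry.score, f"{entry.threat.name}: no reduction"
        report[entry.threat.name] = (entry.score, after)
    return report


# Constructed sample register (not from the post).
SAMPLE_ASSETS = [
    Asset("Customer database", "DBA team", "High", [
        Threat("SQL injection", "unvalidated web form input", "High", "High",
               "parameterised queries + input validation", 40, ("Low", "Medium")),
        Threat("Backup tape loss", "unencrypted off-site backups", "Low", "High",
               "encrypt backup media", 15, ("Low", "Low")),
    ]),
    Asset("Marketing website", "Web team", "Medium", [
        Threat("Defacement", "outdated CMS plugins", "Medium", "Medium",
               "patch CMS, restrict admin interface", 10, ("Low", "Low")),
    ]),
    Asset("Office printer", "Facilities", "Low", [
        Threat("Firmware exploit", "unpatched firmware", "Medium", "Low",
               "apply vendor firmware update", 5, ("Low", "Low")),
    ]),
]


def run_assessment(assets=SAMPLE_ASSETS, budget=60):
    """Run all six steps and return (register, funded rows, unspent, report)."""
    register = build_register(assets)
    funded, left = allocate_budget(register, budget)
    return register, funded, left, residual_report(register, funded)


if __name__ == "__main__":
    register, funded, left, report = run_assessment()
    for e in register:
        print(f"{e.grade:6} {e.score:2}  {e.asset.name} / {e.threat.name}")
    print("funded:", [e.threat.name for e in funded], "unspent:", left)
    print("exposure before/after:", report)
```

With the constructed budget of 60, the register ranks the database injection threat first (27, High), funds it and the backup encryption, cannot afford the website patching with the 5 units left, and spends the remainder on the printer firmware. The `residual_report` assertion is the step 6 check: a funded mitigation whose residual score is not lower than the original is flagged rather than silently accepted.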

Often, it seems easier to handle events as they arise, since the frequency of negative events is very low and does not seem to justify the costs.  The value proposition here is to reduce the possibility of impact to the business. It is helpful to avoid such situations by understanding:
         -What is at risk
         -The value that is at risk
         -The kinds of threats that could occur and their annualized financial consequences
         -What can be done to reduce risks and the acceptable costs of doing so

Risk assessment also enables a strategic approach to risk management, and could produce critical decision support information when changes or upgrades to the existing infrastructure are being considered.  Only when the risks are fully understood can mitigation of risk take place.  It is possible to put in safeguards that can protect against more than one threat, but the best safeguards cannot be accurately chosen without careful analysis of the challenges and threats.
