Risk Assessment

  • Risk Assessment (RA) is the process of identifying threats and vulnerabilities, determining the probability of a threat exploiting a vulnerability, and quantifying or qualifying the loss if exploitation occurs.
  • Threat is any circumstance or event that has the potential to compromise confidentiality, integrity or availability.
    • Natural threats: floods, earthquakes, tornadoes
    • Human threats: unintentional acts, malicious software upload
    • Environmental threats: long-term power failure, pollution, chemicals, liquid leakage

Common Threats To Information Systems

  • Vulnerability is a weakness. It can be a weakness in the hardware, the software, the configuration, or the users operating the system (Examples: no badge reader at the entrance of the Data Center; laptops and desktops have outdated antivirus software).
  • Probability: the likelihood that a vulnerability will be exploited: High, Moderate or Low
  • Impact: High, Moderate or Low
  • Risk
    • Qualitative: High, Moderate, Low, Reputational, etc.
    • Quantitative: assign a dollar amount (financial loss)

Factors To Consider In Risk Level Determination

Risk Levels

Risk Assessment

  • Risk = Asset value × Threat × Vulnerability × Probability × Impact (quantitative or qualitative)
  • Risk Assessment (RA) is conducted through:
    • Examination
      • Review existing documents (policies, procedures, previous assessments, etc.)
      • Observation: observe the implementation of controls
      • Walkthrough: take a tour of a building and note how security controls are implemented
    • Interview
      • System owner, system administrators, developers, etc.
    • Testing
      • Test existing controls (e.g., attempt a failed login to confirm the control responds as intended)
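The following is an added example, not part of the original slides, that applies the formula above (Asset value × Threat × Vulnerability × Probability × Impact) to a small risk register in both of the forms the earlier slide lists: qualitatively, with the High/Moderate/Low levels, and quantitatively, as an expected dollar loss. The 1-3 weights for the levels, the thresholds that turn a score back into a level, the 0-1 factor scales and all sample findings (two of them reuse the slide's own examples) are constructed assumptions for illustration, not values from any real assessment.

```python
"""Score a constructed risk register with the slide's formula:

    Risk = Asset value x Threat x Vulnerability x Probability x Impact

Qualitative scoring multiplies High/Moderate/Low levels mapped to 1-3;
quantitative scoring multiplies a dollar asset value by 0-1 factors.
All weights, thresholds and sample values are assumptions for this example.
"""
from dataclasses import dataclass

# Assumed numeric weights for the levels used on the slides.
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}

# Assumed thresholds on the product of five 1-3 factors (range 1..243):
# 81 = 3^4, i.e. at least four factors rated High.
HIGH_THRESHOLD = 81
MODERATE_THRESHOLD = 12


@dataclass
class QualitativeFinding:
    vulnerability: str
    asset_value: str   # importance of the affected asset, as a level
    threat: str        # strength/likelihood of the threat source, as a level
    exposure: str      # severity of the vulnerability itself, as a level
    probability: str   # likelihood the vulnerability is exploited
    impact: str        # consequence if it is exploited


def qualitative_score(f: QualitativeFinding) -> int:
    """Product of the five factors, each mapped through LEVEL."""
    return (LEVEL[f.asset_value] * LEVEL[f.threat] * LEVEL[f.exposure]
            * LEVEL[f.probability] * LEVEL[f.impact])


def qualitative_level(score: int) -> str:
    """Map a product score back to the slide's High/Moderate/Low levels."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


@dataclass
class QuantitativeFinding:
    vulnerability: str
    asset_value_usd: float  # replacement value of the asset, in dollars
    threat: float           # likelihood a threat source acts, 0..1
    exposure: float         # likelihood the weakness can actually be exploited, 0..1
    probability: float      # probability of occurrence in the period assessed, 0..1
    impact: float           # fraction of the asset value lost per occurrence, 0..1


def expected_loss_usd(f: QuantitativeFinding) -> float:
    """Dollar form of the same formula; every non-asset factor must be in [0, 1]."""
    for name in ("threat", "exposure", "probability", "impact"):
        value = getattr(f, name)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {value}")
    return f.asset_value_usd * f.threat * f.exposure * f.probability * f.impact


def rank_register(findings, score_fn):
    """Order findings highest risk first so remediation can be prioritised."""
    return sorted(findings, key=score_fn, reverse=True)


# Constructed sample register (the first two reuse the slide's examples).
QUALITATIVE_REGISTER = [
    QualitativeFinding("No badge reader at the Data Center entrance",
                       "High", "High", "High", "Moderate", "High"),
    QualitativeFinding("Laptops and desktops have outdated antivirus",
                       "Moderate", "High", "Moderate", "Moderate", "Moderate"),
    QualitativeFinding("Visitor log kept on paper",
                       "Low", "Low", "Moderate", "Low", "Low"),
]

QUANTITATIVE_REGISTER = [
    QuantitativeFinding("No badge reader at the Data Center entrance",
                        2_000_000.0, 0.5, 0.8, 0.1, 0.25),
    QuantitativeFinding("Laptops and desktops have outdated antivirus",
                        150_000.0, 0.9, 0.6, 0.5, 0.2),
]

if __name__ == "__main__":
    print("Qualitative ranking:")
    for f in rank_register(QUALITATIVE_REGISTER, qualitative_score):
        s = qualitative_score(f)
        print(f"  {qualitative_level(s):8} score={s:3}  {f.vulnerability}")
    print("Quantitative ranking (expected loss):")
    for f in rank_register(QUANTITATIVE_REGISTER, expected_loss_usd):
        print(f"  ${expected_loss_usd(f):>10,.2f}  {f.vulnerability}")
```

The two scoring paths share one formula; what changes is only the scale of each factor, which is why a register should state up front which scale it uses so High/Moderate/Low ratings from different assessors are comparable.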