October 21, 2010

Risk assessment in an information security management system

More and more nowadays, businesses of all sizes are opting to implement an information security management system (ISMS). This is the set of policies to manage the security of an organisation's information assets. Central to any such system is a risk assessment. This is a formal evaluation of all the risks applying to the organisation's information assets, together with a ranking of those risks according to the probability and estimated impact on the business. An example of a risk assessment procedure for information security is as follows:

  • Create a list of all the information assets and assess their value to the organisation.
  • Brainstorm all the possible threats that could apply to the assets: e.g. contact details could be destroyed by a catastrophic disk failure on the PC where they are stored.
  • For each asset, outline its vulnerability to each threat (e.g. information stored on a PC is more vulnerable to a disk failure than information stored on a server).
  • Evaluate the impact on the business: e.g. loss of client contact details could lead to termination of a contract or of the business. The impact can be estimated quantitatively (in terms of e.g. money lost) or qualitatively (in terms of e.g. broad categories such as "negligible", "moderate", "catastrophic").
  • Assign a probability to this risk (fairly high, in this case).

Map these findings into a risk matrix, showing the probability graphed against the impact, for each risk. The set of all risk matrices is the "risk register", which is the outcome of the risk assessment process.

The outcome of the risk assessment will then drive the subsequent process of risk treatment, whereby each risk identified is either treated (in order to reduce it) or ignored but noted (if it is small enough to be acceptable). Most risks will be treated in some way, using so-called "countermeasures" to do one or more of the following:

  • Decrease the probability of the threat materialising in the first place.
  • Decrease the potential impact on the business in case the threat does materialise.
  • Minimise the time and resources needed to recover from the situation.

The countermeasures (or "controls") are measures or equipment installed to pre-emptively reduce the risk. For example, a business might implement a regular backup of all data, and would specify a new operating procedure to cover this, together with the necessary technology to carry out the backup.
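The assessment steps above (asset, threat, impact, probability, risk matrix, risk register) and the treatment step (accept or apply controls) can be carried through in code. The following is an added example, not part of the original article: the five-level qualitative scales, the score thresholds for the "low"/"medium"/"high" cells of the matrix, the sample risks and the effect assigned to each control are all constructed for illustration, and a real ISMS would define its own.

```python
"""Toy ISMS risk register: scoring, ranking, risk matrix and residual risk after controls.

Scales, thresholds, sample risks and control effects are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Ordered qualitative scales; position + 1 is the numeric level (constructed scales).
PROBABILITY_LEVELS = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT_LEVELS = ["negligible", "minor", "moderate", "major", "catastrophic"]


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: str   # one of PROBABILITY_LEVELS
    impact: str        # one of IMPACT_LEVELS


@dataclass(frozen=True)
class Control:
    name: str
    probability_reduction: int = 0  # levels subtracted from the probability scale
    impact_reduction: int = 0       # levels subtracted from the impact scale


def level(scale, name):
    return scale.index(name) + 1


def score(risk):
    """Probability x impact on the two 1..5 scales, giving 1..25."""
    return level(PROBABILITY_LEVELS, risk.probability) * level(IMPACT_LEVELS, risk.impact)


def rating(risk):
    """Bucket the score into the cells of a 5x5 risk matrix (constructed thresholds)."""
    s = score(risk)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def build_register(risks):
    """The risk register: every assessed risk ranked by score, highest first."""
    return sorted(risks, key=score, reverse=True)


def risk_matrix(risks):
    """Group risks by their (probability, impact) cell, i.e. the matrix the article describes."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.probability, r.impact)].append(f"{r.asset}: {r.threat}")
    return dict(cells)


def apply_control(risk, control):
    """Residual risk after a countermeasure; a level never drops below the lowest one."""
    p = max(1, level(PROBABILITY_LEVELS, risk.probability) - control.probability_reduction)
    i = max(1, level(IMPACT_LEVELS, risk.impact) - control.impact_reduction)
    return replace(risk, probability=PROBABILITY_LEVELS[p - 1], impact=IMPACT_LEVELS[i - 1])


def treatment_plan(risks, controls, acceptable="low"):
    """Per risk: accept (but note) it if already acceptable, else apply the mapped controls."""
    plan = []
    for r in build_register(risks):
        if rating(r) == acceptable:
            plan.append((r, "accept", r))
            continue
        residual = r
        for c in controls.get((r.asset, r.threat), []):
            residual = apply_control(residual, c)
        plan.append((r, "treat", residual))
    return plan


# Constructed sample register, following the article's own examples.
SAMPLE_RISKS = [
    Risk("client contact details (on a PC)", "disk failure", "likely", "major"),
    Risk("client contact details (on a server)", "disk failure", "unlikely", "major"),
    Risk("system configuration knowledge", "administrator leaves", "possible", "major"),
    Risk("office printer", "theft", "unlikely", "negligible"),
]

# Constructed controls and the (assumed) number of levels each one removes.
SAMPLE_CONTROLS = {
    ("client contact details (on a PC)", "disk failure"): [
        Control("nightly backup with restore test", impact_reduction=2),
        Control("move the data to the server", probability_reduction=2),
    ],
    ("client contact details (on a server)", "disk failure"): [
        Control("nightly backup with restore test", impact_reduction=2),
    ],
    ("system configuration knowledge", "administrator leaves"): [
        Control("documented procedures and a trained deputy", impact_reduction=2),
    ],
}

if __name__ == "__main__":
    for before, decision, after in treatment_plan(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{rating(before):6} {score(before):2} {decision:6} -> "
              f"{rating(after):6} {score(after):2}  {before.asset} / {before.threat}")
```

Running it ranks the PC-stored contact details highest (likely x major = 16, "high"); the backup control lowers the impact to "minor" and moving the data to the server lowers the probability to "unlikely", leaving a residual score of 4, while the printer theft is already "low" and is accepted and noted rather than treated.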

This was a very simple example of what might be involved in a risk assessment for information security. However, it is not only data or equipment that might be compromised: people as well can be seen as relevant assets. For example, if your systems administrator is lured away to a rival company, you might find the business no longer has anyone who knows how to configure the computer system. This type of risk also needs to be managed.

Source: http://www.articlesbase.com/security-articles/risk-assessment-in-an-information-security-management-system-3061301.html