Introduction
Risk assessment is an intensive process that involves defining the nature of the risks an organization faces, where they are located, and how the identified risks can be mitigated so that the organization keeps operating smoothly. The risk assessor must identify every system, process, and individual within scope, together with the relevant vulnerabilities and threats (Pompon, 2016). Risk assessment considers every aspect of information security: environmental and physical, management and administrative, and technical measures.
Risk assessment methodologies
Asset Audit
This approach inventories the assets that belong to an organization and establishes whether each asset is sufficiently safeguarded. It is a straightforward, easy-to-use way of assessing risk because it gives owners and reviewers a direct method of identifying every information asset and its exposure. The individuals who take part in an asset audit gain a clear understanding of how information flows into and out of the system and of what is stored within it (Goncalves & Heda, 2013). That insight into the system and its information flows gives the reviewer a clearer picture of the nature and location of the risks.
Attack Trees
Attack trees provide a methodical way of describing a system's security in terms of how, by whom, why, when, and with what probability attacks could occur (Goncalves & Heda, 2013). The root node at the top of the tree represents the attacker's ultimate objective, and the branches and leaf nodes represent the different ways of achieving it. Intermediate nodes are conventionally marked as AND (every child step is required) or OR (any one child step suffices); once each leaf is annotated with an estimated cost or likelihood, the tree can be evaluated to find the cheapest or most probable attack and to see how a proposed control changes it.
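The following is an added example, not part of the original essay, showing how an attack tree of this kind is evaluated once its leaves carry attacker cost and success-probability estimates. The tree, the step names, and every cost and probability value are hypothetical illustration figures, and the `harden` function models a control by changing a single leaf's figures so the tree can be re-evaluated.

```python
"""Attack-tree evaluation: cheapest attack path and overall success probability.

Added example (not from the original essay). All node names, costs and
probabilities below are hypothetical illustration values, not measurements.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any child suffices)
    cost: float = 0.0       # attacker effort for a LEAF, arbitrary units (assumed)
    prob: float = 0.0       # chance a LEAF step succeeds when attempted (assumed)
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node) -> Tuple[float, List[str]]:
    """Return (total cost, leaf steps) of the attacker's cheapest way to reach `node`."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [cheapest_path(c) for c in node.children]
    if node.kind == "AND":                      # every child is required: costs add up
        return sum(c for c, _ in sub), [s for _, steps in sub for s in steps]
    return min(sub, key=lambda r: r[0])         # OR: attacker picks the cheapest alternative


def success_probability(node: Node) -> float:
    """Probability the goal is reached, assuming leaf steps succeed independently."""
    if node.kind == "LEAF":
        return node.prob
    ps = [success_probability(c) for c in node.children]
    if node.kind == "AND":                      # all steps must succeed
        p = 1.0
        for x in ps:
            p *= x
        return p
    fail_all = 1.0                              # OR fails only if every alternative fails
    for x in ps:
        fail_all *= 1.0 - x
    return 1.0 - fail_all


def harden(node: Node, leaf_name: str, new_cost: float, new_prob: float) -> bool:
    """Model a control by replacing one leaf's cost/probability. Returns True if the leaf was found."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost, node.prob = new_cost, new_prob
            return True
        return False
    return any(harden(c, leaf_name, new_cost, new_prob) for c in node.children)


def build_tree() -> Node:
    """Root goal with three alternative branches (hypothetical figures)."""
    return Node("Read customer database", "OR", children=[
        Node("Use stolen DB credentials", "AND", children=[
            Node("Obtain admin credentials", "OR", children=[
                Node("Phish admin", cost=2, prob=0.4),
                Node("Guess weak password", cost=1, prob=0.2),
            ]),
            Node("Reach DB from internet", cost=3, prob=0.5),
        ]),
        Node("Exploit SQL injection in web app", cost=6, prob=0.3),
        Node("Bribe DBA", cost=10, prob=0.1),
    ])


def hardened_tree() -> Node:
    """Same tree after a password policy with lockout makes guessing expensive and unlikely."""
    tree = build_tree()
    harden(tree, "Guess weak password", new_cost=8, new_prob=0.02)
    return tree


if __name__ == "__main__":
    for label, tree in (("before", build_tree()), ("after", hardened_tree())):
        cost, steps = cheapest_path(tree)
        print(f"{label}: cheapest attack costs {cost} via {steps}; "
              f"P(goal) = {success_probability(tree):.4f}")
```

Evaluating the tree before and after hardening shows the point of the method: raising the cost of password guessing does not remove the credential branch, it merely shifts the cheapest path to phishing, which tells the assessor where the next control belongs.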
Key approaches to identifying threats relevant to a particular organization
Software-Centric Approach
The software-centric approach starts from the system's design and is typically expressed through software architecture diagrams such as use case diagrams, data-flow diagrams, or component diagrams. It is the most widely used approach to threat modelling systems and networks, where it serves as the de facto standard for identifying threats (Pompon, 2016). Microsoft's Security Development Lifecycle (SDL) is a well-known example of a software-centric approach.
Asset-Centric approach
The asset-centric method starts by identifying the organization's assets that are entrusted to the software or system. Each asset is classified by the sensitivity of its data and its inherent value to a potential attacker so that risk levels can be ranked. Threats are then identified by building attack graphs, attack trees, or other representations of the patterns by which the asset could be attacked (Reavis, 2011). The approach also helps to identify multi-step attacks and the paths by which an attacker could reach the asset.
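As an added example (not from the original essay), the following code builds the kind of attack graph the asset-centric approach produces and enumerates the multi-step paths from an attacker's starting point to the asset. The graph, its hosts and the weakness labels on its edges are all constructed for illustration; `chokepoints` returns the weaknesses shared by every path, which is where a single remediation cuts the asset off entirely.

```python
"""Attack-graph path enumeration for an asset-centric threat assessment.

Added example (not from the original essay). The graph below is constructed
for illustration: nodes are positions an attacker can hold, and each edge is
labelled with the weakness that lets the attacker move along it.
"""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str]          # (next position, weakness exploited to get there)
Graph = Dict[str, List[Edge]]

# Constructed sample graph: the protected asset is "customer_db".
GRAPH: Graph = {
    "internet": [("web_server", "unpatched web framework"),
                 ("corp_lan", "password-only VPN")],
    "web_server": [("app_server", "shared service account")],
    "corp_lan": [("app_server", "flat internal network")],
    "app_server": [("customer_db", "DB credentials in config file")],
    "customer_db": [],
}


def attack_paths(graph: Graph, start: str, goal: str) -> List[List[str]]:
    """All simple paths from `start` to `goal`, each as the ordered weaknesses exploited."""
    paths: List[List[str]] = []

    def walk(position: str, visited: Set[str], steps: List[str]) -> None:
        if position == goal:
            paths.append(list(steps))
            return
        for nxt, weakness in graph.get(position, []):
            if nxt not in visited:                  # no cycles: each position at most once
                walk(nxt, visited | {nxt}, steps + [weakness])

    walk(start, {start}, [])
    return sorted(paths, key=len)                   # shortest (fewest steps) first


def chokepoints(paths: List[List[str]]) -> Set[str]:
    """Weaknesses present on every path: fixing any one of them severs the asset from the start."""
    if not paths:
        return set()
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    return common


def remediate(graph: Graph, weakness: str) -> Graph:
    """Copy of the graph with every edge that depends on `weakness` removed."""
    return {pos: [(n, w) for n, w in edges if w != weakness] for pos, edges in graph.items()}


if __name__ == "__main__":
    paths = attack_paths(GRAPH, "internet", "customer_db")
    for p in paths:
        print(" -> ".join(p))
    print("chokepoints:", chokepoints(paths))
    fixed = remediate(GRAPH, "DB credentials in config file")
    print("paths after remediation:", attack_paths(fixed, "internet", "customer_db"))
```

Ranking the remaining paths after each candidate fix is a direct way to compare controls: a remediation that removes a chokepoint eliminates every path, while one that removes only an edge on a single path merely leaves the attacker the other route.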
Attacker-Centric Approach
The attacker-centric technique profiles the attacker's traits, expertise, and motivation for exploiting vulnerabilities. It then uses these profiles to identify which types of attacker are most likely to carry out particular kinds of exploit, and applies the mitigation strategies accordingly.
Types of assets that need protection
Identifying the assets that need protection is important for several reasons. It establishes what is crucial to the organization, and it supports sound decisions about the level of security that must be provided to safeguard those assets. The assets that need protection can be categorized as follows:
Information Assets
The information assets category encompasses all the data that the organization holds. This information has already been collected, classified, structured and stored in numerous forms. It is usually held in databases, such as customer, employee, and production data, and in data files, such as transaction records that provide up-to-date data on every event.
Software Assets
Software assets fall into two groups: application software and system software. Application software implements the organization's business rules. Developing it consumes a lot of time because its integrity is crucial, and any flaw in it can adversely affect the organization. System software comprises the packaged products the firm invests in, such as the DBMS, operating systems, office productivity suites, development tools, and utilities.
Physical assets
Physical assets comprise the organization's tangible, visible equipment, such as technology tools (servers, computers, and desktops) and communication equipment (modems, for example).
The relationship between access and risk, and the tradeoffs of restricting access to the organization's assets
Access and risk are related in that the easier an asset is to access, the more ways there are for it to be compromised. The organization therefore has to prioritize its assets and risks: the greater the level of risk, the higher the potential damage, and the stricter the controls must be to restrict access to information to authorized individuals only (Pompon, 2016). Restricting access has its own tradeoffs. If the only individuals authorized to access a piece of information are absent when it is needed, a purchase or other organizational transaction can be held up. Access should therefore not depend on a single person for any given task. In addition, if management tracks how regularly information is actually needed, it can relax restrictions where doing so avoids the tradeoff without materially raising the risk.
Conclusion
All businesses face risk at some point in their operations. Risk assessment is therefore an essential part of an organization's overall security management strategy. It must be integrated into the organization's internal quality assurance procedures to ensure that sufficient security is designed and applied cost-effectively where it matters.
References
Goncalves, M., & Heda, R. (2013). Risk Analysis Tools and Methodologies. Risk Management for Project Managers. doi:10.1115/1.860236_ch5
Pompon, R. (2016). Risk Analysis: Assets and Impacts. IT Security Risk Control Management, 23-37. doi:10.1007/978-1-4842-2140-2_3
Reavis, D. (2011). Identifying Threats to the System. The Technology Behind E-Commerce, 5167-6055. doi:10.4018/978-1-4666-9516-0.les8