Monday, September 9, 2013

Assessing Information Security Risk

Assessing information security risk is critical to the overall business approach for decisions and actions within your organization. Risks can impact your shareholder value, customer confidence, and investment plans. A risk exists only where all three of its elements meet: an asset worth protecting, a threat to that asset, and a vulnerability in the asset that the threat can exploit. Remove any one of the three and there is no risk. The three basic elements of a risk assessment are therefore assets, threats, and vulnerabilities.

Assets:

An asset is any device, component, or data set that is critical to your company's operations. This includes not only hardware and software, but also your company's critical data, and the business processes that depend on them. Examine your assets first and rate each by how much the business would suffer if it were compromised, lost, or unavailable. This lets you prioritize assets by potential impact and direct resources toward the services that matter most, rather than spreading them evenly across everything you own.

Threats:

A threat is any actor or event with the potential to cause harm to your systems: an external attacker, a malicious or careless insider, malware, a natural disaster, or a supplier failure. A threat existing does not mean your system will succumb to it; a threat with no vulnerability to exploit causes no loss. Identify the threats relevant to your systems and rate each by how likely it is to occur, so you can focus on the significant ones rather than on every conceivable scenario.

Vulnerabilities:

Vulnerabilities are the weaknesses that connect threats to assets. Once you have identified threats, you can determine which systems, if any, have a weakness that one of those threats could actually exploit. This is where you then need to place your efforts - patch systems, apply further controls, and fix any vulnerabilities you find. You also need to determine the impact to the business if a given vulnerability is exploited, so that the allotment of resources matches the size of the risk rather than the count of findings.

Performing an information security risk assessment really does come down to the identification of assets, the determination of threats, and the remediation of vulnerabilities. Ensure your risk assessments are business-focused, expressing each risk in terms of impact to the business, to obtain the support and resources needed to protect your environment. Keep your assessment simple, but revisit it as the economy, threat landscape, and business environment change, since a rating that was correct last year may not be correct now.
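As an added example that is not part of the original post, here is the three-element model above written out as a small risk register in Python. Assets carry a criticality rating, threats carry a likelihood rating, and vulnerabilities tie one asset to one threat; a risk score is produced only where all three intersect, then the register is sorted so the highest risks get resources first. The asset and threat names, the 1 to 5 ratings, the "exposure" factor for existing controls, and the impact x likelihood scoring are all constructed for illustration, not taken from the post or any standard.

```python
from dataclasses import dataclass

# All names and ratings below are constructed sample data for illustration.


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1 (low) .. 5 (critical): business impact if compromised


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain): chance the threat acts


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # asset that has the weakness
    threat: str         # threat that could exploit it
    description: str
    exposure: float = 1.0  # 0..1: share of the likelihood left after current controls


ASSETS = {
    a.name: a
    for a in (
        Asset("customer-db", 5),
        Asset("marketing-site", 2),
        Asset("build-server", 4),
    )
}

THREATS = {
    t.name: t
    for t in (
        Threat("external-attacker", 4),
        Threat("malicious-insider", 2),
        Threat("datacenter-flood", 1),  # no matching vulnerability: yields no risk
    )
}

VULNS = [
    Vulnerability("customer-db", "external-attacker", "SQL injection in order lookup"),
    Vulnerability("customer-db", "malicious-insider", "shared DBA credentials, no audit log", 0.5),
    Vulnerability("marketing-site", "external-attacker", "outdated CMS plugin", 0.8),
    Vulnerability("build-server", "external-attacker", "SSH exposed to the internet", 0.25),
    # Asset not in the register: a finding with no owner cannot be scored, so it is skipped.
    Vulnerability("hr-laptop", "malicious-insider", "unencrypted disk"),
]


def score_risks(assets, threats, vulns):
    """Return (score, asset, threat, description) tuples, highest score first.

    A risk exists only where an asset, a threat to it, and a vulnerability the
    threat can exploit all meet. Score = criticality * likelihood * exposure,
    the usual qualitative impact-times-likelihood model (a constructed choice).
    """
    risks = []
    for v in vulns:
        asset = assets.get(v.asset)
        threat = threats.get(v.threat)
        if asset is None or threat is None:
            continue  # missing element: no risk can be stated
        score = asset.criticality * threat.likelihood * v.exposure
        risks.append((score, asset.name, threat.name, v.description))
    return sorted(risks, key=lambda r: r[0], reverse=True)


def risk_by_asset(risks):
    """Total risk per asset, the view used to decide where resources go."""
    totals = {}
    for score, asset, _threat, _desc in risks:
        totals[asset] = totals.get(asset, 0.0) + score
    return totals


def apply_control(vulns, description, new_exposure):
    """Model a fix: lower the exposure of one vulnerability and re-score later."""
    return [
        Vulnerability(v.asset, v.threat, v.description, new_exposure)
        if v.description == description
        else v
        for v in vulns
    ]


if __name__ == "__main__":
    register = score_risks(ASSETS, THREATS, VULNS)
    for score, asset, threat, desc in register:
        print(f"{score:5.1f}  {asset:15} {threat:18} {desc}")
    print("per asset:", risk_by_asset(register))
    # Patch the top finding and show the residual risk ordering.
    patched = apply_control(VULNS, "SQL injection in order lookup", 0.1)
    print("after patch:", [(s, a) for s, a, _, _ in score_risks(ASSETS, THREATS, patched)])
```

Running it lists four scored risks (the flood threat and the unregistered laptop produce none), puts the customer database's SQL injection on top, and shows that after that one fix the marketing site's CMS plugin becomes the next priority. The point of the exposure factor is that a risk rarely goes to zero after a control; re-scoring the register is how the assessment stays current as controls and threats change.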
