
Whether you like it or not, if you work in security, you are in the risk management business. Cybersecurity is all about understanding, managing, controlling and mitigating risk to your organization’s critical assets.

To get started with IT security risk assessment, you need to answer three important questions:
1. What are your organization’s critical information technology assets - that is, the data whose exposure would have a major impact on your business operations?
2. What are the top five business processes that utilize or require this information?
3. What threats could affect the ability of those business functions to operate?

Once you know what you need to protect, you can begin developing strategies. However, before you spend a dollar of your budget or an hour of your time implementing a solution to reduce risk, you should be able to answer the following questions:
2. Is it the highest priority security risk?
3. Are you reducing it in the most cost-effective way?

These questions get to the heart of the problem - that it is all about risk.

Risk is a business concept - is the likelihood of financial loss for the organization high, medium, low or zero? Three factors play into risk determination: what the threat is, how vulnerable the system is, and the importance of the asset that could be damaged or made unavailable. Thus, risk can be defined as follows:

Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk is high. However, if you have good perimeter defenses and your vulnerability is low, then even though the asset is still critical, your risk will be medium.

There are two special cases to keep in mind:
- If any of the factors is zero, even if the other factors are high or critical, your risk is zero.
- If something is guaranteed to happen, it is not a risk.

Here are some common ways you can suffer financial damage:
- Theft of trade secrets could cause you to lose business to your competitors.
- Theft of customer information could result in loss of trust and customer attrition.
- If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
- If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection requirements of HIPAA, PCI DSS or other compliance regulations.

Now let’s walk through the risk assessment procedure.

Assets include servers, client contact information, sensitive partner documents, trade secrets and so on. Remember, what you as a technician think is valuable might not be what is actually most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets.
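The three-factor model (threat, vulnerability, asset importance) and its two special cases are easy to state but easy to apply inconsistently across a long asset list. The following script is an added example, not code from the original article: it encodes the factors as ordinal levels, applies the "any factor is zero" and "guaranteed events are not risks" rules, and sorts a constructed risk register so the business-critical exposures come out first. The averaging rule used to combine the three levels, the level names, and the sample register entries are all assumptions chosen here to reproduce the article's two worked cases (high vulnerability plus critical asset gives high risk; low vulnerability plus critical asset gives medium risk).

```python
"""Qualitative risk rating and asset prioritization (added example).

Encodes the article's three-factor model and its two special cases in a
small, reviewable routine. The Level scale and the averaging rule in
rate_risk() are assumptions, not something the article prescribes.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale shared by all three factors and by the result.
    For asset importance, HIGH is what the article calls 'critical'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskItem:
    asset: str
    scenario: str
    threat: Level          # how real and capable the threat is
    vulnerability: Level   # how exposed the asset is to that threat
    importance: Level      # how much the business depends on the asset
    certain: bool = False  # the event is guaranteed (already happening)


def rate_risk(item: RiskItem) -> Level:
    """Combine the three factors into one ordinal risk level.

    Special cases from the article:
      * any factor at NONE -> risk is NONE, whatever the other factors are
      * a guaranteed event is not a risk (it is an issue to fix) -> NONE
    Otherwise the factors are averaged and rounded to the nearest level
    (assumption: this yields HIGH for high/high/critical and MEDIUM for
    high/low/critical, matching the article's two worked cases).
    """
    if item.certain:
        return Level.NONE
    factors = (item.threat, item.vulnerability, item.importance)
    if Level.NONE in factors:
        return Level.NONE
    average = sum(int(f) for f in factors) / len(factors)
    return Level(round(average))


def prioritize(register: list[RiskItem]) -> list[tuple[RiskItem, Level]]:
    """Return (item, rating) pairs, highest risk first.

    Ties are broken on asset importance so that, among equally rated
    items, the one the business depends on most is handled first.
    """
    rated = [(item, rate_risk(item)) for item in register]
    rated.sort(key=lambda pair: (pair[1], pair[0].importance), reverse=True)
    return rated


# Constructed sample register: illustrative assets and scenarios only.
SAMPLE_REGISTER = [
    RiskItem("customer database (no perimeter controls)",
             "external attacker compromises the host",
             Level.HIGH, Level.HIGH, Level.HIGH),
    RiskItem("customer database (firewall and antivirus in place)",
             "external attacker compromises the host",
             Level.HIGH, Level.LOW, Level.HIGH),
    RiskItem("lobby information kiosk",
             "defacement of a system nobody depends on",
             Level.MEDIUM, Level.HIGH, Level.NONE),
    RiskItem("legacy file server",
             "disk already failing; outage is certain",
             Level.HIGH, Level.HIGH, Level.HIGH, certain=True),
]


if __name__ == "__main__":
    for item, rating in prioritize(SAMPLE_REGISTER):
        print(f"{rating.name:<6} {item.asset}: {item.scenario}")
```

Items rated NONE are still worth keeping in the output: the kiosk drops out because nothing of value depends on it, while the failing file server drops out of the risk list only because it belongs on an incident or maintenance list instead, which is exactly the distinction the second special case draws.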
