
Risk Assessment and a Risk Management Process - Essay Example

Summary
This essay explores the risk assessment measures that are taken beforehand so that whenever an issue arises the team is prepared to take steps. At times people don't know what to do or how to react in an emergency, so if an assessment is done, things can be saved from greater losses…

Extract of sample "Risk Assessment and a Risk Management Process"

Risk Assessment

Risk can be defined as a combination of the probability of occurrence of harm and the severity of that harm. Risk assessment comes under a risk management process. The risk assessment measures are taken beforehand so that whenever an issue arises the team is prepared to take steps. At times people don't know what to do or how to react in an emergency, so if an assessment is done, things can be saved from greater losses.

Risk management is helpful in answering questions such as whether failing to upgrade your file-and-print server will affect the ability of users to do their jobs properly; whether implementation of the latest intrusion-detection technology will reduce the likelihood of someone breaking into your e-mail server; and whether a firewall is necessary to protect your Web server, or if simple router ACLs (access control lists) will suffice. Furthermore, a risk-management process will help you prioritize these issues should you lack the resources necessary to address them all immediately.

The question that arises is when the risk assessment should be done. These are a few of the reasons:

  • Prior to work with an agent
  • At regular intervals
  • At least annually
  • In case of a change:
      • Move or renovation
      • New employee
      • Different piece of equipment
      • New technique or procedure

1. Establish the risk assessment team. The team is formed to collect, analyze and report the assessments to the management. It is important that all aspects of the activity work flow be represented on the team, including human resources, administrative processes, automated systems, and physical security. The reason is to plan things beforehand so that the plan is easy to follow. The team members, for their part, will have to attend and participate in the meetings and take responsibility for achieving goals and objectives.
The team members will also have to work hard for effective teamwork and communications, share responsibility for all team decisions, and share knowledge and expertise with the team. They will have to provide leadership where appropriate and, last but not least, participate in training sessions where required.

2. Set the scope of the project. The assessment team should identify at the outset the objective of the assessment project, the department or functional area to be assessed, the responsibilities of the members of the team, the personnel to be interviewed, the standards to be used, the documentation to be reviewed, and the operations to be observed. When the scope of a project is discussed, the output is in terms of time and cost. Scope is important because experienced team members know how changes in scope cause issues. As things proceed, scopes do change, because the team members are not aware of the actual outcomes of things.

3. Identify assets covered by the assessment. Assets may include, but are not limited to, personnel, hardware, software, data (including classification of sensitivity and criticality), facilities, and current controls that safeguard those assets. It is key to identify all assets associated with the assessment project determined in the scope.

4. Categorize potential losses. Identify the losses that could result from any type of damage to an asset. Losses may result from physical damage, denial of service, modification, unauthorized access, or disclosure. Losses may be intangible, such as the loss of the organization's credibility. Only after knowing these losses can the team think of the threats that may occur. More than one individual gathers the potential losses and anything concerning them, and everyone can give his or her own comments. The more possibilities are brought out, the more prepared a team becomes in case of an event.

5. Identify threats and vulnerabilities.
A threat is an event, process, activity, or action that exploits a vulnerability to attack an asset. Include natural threats, accidental threats, human accidental threats, and human malicious threats. These could include power failure, biological contamination or hazardous chemical spills, acts of nature, hardware/software failure, data destruction or loss of integrity, sabotage, theft, or vandalism. A vulnerability is a weakness that a threat will exploit to attack the assets. Vulnerabilities can be identified by addressing the following in your data collection process: physical security, environment, system security, communications security, personnel security, plans, policies, procedures, management, support, etc. It is a fact that one cannot avoid any kind of threat completely, but preparation beforehand helps a lot in finding solutions.

Numerous types of vulnerabilities, both physical and electronic, are possible. Each should be examined and documented. It doesn't do much good to control all the risks associated with electronic access to your systems if someone could physically touch them and modify or walk away with data. Many tools exist for evaluating electronic vulnerabilities. The primary value of these tools lies in automation and detection; that is, typically they'll scan your systems for configurations and services, compare the results with a database of known exploits, and produce a report. This saves you the laborious task of examining systems manually and researching the latest exploits. It also provides a method of easily obtaining consistent data on your system vulnerabilities.

Identify existing controls. Controls are safeguards that reduce the probability that a threat will exploit a vulnerability to successfully attack an asset. Identify those safeguards that are currently implemented, and determine their effectiveness in the context of the current analysis. These controls make us think about why risk management is necessary.
The reasons are increased certainty and fewer surprises; better service delivery; more effective management of change; more efficient use of resources; better management at all levels through improved decision making; reduced waste and better value for money; and management of contingent and maintenance activities.

6. Analyze the data. In this phase, all the collected information is used to determine the actual risks to the assets under consideration. One technique for analyzing the data is to prepare a list of assets showing the corresponding threats, type of loss, and vulnerability. Analysis of this data should include an assessment of the possible frequency of the potential loss.

7. Determine cost-effective safeguards. Include in this assessment the implementation cost of the safeguard, the annual cost to operate the safeguard, and the life cycle of the safeguard.

8. Report. The type of report to make depends on the audience to whom it is submitted. Typically, a simple report that is easy to read, and supported by detailed analysis, is more easily understood by individuals who may not be familiar with your organization. The report should include findings; a list of assets, threats, and vulnerabilities; a risk determination; recommended safeguards; and a cost-benefit analysis.

One must communicate openly regarding risk management so that relevant information about risk is shared. This is important because the mitigation strategy may cause risk in another area of the company. In addition, other risks are often understood by individuals who don't have the resources to deal with them. Communicating actions based on a risk assessment may open new areas for investigation that otherwise would have gone unnoticed.

Types of Risk Assessment

One of the most common risk assessment methodologies employed is ad hoc. Here someone may believe that a risk exists and that the management should do something about it.
It is common with small-scale businesses. An analysis of the numerous risk-assessment methodologies is beyond the scope of our discussion, but it's important to note that each methodology has been developed to meet specific needs, each has strengths and weaknesses, and each may or may not apply to a given situation.

Conclusion

Recollecting all the information gathered, we can see that risk assessment plays a very important role. Examples can be taken from organizations that did not have any risk assessment methodologies planned and, at the time of an undesirable event, were helpless both physically and financially. All the top organizations are taking risk assessment seriously after disasters like Katrina. Doing the assessment would surely take time, but the end results are worth it.

References

1. Neville Turbit. Defining Project Scopes in IT Projects. Retrieved November 22nd, 2006, from http://www.projectperfect.com.au/info_define_the_scope.php
2. Conducting a Risk Assessment. Retrieved November 22nd, 2006, from http://www.ehss.vt.edu/Programs/LSD/Biosafety/BiosafetyForLaboratoryWorkers/16_RiskAssessment.htm
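
Steps 6 and 7 of the essay, worked through for its own Web server question (router ACLs or a firewall), as an added example that is not part of the original essay. The scoring model is an assumption the essay does not state: expected annual loss is loss per event times frequency, a safeguard is modelled as preventing a fraction of events, and its implementation cost is spread evenly over its life cycle. All figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Risk:                      # one row of the step 6 asset list
    asset: str
    threat: str
    vulnerability: str
    loss_type: str
    loss_per_event: float        # estimated cost of one occurrence
    events_per_year: float       # estimated frequency of the loss

    def annual_loss(self) -> float:
        return self.loss_per_event * self.events_per_year

@dataclass
class Safeguard:                 # the three cost inputs named in step 7
    name: str
    implementation_cost: float
    annual_operating_cost: float
    life_cycle_years: int
    frequency_reduction: float   # assumed fraction of events prevented (0..1)

    def annual_cost(self) -> float:
        # Spread the one-time cost evenly over the life cycle (assumption).
        return self.implementation_cost / self.life_cycle_years + self.annual_operating_cost

def net_annual_benefit(risk: Risk, sg: Safeguard) -> float:
    return risk.annual_loss() * sg.frequency_reduction - sg.annual_cost()

def rank_safeguards(risk: Risk, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Cost-effective safeguards only (net benefit > 0), best first."""
    scored = [(sg.name, round(net_annual_benefit(risk, sg), 2)) for sg in candidates]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)

# Constructed sample data: every figure below is invented for illustration.
RISK = Risk("Web server", "human malicious threat", "exposed admin services",
            "unauthorized access", loss_per_event=40_000, events_per_year=0.5)
CANDIDATES = [
    Safeguard("Router ACLs", 1_000, 500, 5, 0.6),
    Safeguard("Firewall", 15_000, 3_000, 5, 0.8),
    Safeguard("Intrusion detection", 30_000, 12_000, 3, 0.3),
]

if __name__ == "__main__":
    print(f"Expected annual loss: {RISK.annual_loss():,.0f}")
    for name, benefit in rank_safeguards(RISK, CANDIDATES):
        print(f"{name:20s} net annual benefit {benefit:>10,.2f}")
```

With these constructed figures the cheaper control ranks first even though the firewall prevents more events, and the safeguard that costs more per year than the loss it avoids drops out of the list.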
Cite this document
(“A review of Risk Assessment Methodologies Essay”, n.d.)
Retrieved from https://studentshare.org/business/1534392-a-review-of-risk-assessment-methodologies