Risk AssessmentRisk assessment is the process of analyzing threats to an information system and known vulnerabilities to determine the likelihood and impact of some anticipated loss. This risk analysis can then be used to design protective security controls that reduce these factors to acceptable levels.
Pre-requisite to Risk Assessment is System Characterization
NOTE - Risk Assessment is part of a greater process called Risk Management. Risk Management begins with Risk Assessment and then moves into protecting the information system with Risk Mitigation (through security controls) and closes out with Evaluation and Assessment to confirm that the Risk Managment process is actually working.
Risk Management: Define which parts of the process you have control over and which parts of the process you don't have control over then maximize your exposure to the parts you can control and minimize your exposure to the parts of the process you can not control
Natural (storms), Human and Environmental (power failure)
Vulnerability lists and system testing
Patch Management is a critical part of security.
The goal of the controls is to reduce risk to a level that is acceptable
Risk assessment report
Agile Defense In the past, information systems security often focused simply on perimeter defense, wrongly assuming that a strong perimeter was the only defense needed. Then, as regulations became more complex and more legal, infosec became more “compliance-centric”, trying to pass the security audits required by law. Compliance oriented security produces reams of paperwork and [...]