Risk Assessment

Risk assessment is the process of analyzing the threats to an information system and the known vulnerabilities those threats could exploit, in order to determine the likelihood and impact of an anticipated loss. The resulting risk analysis is then used to select protective security controls that reduce likelihood, impact, or both to levels the organization finds acceptable.

A prerequisite to Risk Assessment is System Characterization: defining the system boundary and identifying the hardware, software, data, interfaces, and people within it, so that the threats and vulnerabilities being analyzed belong to a specific, well-defined system.

NOTE - Risk Assessment is part of a larger process called Risk Management. Risk Management begins with Risk Assessment, then moves into protecting the information system through Risk Mitigation (prioritizing, selecting, and implementing security controls), and closes out with Evaluation and Assessment to confirm that the Risk Management process is actually working and that the controls remain effective as the system and its threats change.

Risk Management: Determine which parts of the process you control and which parts you do not, then concentrate your effort on the parts you can control and minimize your exposure to the parts you cannot.

Threat Identification


Threat sources fall into three categories: Natural (storms, floods, earthquakes), Human (deliberate acts such as network intrusion or malware, and accidental acts such as operator error), and Environmental (long-term power failure, pollution, chemical or liquid leakage).

Vulnerability Identification


Sources include published vulnerability lists and advisories (vendor bulletins, vulnerability databases), findings from prior risk assessments and audits, and system security testing such as automated vulnerability scanning, security test and evaluation, and penetration testing.

Patch Management

Patch Management is a critical part of security and follows directly from Vulnerability Identification: a known vulnerability for which a fix exists but has not been applied is the easiest class of weakness for an attacker to exploit and usually the cheapest to remove. The patch process (inventory of systems and versions, tracking of vendor advisories, testing, deployment within a defined time window, and verification that the patch actually took effect) therefore deserves to be assessed as a control in its own right.

Risk Analysis


Control Analysis - evaluate the controls already in place (or planned) and how effectively they reduce the chance that a threat exercises a vulnerability
Likelihood Determination - rate the probability that a given threat source exercises a given vulnerability, taking the existing controls into account (for example High, Medium, or Low)
Impact Analysis - rate the harm to confidentiality, integrity, and availability if the vulnerability is exploited
Risk Determination - combine likelihood and impact into a risk level for each threat/vulnerability pair, and rank the pairs so the highest risks are addressed first

Control Recommendations


The goal of the recommended controls is to reduce each risk to a level that is acceptable to the organization. Candidate controls are weighed by effectiveness, cost, operational impact, and applicable legislation and policy, and the risk that remains after a control is applied is the residual risk that management must explicitly accept.
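As an added example that is not part of the original page, the following Python walks a small constructed risk register through the steps above: control analysis, likelihood determination, impact analysis, risk determination, and control recommendations down to an acceptable residual level. The rating scale is the 3x3 risk-level matrix from the 2002 edition of NIST SP 800-30; the register entries, the rule that each effective control lowers likelihood by one level, and the choice of "Low" as the acceptable level are assumptions made for illustration.

```python
"""Worked risk determination over a small risk register (added example).

Scale: likelihood High=1.0, Medium=0.5, Low=0.1; impact High=100, Medium=50,
Low=10; risk score = likelihood * impact, rated High (>50), Medium (>10 to 50),
Low (<=10). This is the 3x3 risk-level matrix of NIST SP 800-30 (2002).
The register entries below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]  # ordered so index comparisons work


@dataclass
class RiskItem:
    threat: str                 # threat source/action (Threat Identification)
    vulnerability: str          # weakness it could exercise (Vulnerability Identification)
    likelihood: str             # raw likelihood before considering existing controls
    impact: str                 # harm to C/I/A if exploited (Impact Analysis)
    existing_controls: list[str] = field(default_factory=list)     # Control Analysis input
    recommended_controls: list[str] = field(default_factory=list)  # candidates if risk too high


def lower_level(level: str, steps: int = 1) -> str:
    """Drop a High/Medium/Low rating by `steps`, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


def adjusted_likelihood(item: RiskItem) -> str:
    """Likelihood Determination: assumption for this example is that each
    effective existing control lowers the raw likelihood by one level."""
    return lower_level(item.likelihood, len(item.existing_controls))


def risk_score(likelihood: str, impact: str) -> float:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(register: list[RiskItem], acceptable: str = "Low") -> list[dict]:
    """Risk Determination for every item, highest score first. Items above the
    acceptable level get the recommended controls applied (each lowering
    likelihood one more level) and the resulting residual risk is recorded."""
    rows = []
    for item in register:
        like = adjusted_likelihood(item)
        score = risk_score(like, item.impact)
        level = risk_level(score)
        row = {"threat": item.threat, "vulnerability": item.vulnerability,
               "likelihood": like, "impact": item.impact, "score": score,
               "level": level, "recommend": [], "residual": level}
        if LEVELS.index(level) > LEVELS.index(acceptable):
            row["recommend"] = list(item.recommended_controls)
            residual_like = lower_level(like, len(item.recommended_controls))
            row["residual"] = risk_level(risk_score(residual_like, item.impact))
        rows.append(row)
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def report(rows: list[dict]) -> str:
    """Text form of the risk assessment report (Documentation step)."""
    lines = [f"{'RISK':<7}{'SCORE':>6}  {'LIKELIHOOD':<11}{'IMPACT':<8}THREAT / VULNERABILITY"]
    for r in rows:
        lines.append(f"{r['level']:<7}{r['score']:>6.0f}  {r['likelihood']:<11}{r['impact']:<8}"
                     f"{r['threat']}: {r['vulnerability']}")
        for c in r["recommend"]:
            lines.append(f"{'':15}recommend: {c}")
        if r["recommend"]:
            lines.append(f"{'':15}residual risk after recommended controls: {r['residual']}")
    return "\n".join(lines)


# Constructed sample register: one entry per threat-source category.
SAMPLE_REGISTER = [
    RiskItem("Internet attacker", "unpatched remote code execution flaw in public web server",
             "High", "High", [], ["patch management with 7-day SLA", "web application firewall"]),
    RiskItem("Disgruntled insider", "shared administrator password on the database",
             "High", "Medium", ["quarterly privileged access review"], ["per-user accounts with MFA"]),
    RiskItem("Power failure", "no UPS or generator for the server room",
             "Medium", "Medium", [], ["UPS with generator cut-over"]),
    RiskItem("Storm", "single data centre in a flood-prone area",
             "Low", "High", [], ["second site with replicated backups"]),
]

if __name__ == "__main__":
    print(report(assess(SAMPLE_REGISTER)))
```

The ranking puts the unpatched web server at the top (High) and shows that the storm scenario already sits at an acceptable Low, so no control is recommended for it even though one is listed; the insider case shows existing controls pulling a raw High likelihood down before the risk is scored.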

Documentation


The results are captured in a risk assessment report that records, for each threat/vulnerability pair, the likelihood, the impact, the resulting risk level, and the recommended controls, so that management can decide which risks to mitigate, transfer, or accept and can fund the chosen controls.

Agile Defense with NIST Controls

Agile Defense

In the past, information systems security often focused simply on perimeter defense, wrongly assuming that a strong perimeter was the only defense needed. Then, as regulations became more complex and carried greater legal weight, infosec became “compliance-centric”, trying to pass the security audits required by law. Compliance-oriented security produces reams of paperwork and […]