With threats to sensitive data growing in both number and sophistication every day, organizations cannot afford a scattershot approach to security. Instead, they need to focus their limited IT budgets and resources on the specific vulnerabilities in their unique security posture.
To do this, they need to identify, analyze and prioritize the risks to the confidentiality, integrity or availability of their data or information systems, based on both the likelihood of the event and the level of impact it would have on the business. This process is called IT risk assessment.
To begin your risk assessment, follow the steps in the checklist below. This simple checklist is just one of several tools available for conducting information security risk assessments in your organization. Once a step is complete, check it off.
1. Collect the information you need to assess risks. Here are a few ways to do it:
2. Find all valuable assets across the organization that could be damaged by the threats. Here are just a few examples:
3. Identify potential consequences. Determine what harm the organization would suffer if a given asset were damaged. This is a business concept: the likelihood of financial or other business losses. Here are a few consequences you should care about:
4. Identify threats and their level. A threat is anything that might exploit a vulnerability to breach your security and cause harm to your assets. Here are a few common types of threats:
5. Identify vulnerabilities and assess the likelihood of their exploitation. A vulnerability is a weakness that allows some threat to breach your security and cause harm to an asset. Vulnerabilities can be physical, such as old equipment, or a problem with software design or configuration, such as excessive access permissions or unpatched workstations.
6. Assess risk. Risk is the potential that a given threat will exploit a vulnerability in the environment and cause harm to one or more assets, leading to monetary loss. Rate each risk by combining the likelihood of exploitation from step 5 with the level of impact identified in step 3.
7. Create a risk management plan that predicts risks, estimates impacts, and defines responses to each risk.
8. Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities and get management sign-off.
9. Define mitigation processes. You can improve your IT security infrastructure, but you cannot eliminate all risks. When a disaster happens, you fix what happened, investigate why it happened, and then try to prevent it from happening again, or at least make the consequences less harmful.
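The following added example (not part of the original checklist) shows how steps 2 through 7 fit together as a small risk register: each entry pairs an asset, threat, vulnerability and consequence, scores risk as likelihood times impact, and the register is sorted so the plan in step 7 starts with the highest-rated risks. The 1 to 5 scales, the level bands and the sample entries are assumptions constructed for illustration, not values from the article.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scales mapped to numbers (assumed 1-5 scales, not from the article).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    asset: str          # step 2: a valuable asset
    threat: str         # step 4: something that might exploit a weakness
    vulnerability: str  # step 5: the weakness itself
    consequence: str    # step 3: harm to the business (confidentiality, integrity or availability)
    likelihood: str     # step 5: chance the threat exploits the vulnerability
    impact: str         # step 3: level of business harm

    def score(self) -> int:
        # Step 6: risk rating = likelihood x impact (1..25 on the assumed scales)
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    # Assumed banding of the 1..25 product; tune the thresholds to the organization's risk appetite.
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register: List[RiskEntry]) -> List[Tuple[int, str, RiskEntry]]:
    """Return (score, level, entry) tuples with the highest risk first: the input to step 7."""
    ranked = sorted(register, key=lambda e: e.score(), reverse=True)
    return [(e.score(), risk_level(e.score()), e) for e in ranked]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", "ransomware", "unpatched workstations",
              "availability: order processing outage", "likely", "severe"),
    RiskEntry("HR file share", "insider misuse", "excessive access permissions",
              "confidentiality: exposure of employee records", "possible", "major"),
    RiskEntry("branch office switch", "hardware failure", "old equipment",
              "availability: one site offline", "possible", "minor"),
]

if __name__ == "__main__":
    for score, level, e in prioritize(SAMPLE_REGISTER):
        print(f"{score:2d} {level:8s} {e.asset}: {e.threat} via {e.vulnerability}")
```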