IT Risk Assessment

1.   About IT Risk Assessment:

Risk in the context of security is the likelihood of a threat source exploiting a vulnerability, combined with the resulting business impact. IT Risk Assessment is the process of identifying and assessing risk, reducing it to an acceptable level, and ensuring it remains at that level.

The ultimate purpose of IT Risk Assessment is to mitigate risk so as to prevent security incidents and compliance failures. IT Risk Assessment is one of the most effective tools/methods for providing a holistic security solution to the organization.

2.   Benefits of IT Risk Assessment:

Regular IT Risk Assessment and analysis offer the benefits listed below;

1.   Understanding  Risk Profile

IT Risk Assessment helps to understand the risk at different levels, such as;

a. Physical Damage (Fire, Water, Vandalism, Power Loss, and Natural Disaster);

b. Human Interaction (Accidental or intentional action or inaction that can disrupt productivity);

c. Equipment Malfunction (Failure of Systems and Peripheral Devices);

d. Inside and Outside Attack (Hacking, Cracking and Attacking);

e. Misuse of Data (Sharing Trade Secrets, Fraud, Espionage, and Theft);

f. Loss of Data (Intentional or unintentional disclosure of information to unauthorized parties);

g. Application Error (Computation Error, Input Error, and Software Defects).

2.   Identifying and Remediating Vulnerabilities

IT Risk Assessment helps to identify existing vulnerabilities in the system, across people, process and technology, and to remediate them as soon as possible.

3.   Inventorying IT and Data Assets

IT Risk Assessment helps to inventory IT and data assets. With this information the organization is able to categorize its IT and data assets according to their value and importance.

4.   Mitigating Costs

Regular IT Risk Assessment can help to eliminate unnecessary security spending. Estimating risk accurately enables cost to be balanced against benefit.

5.   Complying with Legal Requirements

IT Risk Assessment helps the organization comply with legal and regulatory requirements.

 

3.   Resources Needed to Conduct IT Risk Assessment:

At least two members are needed to conduct the IT Risk Assessment, one of whom should be the Information Security Officer. Up to 30 days (depending on the size of the organization) are needed to complete the IT Risk Assessment through the Assess Risk phase. Responding to risk and monitoring risk are ongoing processes that continue for the life of the system.

If, during the assessment, the organization's existing infrastructure or staff are not sufficient to find the vulnerabilities in the system, the assessment team needs a third party / vendor to act as a penetration tester.

During the IT Risk Assessment process the Risk Assessment team may need to interview multiple concerned officers to obtain the required information.

 

4.   Process To Conduct IT Risk Assessment:

Top management's approval is mandatory to conduct the IT Risk Assessment effectively. Once approval is granted, the IT Risk Assessment team will do the following;

·      Frame Risk

Here the Risk Assessment Team frames the risk. Which IT systems and IT assets are going to be covered? What is the acceptable level of risk (the risk tolerance)? What process will be followed? What are the responsibilities of the team members? These questions are settled in this phase.

·      Assess Risk

Here the Risk Assessment Team assesses the risk. Based on experience, tools and analysis, the team identifies the threats and vulnerabilities, estimates how likely each threat event is and what its impact would be, and derives the level of risk.

·      Respond to Risk

Here the Risk Assessment Team responds to the risks found in the earlier phase, typically by mitigating, accepting, transferring or avoiding each one. Responding to risk is an ongoing process, so it keeps going, and the involvement of multiple parties is needed to respond to the risk.

·      Monitor the Risk

Here the Risk Assessment Team monitors the effectiveness of the risk responses and re-assesses the risk whenever changes, updates or upgrades are found.

5.   Suitable Framework for us to Conduct IT Risk Assessment:

There are many frameworks for conducting IT Risk Assessment, such as;

·      NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments

·      Facilitated Risk Analysis Process (FRAP), a qualitative method

·      The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

·      Failure Modes and Effect Analysis (FMEA)

6.   About NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments:

NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, is specific to information system threats and how they relate to information security risk. It lays out the following steps.

1.    Prepare for the assessment;

2.    Conduct the assessment;

a.    Identify threat sources and events;

b.    Identify vulnerabilities and predisposing conditions;

c.     Determine likelihood of occurrence;

d.    Determine magnitude of impact;

e.    Determine Risk;

3.    Communicate Results;

4.    Maintain Assessment.

The NIST risk management methodology is mainly focused on computer systems and IT security issues.
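The following script is an added example, not code from the original post or from NIST. It ties the Frame / Assess / Respond / Monitor phases of section 4 to steps 2a to 2e of NIST SP 800-30 above: each finding records a threat event, a vulnerability, a likelihood and an impact; the risk level is derived from a likelihood-versus-impact lookup; and entries that exceed the risk tolerance set in the Frame phase are flagged for a response. The lookup table is an assumption modelled on the shape of the NIST SP 800-30 Rev. 1 Appendix I scale and should be checked against the publication before use; the asset names and findings are constructed sample data.

```python
"""Minimal risk register for the Assess / Respond / Monitor phases.

Added example (not from the original page). The level-of-risk lookup is an
assumption modelled on the likelihood-vs-impact scale in NIST SP 800-30
Rev. 1 Appendix I; verify the cell values against the publication.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple

# Ordered qualitative scale used for likelihood, impact and risk (NIST style).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed lookup: rows = likelihood, columns = impact in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 2e: combine likelihood (2c) and impact (2d) into a level of risk."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown scale value: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass(frozen=True)
class RiskEntry:
    asset: str           # from the asset inventory
    threat_event: str    # step 2a
    vulnerability: str   # step 2b
    likelihood: str      # step 2c
    impact: str          # step 2d
    risk: str = field(init=False)  # step 2e, derived

    def __post_init__(self):
        object.__setattr__(self, "risk", risk_level(self.likelihood, self.impact))


def exceeds_tolerance(entry: RiskEntry, tolerance: str) -> bool:
    """Respond phase: anything above the tolerance set in the Frame phase needs a response."""
    return LEVELS.index(entry.risk) > LEVELS.index(tolerance)


def build_register(entries: List[RiskEntry], tolerance: str) -> List[Tuple[RiskEntry, bool]]:
    """Rank findings highest risk first and flag those that need a response."""
    ranked = sorted(entries, key=lambda e: LEVELS.index(e.risk), reverse=True)
    return [(e, exceeds_tolerance(e, tolerance)) for e in ranked]


def reassess(entry: RiskEntry, likelihood: Optional[str] = None,
             impact: Optional[str] = None) -> RiskEntry:
    """Monitor phase: re-derive the risk after a change (e.g. a control was added)."""
    return replace(entry,
                   likelihood=likelihood or entry.likelihood,
                   impact=impact or entry.impact)


# Constructed sample findings (hypothetical data, not from the page).
SAMPLE = [
    RiskEntry("Core banking DB server", "Ransomware via phishing (human interaction)",
              "No MFA on the admin VPN", "High", "Very High"),
    RiskEntry("Branch file server", "Water damage (physical)",
              "Server room below grade, no leak sensor", "Low", "Moderate"),
    RiskEntry("Customer web portal", "Outside attack (SQL injection)",
              "Unpatched web framework", "Moderate", "High"),
    RiskEntry("HR workstation", "Application error",
              "Spreadsheet macro computation error", "Moderate", "Low"),
]

if __name__ == "__main__":
    for entry, needs_response in build_register(SAMPLE, tolerance="Low"):
        flag = "RESPOND" if needs_response else "accept"
        print(f"{entry.risk:9} {flag:8} {entry.asset}: {entry.threat_event}")
    # Monitor: after adding MFA the likelihood drops, so the same finding is re-derived.
    print(reassess(SAMPLE[0], likelihood="Low").risk)
```

With the tolerance set to "Low", the register ranks the database server ("Very High") and the web portal ("Moderate") as needing a response, while the two "Low" findings are accepted; re-assessing the database finding with likelihood "Low" after adding MFA brings it down to "Moderate", which is what the Monitor phase is meant to capture.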

7.   Conclusion:

IT Risk Assessment helps us to inventory IT and data assets; categorize them based on their value and criticality; find vulnerabilities in the IT and data assets; understand the existing security mechanisms that protect the system against those vulnerabilities; remediate the vulnerabilities; and suggest the best security mechanisms.
