Page 49 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Unit 4: Risk Analysis
6. The two main areas of focus for risk management, each with its own set of objectives, are
internal and ....................... .
4.3 Risk Analysis
Organizations should regularly undertake a comprehensive, focused assessment of the risks they
face. The details of the risk assessment process vary from one organization to another, but the
overall assessment workflow is outlined below:
1. Establish the Risk Assessment Team: The risk assessment team will be responsible for the
collection, analysis, and reporting of the assessment results to management. It is important
that all aspects of the activity work flow be represented on the team, including human
resources, administrative processes, automated systems, and physical security.
2. Set the Scope of the Project: At the outset the assessment team should identify the objective
of the assessment; the project, department, or functional area to be assessed; the responsibilities
of the members of the team; the personnel to be interviewed; the standards to be used; the
documentation to be reviewed; and the operations to be observed.
3. Identify Assets covered by the Assessment: Assets may include, but are not limited to,
personnel, hardware, software, data (including its classification by sensitivity and criticality),
facilities, and the current controls that safeguard those assets. It is essential to identify every
asset that falls within the scope set in the previous step.
4. Categorize Potential Losses: Identify the losses that could result from any type of damage
to an asset. Losses may result from physical damage, denial of service, modification,
unauthorized access or disclosure. Losses may also be intangible, such as the loss of the
organization's credibility.
5. Identify Threats and Vulnerabilities: A threat is an event, process, activity, or action that
exploits a vulnerability to attack an asset. Include natural threats, accidental non-human threats
(such as equipment failure), accidental human threats (such as operator error), and malicious
human threats. Examples are power failure, biological contamination or hazardous chemical
spills, acts of nature, hardware or software failure, data destruction or loss of integrity,
sabotage, theft, and vandalism. A vulnerability is a weakness that a threat can exploit to attack
an asset. Vulnerabilities can be identified by covering the following areas during data collection:
physical security, the environment, system security, communications security, personnel
security, plans, policies, procedures, management, and support.
6. Identify existing Controls: Controls are safeguards that reduce the probability that a
threat will exploit a vulnerability to successfully attack an asset. Identify those safeguards
that are currently implemented, and determine their effectiveness in the context of the
current analysis.
7. Analyze the Data: In this phase, all the collected information is used to determine the actual
risks to the assets under consideration. One technique is to prepare a table that lists each asset
alongside its corresponding threats, vulnerabilities, and types of loss. The analysis of this data
should also include an estimate of how frequently each potential loss is likely to occur, since
a loss that is expected often carries more risk than an equally damaging loss that is rare.
8. Determine Cost-effective Safeguards: For each candidate safeguard, weigh its implementation
cost, its annual operating cost, and its expected life cycle against the loss it prevents.
9. Submit the Report: The form of the report depends on the audience to whom it is submitted.
Typically, a simple report that is easy to read, supported by detailed analysis, is more easily
understood by individuals who may not be familiar with your
LOVELY PROFESSIONAL UNIVERSITY 43