Page 50 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy
Notes organization. The report should include the findings: a list of assets, threats, and vulnerabilities;
a risk determination; recommended safeguards; and a cost-benefit analysis.
Notes This focused assessment should occur at least twice a year by a team of staff members
representing all the major functions of the organization. The assessment should be carefully
planned, documented and methodically carried out.
Task How to identify existing controls?
4.3.1 Basic Principles of Risk Assessment
IT security failures may cause loss of information confidentiality, integrity, or availability.
The units that manage information assets or electronic resources should carry out an assessment
to determine which information resources exist and require protection. They should conduct formal
risk assessments to understand and document potential risks. Full support of senior management is
required for successful risk assessments.
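The note above lists what a risk assessment report must contain (assets, threats, vulnerabilities, a risk determination, recommended safeguards and a cost-benefit analysis), and the paragraph above says the assessment exists to decide which resources need protection. The following added example (written for this page, not taken from the textbook) builds a small risk register that produces exactly those report rows. The risk determination uses the standard quantitative formula ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence), which is my choice of method and is not named on the page; the assets, loss figures, safeguard costs and the tolerance threshold are constructed sample values.

```python
"""Minimal risk register: assets, threats, vulnerabilities, risk determination,
safeguard recommendation and cost-benefit check.

Added example, not the textbook's own material. All figures below are
constructed sample values; the ALE method is a common quantitative approach
chosen here for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Safeguard:
    name: str
    annual_cost: float      # yearly cost of operating the control
    rate_reduction: float   # fraction by which it reduces expected incidents (0..1)


@dataclass
class RiskItem:
    asset: str
    asset_value: float      # value of the asset (money units)
    threat: str
    vulnerability: str
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)
    safeguards: List[Safeguard] = field(default_factory=list)

    def single_loss_expectancy(self) -> float:
        # SLE = asset value * exposure factor
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE * ARO  (the risk determination used in the report)
        return self.single_loss_expectancy() * self.annual_rate

    def safeguard_net_benefit(self, sg: Safeguard) -> float:
        # Cost-benefit of a control: ALE before - ALE after - yearly control cost
        ale_before = self.annual_loss_expectancy()
        ale_after = ale_before * (1.0 - sg.rate_reduction)
        return ale_before - ale_after - sg.annual_cost

    def recommended_safeguard(self) -> Optional[Tuple[Safeguard, float]]:
        # Pick the control with the largest positive net benefit; None means
        # no control pays for itself and the risk must be tolerated or escalated.
        best = None
        for sg in self.safeguards:
            benefit = self.safeguard_net_benefit(sg)
            if benefit > 0 and (best is None or benefit > best[1]):
                best = (sg, benefit)
        return best


def build_report(items: List[RiskItem], tolerance: float) -> List[Dict]:
    """Return report rows, highest annual loss first.

    `tolerance` is the yearly loss the decision maker accepts without further
    controls (a constructed policy value, not from the page)."""
    rows = []
    for item in items:
        ale = item.annual_loss_expectancy()
        rec = item.recommended_safeguard()
        if rec is not None:
            decision, sg_name, benefit = "mitigate", rec[0].name, rec[1]
        elif ale <= tolerance:
            decision, sg_name, benefit = "tolerate", None, 0.0
        else:
            # Loss exceeds tolerance but no control is cost-effective:
            # the decision maker must accept, transfer or fund a better control.
            decision, sg_name, benefit = "escalate", None, 0.0
        rows.append({"asset": item.asset, "threat": item.threat,
                     "vulnerability": item.vulnerability, "ale": ale,
                     "decision": decision, "safeguard": sg_name,
                     "net_benefit": benefit})
    rows.sort(key=lambda r: r["ale"], reverse=True)
    return rows


# Constructed sample register (values are illustrative only).
SAMPLE_REGISTER = [
    RiskItem("customer database", 500_000.0, "ransomware", "unpatched file server",
             exposure_factor=0.4, annual_rate=0.5,
             safeguards=[Safeguard("offline backups", 20_000.0, 0.8),
                         Safeguard("endpoint detection", 50_000.0, 0.6)]),
    RiskItem("public website", 50_000.0, "defacement", "weak admin password",
             exposure_factor=0.2, annual_rate=1.0,
             safeguards=[Safeguard("MFA on admin accounts", 2_000.0, 0.9)]),
    RiskItem("lobby kiosk", 2_000.0, "theft", "unlocked enclosure",
             exposure_factor=1.0, annual_rate=0.1,
             safeguards=[Safeguard("security cable", 300.0, 0.5)]),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER, tolerance=1_000.0):
        print(f"{row['asset']:18} {row['threat']:12} ALE={row['ale']:>10.0f} "
              f"{row['decision']:8} {row['safeguard'] or '-'} "
              f"net benefit={row['net_benefit']:.0f}")
```

Running the block prints one report row per asset: the database (ALE 100,000) is mitigated with offline backups because that control returns the largest positive net benefit, the website is mitigated with MFA, and the kiosk (ALE 200) is tolerated because its only safeguard costs more than it saves and the loss sits under the tolerance threshold. Changing the tolerance or the safeguard costs changes the decisions, which is the point of tying the assessment to a concrete decision.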
The basic principles of risk assessment are given below:
1. The assessment should have clear objective(s) reflecting the informational needs of decision
makers and determined in an iterative dialogue between the assessor(s) and the decision
maker(s).
Risk assessment is always linked to decision-making. In particular, it can help prioritize
actions, provide objective and defensible means to distinguish between alternative courses
of action, and enable a choice to be made. Ultimately, the risk assessment process can help
in deciding whether risk can be tolerated or whether further controls are justified. It is
important to establish clearly why a particular risk assessment is initiated: what decision
depends on the outcome?
The risk assessor and decision maker (also referred to as risk manager) may be the same
person or be in the same organization, but other situations are also common.
Some applications of risk assessment are proactive in nature, i.e. they are aimed at future or
potential risks; in other cases, a reactive assessment is aimed at concrete products that have
been involved in an incident, found to fail a standard, or otherwise suspected of being unsafe.
2. The scope and content should be based on the objectives of the assessment and best
professional judgment, considering the benefits and costs of acquiring additional
information before undertaking the assessment.
The scope of the assessment includes at least:
(a) The product (type) that is the subject of the assessment;
(b) The hazard(s) of concern;
(c) The affected entities (population(s), subpopulation(s), individuals, or other) that are
the subject of the assessment;
(d) The exposure/event scenarios relevant to the objectives of the assessment;
44 LOVELY PROFESSIONAL UNIVERSITY