What Is the Process for Risk Assessment

It is worth discussing in detail the process for conducting a risk assessment and making it meaningful for your organization.

At the beginning, we prepare for the assessment: we define its scope and our assumptions about it, and we identify the areas of our organization that need attention so that we can address risk in a reasonable manner.

Once we begin the assessment itself, we identify threat sources against the scope we have already defined. This is actually one of the more difficult phases of the assessment, because it can be hard to identify sources without thinking about individual threats. But that brainstorming session is useful and powerful. Identifying, say, hackers as a threat source leads us to talk about external actors in general. Identifying a place in your company where insider threat could be a factor leads us to talk about insider threat in general. If you want some help with that, look to NIST 800-30, table 2-D, which lists a large number of potential threat sources.

Next, we take those threat sources and identify the vulnerabilities around each one. What makes us vulnerable to an insider? What makes us vulnerable to an outsider? What makes us vulnerable to a hurricane? Once we have identified the places where we can have a failure, we have gone a long way toward figuring out which areas of our organization need this assessment.

Now we take a moment to agree on a common language for likelihood of occurrence. Is this likely to happen this year? This month? Next week? In ten years? Is this once in a career, or is it going to happen tomorrow if we don't do something about it? Once we know that, we can address the impact. If this thing does happen, how bad is it really? Does it end my organization, or is it just a bad afternoon spent contacting clients?
Putting those two things together, likelihood and impact, allows us to determine risk. It allows us to divorce our gut from the equation. It allows us to speak in a common language about the risks our organization faces and prioritize them in everything from budget to attention. 
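The steps above, threat source, vulnerability, likelihood, impact and their combination into a prioritized risk, as an added worked example that is not part of the original text. The likelihood thresholds, the combination matrix and the sample register are all assumptions constructed for this illustration; an organization would substitute its own scales and NIST 800-30's published tables.

```python
from dataclasses import dataclass

# Ordinal scale shared by likelihood, impact and risk (lowest to highest).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

def likelihood_level(events_per_year: float) -> str:
    """Map an expected frequency onto the common-language likelihood scale.
    Thresholds are assumed for this example; tune them for your organization."""
    if events_per_year >= 52:    # weekly or more often
        return "Very High"
    if events_per_year >= 12:    # roughly monthly
        return "High"
    if events_per_year >= 1:     # roughly yearly
        return "Moderate"
    if events_per_year >= 0.1:   # about once a decade
        return "Low"
    return "Very Low"            # once in a career, or rarer

# Assumed combination matrix: RISK_MATRIX[likelihood][impact], indexed by LEVELS.
# Shape: risk follows the higher rating but is pulled down by the lower one.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # Very Low likelihood
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # Very High
]

@dataclass
class RiskItem:
    threat_source: str       # e.g. external actor, insider, hurricane
    vulnerability: str       # what makes us exposed to that source
    events_per_year: float   # frequency estimate feeding the likelihood scale
    impact: str              # one of LEVELS

    @property
    def likelihood(self) -> str:
        return likelihood_level(self.events_per_year)

    @property
    def risk(self) -> str:
        return RISK_MATRIX[LEVELS.index(self.likelihood)][LEVELS.index(self.impact)]

def prioritize(items: list) -> list:
    """Order a register highest risk first; ties broken by impact (worst first)."""
    key = lambda i: (LEVELS.index(i.risk), LEVELS.index(i.impact))
    return sorted(items, key=key, reverse=True)

# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    RiskItem("External actor", "Internet-facing login without MFA", 12, "High"),
    RiskItem("Insider", "Shared admin account with no audit trail", 1, "Very High"),
    RiskItem("Hurricane", "Single site, no offsite backups", 0.05, "Very High"),
    RiskItem("External actor", "Phishing of help desk staff", 52, "Low"),
]
```

Running `prioritize(SAMPLE_REGISTER)` ranks the insider item above the more frequent but lower-impact phishing item, which is exactly the point of putting likelihood and impact on a common scale instead of ranking by gut feel.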
