Information on Asset Protection Infrastructure: Risk Assessment
Risk assessment is an important process in the practice of risk management; the term also refers to the product of that process. Risk assessments (RAs) are routinely produced in any number of environments. When the environment is an information environment, the assessment addresses all of the assets within it, including all system components, the data, personnel, facilities, procedures and documentation. Information system RAs are used as an important source of asset protection requirements, usually supplementing other sources, in protection policies and plans.
Classically, an RA can be based on quantitative or qualitative methods. The method employed can be the subject of intense and heated debate; both approaches have their advantages (enough said).
To briefly revisit the basics, risk is the potential for damage or loss. Risk arises when an active threat exploits an accessible vulnerability; the damage or loss is the consequence of threat activity. There are five, and only five, classes of threats: humans inside the security perimeter, humans outside it, human error, malicious code, and environmental threats (often referred to as Acts of God). Vulnerabilities are either algorithmic or probabilistic. Probabilistic vulnerabilities are either proven or, until they are proven, theoretical. Unproven vulnerabilities may be initially defined using the flaw hypothesis approach.
An RA typically has the following sections: a description of the subject with a list of protection measures in use, a threat assessment, a vulnerability assessment, a risk assessment combining the threats and vulnerabilities, a recommendations section addressing risk minimization, a section addressing the residual risk remaining after the recommendations are implemented and the annual loss expectancy, and a conclusion. NIST provides a standard addressing assessments (see SP 800-30).
Risk minimization can be based on several strategies: isolation of assets and vulnerabilities from threats, deterrence of threats, identification and elimination of algorithmic vulnerabilities, minimization of assets at risk, and attack detection and interruption (a strategy with limited success).
In the past, risk elimination was seen as a viable strategy; with the possible exception of the elimination of some algorithmic vulnerabilities, it is now viewed as a discredited idea. When you have to live with grave risks, minimizing those risks becomes a very attractive alternative. Information security provides the toolkit for risk minimization.
The recommendations of the assessment, when accepted, are input into the system's information security policy, and implementation is scheduled using the security plan. Acceptance of residual risk usually finalizes the assessment, although clarifications can draw that out.
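As an added worked example (not from the article), the quantitative side of the sections and recommendation flow described above: a constructed risk register covering the five threat classes, scored with the standard annual loss expectancy (ALE = single loss expectancy x annualized rate of occurrence), each recommended control weighed against its annual cost, and the residual ALE that remains once the accepted controls are applied. All assets, control names and figures are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    threat: str   # one of the five threat classes named in the article
    sle: float    # single loss expectancy: loss per incident
    aro: float    # annualized rate of occurrence: incidents per year

@dataclass(frozen=True)
class Control:
    risk_index: int    # register entry the recommendation addresses
    name: str
    aro_factor: float  # fraction of the ARO remaining once the control is in place
    sle_factor: float  # fraction of the SLE remaining once the control is in place
    annual_cost: float

def ale(r: Risk) -> float:
    return r.sle * r.aro  # annual loss expectancy: SLE x ARO

def evaluate(register, controls):
    """Return (ALE before, residual ALE after accepted controls, ranked controls).
    A control is accepted only if its ALE reduction exceeds its annual cost."""
    residual, ranked = list(register), []
    for c in controls:
        before = residual[c.risk_index]
        after = Risk(before.threat, before.sle * c.sle_factor, before.aro * c.aro_factor)
        saving = ale(before) - ale(after)
        net = saving - c.annual_cost
        ranked.append((c.name, round(saving, 2), round(net, 2), net > 0))
        if net > 0:  # rejected controls leave their risk in the residual total
            residual[c.risk_index] = after
    ranked.sort(key=lambda row: row[2], reverse=True)
    return sum(map(ale, register)), sum(map(ale, residual)), ranked

# Constructed sample register and recommendations; every figure is hypothetical.
REGISTER = [
    Risk("outsider (network attack on customer database)", sle=250_000, aro=0.2),
    Risk("insider (misuse of customer database)", sle=400_000, aro=0.05),
    Risk("human error (file server misconfiguration)", sle=20_000, aro=2.0),
    Risk("malicious code (workstation infection)", sle=15_000, aro=4.0),
    Risk("environmental (data centre flood or fire)", sle=1_000_000, aro=0.01),
]
CONTROLS = [
    Control(0, "perimeter hardening", 0.5, 1.0, 15_000),
    Control(2, "change review", 0.25, 1.0, 5_000),
    Control(3, "endpoint protection", 0.5, 0.5, 50_000),
    Control(4, "offsite backups", 1.0, 0.3, 8_000),
]
```

With this register the ALE falls from 180,000 to a residual 125,000; the two rejected controls (endpoint protection, offsite backups) reduce ALE by less than they cost, so their risk is carried as accepted residual risk.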
Assessments should be performed every two or three years and whenever there is a significant change in the environment. As the library of assessments accumulates, a clear picture of risk builds and risk tolerance becomes evident.
Article Source: http://EzineArticles.com/expert/Chris_A_Inskeep/923806
Article Source: http://EzineArticles.com/5957321
By Chris A Inskeep.