
Sample – Defining Your Security Risk Exposure

August 1, 2013

Regardless of how strong the security of the network infrastructure or software implementations is, risks are present wherever there is administrative access to computer systems and data.

A risk analysis outlines all the threats to the viability of the business. It examines the likelihood of each threat occurring and the impact of that occurrence. This allows us to make informed decisions when assigning resources to manage our risk.

We manage risk by controlling the vulnerabilities that expose us to it (if the threat is highly likely to eventuate), or planning how to recover from it (if the threat is unlikely, but must be guarded against). At its simplest, we might define nine broad levels of risk, each with an associated response, as follows:

| Probability of threat occurring | Impact to business if threat occurs | Response to level of threat |
|---|---|---|
| Low | Low | Ad Hoc Management of Occurrences |
| Low | Medium | Draft Response Plan |
| Low | High | Contingency Plan in Place |
| Medium | Low | Draft Response Plan |
| Medium | Medium | General Preventative Measures & Contingency Plan in Place |
| Medium | High | Specific Preventative Measures & Contingency Plan in Place |
| High | Low | Specific Preventative Measures |
| High | Medium | Specific & Fall-Back Preventative Measures & Contingency Plan in Place |
| High | High | Measures to Prevent Any Occurrences & Contingency Plan in Place |

Risk / Response Table

Obviously, the response will vary according to the company and its resources. Some companies may aim to prevent the occurrence of any threat, regardless of its impact; others may choose to accept even high-impact threats. Similarly, different areas of the same company may define higher impacts or risks for the same threat. Finally, you may want to extend the granularity of the risk model by defining additional levels of both risk and impact, to allow finer tuning of the assessment and responses.

The risk analysis requires consideration of the following:

  • Business Systems
  • Operating Environment
  • Vulnerabilities
  • Impact Assessment

www.bestitdocuments.com