Sample – Defining Your Security Risk Exposure
August 1, 2013
Regardless of how strong the security of the network infrastructure or software implementations is, risks are present wherever there is administrative access to computer systems and data.
A risk analysis outlines all the threats to the viability of the business. It examines the likelihood of each threat occurring and the impact of that occurrence. This allows us to make informed decisions when assigning resources to manage our risk.
We manage risk by controlling the vulnerabilities that expose us to it (if the threat is highly likely to eventuate), or planning how to recover from it (if the threat is unlikely, but must be guarded against). At its simplest, we might define nine broad levels of risk, each with an associated response, as follows:
Probability of threat occurring | Impact to business if threat occurs | Response to level of threat |
Low | Low | Ad Hoc Management of Occurrences |
Low | Medium | Draft Response Plan |
Low | High | Contingency Plan in Place |
Medium | Low | Draft Response Plan |
Medium | Medium | General Preventative Measures & Contingency Plan in Place |
Medium | High | Specific Preventative Measures & Contingency Plan in Place |
High | Low | Specific Preventative Measures |
High | Medium | Specific & Fall-Back Preventative Measures & Contingency Plan in Place |
High | High | Measures to Prevent Any Occurrences & Contingency Plan in Place |
Risk / Response Table
Obviously, the response will vary according to company and resources. Some companies may aim to prevent the occurrence of any threat, regardless of its impact; others may choose to accept even high-impact threats. Similarly, different areas of the same company may define higher impacts or risks for the same threat. Finally, you may want to extend the granularity of the risk model by defining additional levels of both risk and impact, which allows finer tuning of the assessment and responses.
The risk analysis requires consideration of the following:
- Business Systems
- Operating Environment
- Vulnerabilities
- Impact Assessment
www.bestitdocuments.com