Risk Assessment - What to Assess

Tags: risk, risk management | Jun 28, 2022

Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization, and the likelihood that such circumstances or events will occur.

In NIST SP 800-30, Guide for Conducting Risk Assessments, you’ll find much more detail on qualitative, quantitative, and semi-quantitative approaches, including risk models and assessment methods. However, let me make it simple and actionable so you can start today if you want.

Here are three steps you can take to perform a risk assessment:

  1. Identify and document the scope and assets to be assessed. I suggest starting with your critical assets.
  2. Identify and collect your assessment data.
    1. Vulnerability scan (including applications)
    2. Minimum security baseline scan
    3. Access management at the OS and application levels
    4. Standard exceptions against your scoped systems
    5. Security information and event management (SIEM) logging and alerting
  3. Analyze and report
    The most important part is the analysis, since quantitative data alone may not provide the correct information.
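To show the three steps working together, here is an added Python example (not from the original post, and not NIST's own tooling). It takes constructed assessment data of the kinds listed in step 2 (vulnerability scan, baseline scan, access review, approved exceptions, SIEM coverage) for a set of assets, honours the scope from step 1, and performs the step 3 analysis semi-quantitatively: the worst finding sets likelihood, an analyst's judgement about compensating controls adjusts it, and likelihood is combined with asset criticality through a five-by-five matrix modelled on the level-of-risk table in NIST SP 800-30. The asset names, findings, scale values and the matrix layout are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Ordinal scale shared by likelihood, impact and risk (NIST SP 800-30 style)
LEVELS = {"very_low": 0, "low": 1, "moderate": 2, "high": 3, "very_high": 4}
LEVEL_NAMES = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk = f(likelihood, impact). Rows: likelihood, columns: impact.
# Layout modelled on the SP 800-30 level-of-risk table; treat it as an assumption.
RISK_MATRIX = [
    [0, 0, 0, 1, 1],  # very low likelihood
    [0, 1, 1, 1, 2],  # low
    [0, 1, 2, 2, 3],  # moderate
    [0, 1, 2, 3, 4],  # high
    [0, 1, 2, 3, 4],  # very high
]


@dataclass
class Finding:
    source: str                          # which step-2 data set it came from
    description: str
    severity: str                        # key of LEVELS
    compensating_control: bool = False   # analyst judgement (qualitative input)


@dataclass
class Asset:
    name: str
    criticality: str                     # impact if compromised; key of LEVELS
    in_scope: bool = True
    findings: list = field(default_factory=list)


def likelihood(findings):
    """Rate likelihood from the collected findings.

    The most severe finding sets the rating; if every finding at that level
    has a documented compensating control, drop one level. This is the
    step-3 analysis: raw scan severity is adjusted by context. (Constructed rule.)
    """
    if not findings:
        return LEVELS["very_low"]
    worst = max(LEVELS[f.severity] for f in findings)
    top = [f for f in findings if LEVELS[f.severity] == worst]
    if all(f.compensating_control for f in top):
        worst = max(worst - 1, 0)
    return worst


def assess(assets):
    """Step 3: combine likelihood with asset criticality and prioritise."""
    rows = []
    for asset in assets:
        if not asset.in_scope:           # step 1: honour the documented scope
            continue
        lik = likelihood(asset.findings)
        imp = LEVELS[asset.criticality]
        risk = RISK_MATRIX[lik][imp]
        rows.append({
            "asset": asset.name,
            "likelihood": LEVEL_NAMES[lik],
            "impact": LEVEL_NAMES[imp],
            "risk": LEVEL_NAMES[risk],
            "_rank": (risk, lik),
        })
    rows.sort(key=lambda r: r["_rank"], reverse=True)
    return rows


def report(rows):
    """Render the prioritised list as plain text for the step-3 report."""
    lines = [f"{'Asset':<16}{'Likelihood':<12}{'Impact':<12}Risk"]
    for r in rows:
        lines.append(f"{r['asset']:<16}{r['likelihood']:<12}{r['impact']:<12}{r['risk']}")
    return "\n".join(lines)


# Constructed sample data: asset names, findings and ratings are made up
SAMPLE_ASSETS = [
    Asset("erp-db-01", "very_high", findings=[
        Finding("vulnerability_scan", "unpatched critical flaw in database listener",
                "very_high", compensating_control=True),  # reachable only from app subnet
        Finding("baseline_scan", "password policy below minimum baseline", "moderate"),
        Finding("access_review", "shared DBA accounts without individual accountability", "high"),
    ]),
    Asset("intranet-wiki", "low", findings=[
        Finding("vulnerability_scan", "reflected cross-site scripting in search", "high"),
        Finding("baseline_scan", "TLS 1.0 still enabled", "moderate"),
    ]),
    Asset("hr-portal", "high", findings=[
        Finding("exception", "approved exception: legacy authentication module", "moderate"),
        Finding("siem", "authentication logs not forwarded to SIEM", "moderate"),
    ]),
    Asset("test-vm-07", "very_high", in_scope=False, findings=[
        Finding("vulnerability_scan", "end-of-life operating system", "very_high"),
    ]),
]

if __name__ == "__main__":
    print(report(assess(SAMPLE_ASSETS)))
```

Running it ranks the ERP database first even though its worst finding has a compensating control, and ranks the wiki last despite its high-severity finding, because a low-criticality asset cannot produce more than a low risk level. The out-of-scope test VM never appears in the report. That is the point of step 3: the scan numbers alone would have put the wiki's cross-site scripting near the top.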



Author: Dr. Bill Souza | Jun 28, 2022 

