Risk Assessment - What to Assess
Jun 28, 2022
Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such cases or events will occur.
In the NIST SP 800-30 Guide for Conducting Risk Assessments, you’ll find much more detailed qualitative, quantitative, and semi-quantitative guidance, including risk models, assessment approaches, and much more. However, let me make it simple and actionable so you can start today if you want.
Here are 3 steps you can take to perform a risk assessment:
- Identify and document the scope and assets to be assessed. I suggest starting with your critical assets.
- Identify and collect your assessment data:
  - Vulnerability scan (including applications)
  - Minimum security baseline scan
  - Access management at the OS and application levels
  - Standard exceptions against your scoped systems
  - Security information and event management (SIEM) logging and alerting
- Analyze and report
The most important part is the analysis, since quantitative data alone may not provide the correct information.
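As an added illustration of the analyze-and-report step (this is not code from the post), here is a small Python scoring model that folds the five data sources listed above, per scoped asset, into a NIST 800-30 style likelihood x impact score. The weights, asset names and finding values are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class AssetData:
    """One scoped asset with the five kinds of assessment data the post lists."""
    name: str
    criticality: int            # from scoping: business impact, 1 (low) .. 5 (critical)
    vuln_scores: list           # CVSS-style base scores from the vulnerability scan
    baseline_failures: int      # failed checks from the minimum security baseline scan
    privileged_accounts: int    # OS- and application-level admin accounts found
    standing_exceptions: int    # approved exceptions against this system
    siem_covered: bool          # logs reach the SIEM and alerts exist for it

def likelihood(a: AssetData) -> float:
    """0..1 estimate of how likely a compromise is; the weights are an assumption."""
    worst_vuln = max(a.vuln_scores, default=0.0) / 10.0
    hardening_gap = min(a.baseline_failures, 10) / 10.0
    exposure = min(a.privileged_accounts + a.standing_exceptions, 10) / 10.0
    score = 0.5 * worst_vuln + 0.3 * hardening_gap + 0.2 * exposure
    if not a.siem_covered:      # no detection: an intrusion is more likely to succeed unnoticed
        score += 0.1
    return min(score, 1.0)

def impact(a: AssetData) -> float:
    """0..1 impact derived from the criticality assigned during scoping."""
    return a.criticality / 5.0

def risk_score(a: AssetData) -> float:
    """NIST 800-30 style risk = likelihood x impact, scaled to 0..100."""
    return round(likelihood(a) * impact(a) * 100, 1)

def report(assets):
    """Analyze-and-report step: assets ranked by risk, highest first."""
    return [(a.name, risk_score(a)) for a in sorted(assets, key=risk_score, reverse=True)]

def rank_by_vuln_count(assets):
    """Naive ranking by raw finding count, for comparison with report()."""
    return [a.name for a in sorted(assets, key=lambda a: len(a.vuln_scores), reverse=True)]

# Constructed sample assets (hypothetical names and values, not from the post).
SAMPLE = [
    AssetData("erp-db-01", 5, [9.8], 6, 4, 2, False),
    AssetData("web-portal-02", 4, [7.5, 6.1], 3, 2, 1, True),
    AssetData("dev-ws-07", 1, [4.3, 5.0, 3.1, 4.0, 5.5], 2, 1, 0, True),
]

if __name__ == "__main__":
    for name, score in report(SAMPLE):
        print(f"{name:15} risk={score}")
    print("by raw vuln count:", rank_by_vuln_count(SAMPLE))
```

Ranking by raw finding count puts the low-value workstation first, while the weighted analysis puts the critical, unmonitored database first, which is exactly why the analysis matters more than the counts.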
Author: Dr. Bill Souza | Jun 28, 2022