IT Risk Assessment?
With a cyberattack being attempted every 40 seconds and ransomware attacks increasing at a rate of 400% year over year, it is no wonder every business organization has to take security seriously.
IT security risk assessments identify the threats facing your information systems, networks and data, and assess the consequences you would face should those threats materialize. Risk assessments should be conducted on a regular basis (e.g. every six or twelve months) and whenever a major change occurs within your organization. Examples of such changes are:
1. An acquisition
2. A merger or demerger
3. Any form of structural re-organization
4. When a leader decides to implement new technology to handle a key business process
5. When employees suddenly move from working in an office to working remotely
Not only are IT risk assessments important for protecting your organization and right-sizing your security investment, but they may also be mandatory. Some information security frameworks, such as ISO 27001 and CMMC, require that risk assessments be performed using a defined, repeatable method and that the results be documented before your organization can be considered "compliant".
IT risk assessments are a crucial part of any successful security program. Repeating them lets you see how your organization's risks and vulnerabilities change over time, so decision-makers can put appropriate safeguards in place and adjust them as the risk picture changes.
Two categories of risk assessment can be performed, although the most effective approach is to combine aspects of both:
1. Quantitative risk assessments: express likelihood and impact as numbers (monetary values, event frequencies and percentages), which lets the organization estimate the financial impact of each identified risk category.
2. Qualitative risk assessments: rate likelihood and impact on descriptive scales (e.g. low/medium/high) and are better suited to capturing the human and productivity aspects of a risk type or category.
Both categories have value, and together they let your organization communicate risk to different audiences. For example, your legal and financial teams will likely be most interested in the numbers, while your operations teams, such as sales and customer service, will be more concerned about how a security event would affect their operations and efficiency.
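The two categories above can be carried in one risk register and reported two ways. The following Python script is an added illustration, not code from the original page: it scores a small, constructed register quantitatively (single and annualized loss expectancy from assumed asset values, exposure factors and yearly event rates) and qualitatively (an assumed 3x3 likelihood-by-impact matrix), then ranks the same risks both ways so the finance view and the operations view can be compared side by side. Every risk name, figure and rating in it is invented.

```python
"""Combined quantitative and qualitative scoring of a risk register.

Added illustration (not from the original page). Quantitative figures use
the standard loss-expectancy formulas:
    SLE = asset value x exposure factor
    ALE = SLE x annualized rate of occurrence (ARO)
Qualitative ratings use an assumed 3x3 likelihood-by-impact matrix.
Every asset value, rate and rating below is a constructed sample input.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale (assumed)


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # replacement/business value, currency units
    exposure_factor: float  # fraction of value lost per event, 0.0..1.0
    aro: float              # expected events per year
    likelihood: str         # qualitative: low / medium / high
    impact: str             # qualitative: low / medium / high

    def validate(self) -> None:
        """Reject inputs that would silently produce nonsense scores."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: value and ARO must be non-negative")
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown rating {level!r}")

    # quantitative view
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro

    # qualitative view
    def qualitative_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]   # 1..9

    def qualitative_rating(self) -> str:
        score = self.qualitative_score()
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


# Constructed sample register; all figures are illustrative only.
REGISTER = [
    Risk("Ransomware on file servers", 500_000, 0.6, 0.5, "high", "high"),
    Risk("Laptop theft (remote staff)", 20_000, 1.0, 2.0, "high", "low"),
    Risk("Data-centre power outage", 1_000_000, 0.05, 0.2, "low", "medium"),
    Risk("Insider misuse of CRM data", 300_000, 0.3, 0.1, "low", "high"),
]


def rank_by_ale(register):
    """Finance view: highest expected yearly loss first."""
    for r in register:
        r.validate()
    return sorted(register, key=lambda r: r.ale(), reverse=True)


def rank_by_qualitative(register):
    """Operations view: highest likelihood-x-impact score first (ties keep register order)."""
    for r in register:
        r.validate()
    return sorted(register, key=lambda r: r.qualitative_score(), reverse=True)


def control_budget_ceiling(risk: Risk) -> float:
    """Upper bound on what a control for this risk is worth per year:
    a safeguard costing more than the ALE it removes cannot be justified on cost alone."""
    return risk.ale()


def report(register) -> str:
    """Render both rankings so each audience sees the view it cares about."""
    lines = ["Quantitative ranking (for finance/legal):"]
    for r in rank_by_ale(register):
        lines.append(f"  {r.name:<30} SLE={r.sle():>10,.0f}  ALE={r.ale():>9,.0f}")
    lines.append("Qualitative ranking (for operations):")
    for r in rank_by_qualitative(register):
        lines.append(f"  {r.name:<30} {r.likelihood}/{r.impact} -> {r.qualitative_rating()}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
```

Note how "Insider misuse of CRM data" ranks last by ALE yet "medium" on the qualitative matrix, while the power outage sits above it by ALE but rates "low": low-frequency, high-impact events are exactly where the financial and operational views disagree, which is why the text recommends using both rather than either alone.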
QUESTION 1
The Detailed Security Risk Analysis approach is believed to provide the most accurate evaluation of an organization's information security risks (Stallings & Brown 2018: 490), even though it comes at the highest cost. As your organisation's Information Security Officer, you have been mandated to undertake a Detailed Information Security Risk Analysis of your organisation's institutional IT infrastructure. You are required only to consider the first step of this process [Context And System Characterization] at this stage. Considering that every organisation's risk situation is different, critically analyse the considerations you will make for your specific organisation in order to produce a document that will be used as a first step in this Risk Analysis process.
[It is important for students to seriously note that this question requires not a general textbook answer but an answer which shows the application of analytical skills as you examine your own unique organisation in order to come up with a Risk Analysis roadmap for your organisation to follow depending on the IT asset portfolio the organisation currently possesses and manages]
QUESTION 1.1
As an Information Security Officer in your organisation, propose in great detail and depth, with particular emphasis on your own organisation, the methodologies you will likely employ in order to identify the threats/risks/vulnerabilities to which your organisation's IT asset portfolio is currently exposed.
[This question too does not require a textbook answer but one that is derived from a complete understanding of your organisation's requirements and their uniqueness. Specific solutions to the organisation's problems are being sought here. General solutions will not attract much reward]