An Information Security Risk Assessment will help you to determine the Security Issues you have and allow you to rate them in order of importance. The following is a simple methodology that can be used to do this, followed by an example.

Asset Identification
You firstly need to determine the Assets that may be vulnerable to an Information Security Attack. Examples of such Assets include employee personal data, customer data, laptops, databases and web sites.

Threat Determination
You then take each of your identified Assets and list all of the possible Security Threats to these. Examples of Threats include:
• Items being stolen.
• Unauthorised access to data.
• Unauthorised changes made to data.
• Inability to access critical data.

Impact and Likelihood Determination
You then give a rating to the Impact of a Threat occurring and a rating to the Likelihood of it happening. The rating can be between 1 and 10, where 1 is Low and 10 is High. For each of the Threats you multiply the Impact and Likelihood ratings to get an overall rating.

Priority Determination
You can then list the Threats in order of overall rating, from 100 down to 1. The Threats with the highest scores are the ones that require priority action. You can use this list to help you determine which Threats to address first. Your determination may also depend upon the timescales and funding available.

Countermeasure Determination
Once you have prioritised the Threats you can then start to determine appropriate actions to deal with them. You can choose to accept the risk of the threat occurring, you can insure against it, you can avoid it or you can determine a countermeasure to the threat.

Result of Countermeasure Demonstration
You can then recalculate what the Impact and Likelihood rating will be after the countermeasure has been put in place. This will show you, and maybe those who hold the purse strings, what result the countermeasure will have.

Risk Assessment Example
This is a simple example of a risk assessment for employee data on a system that is currently accessible to all.
Asset Determination: Employee Data.
Threat to Employee Data: Unauthorised Disclosure of the Data.
Impact and Likelihood of Data being Disclosed: High Likelihood rating of 8 (as the system is accessible to all) and High Impact rating of 9 (possible legal implications).
Priority Determination: 8x9 = 72. This is likely to be high on the list of priorities.
Countermeasure to Unauthorised Access to Employee Data: Restrict access to the data to only those who have a business need. This will be carried out using logical and physical access controls to the computer and the data.
Result of Countermeasure (Data Access Controls): Impact stays the same at 9 as disclosure of employee data is still a significant occurrence. However, the likelihood is reduced to 3 as it becomes much harder to carry this out. The rating is therefore significantly reduced from 72 to 27 [9x3].
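The six steps above (asset, threat, impact x likelihood, priority order, treatment choice, recalculation) map directly onto a small risk register. The following is an added example written for this page, not code from the original article: it implements the scoring and ordering exactly as described (ratings 1 to 10, overall rating = Impact x Likelihood, sorted from 100 down to 1), records which of the four treatments was chosen, and keeps the "before" entry alongside the "after" entry so the effect of a countermeasure can be shown to whoever holds the purse strings. The register contents are constructed: the Employee Data entry uses the article's own figures (9 x 8 = 72, reduced to 9 x 3 = 27), while the Laptops and web site entries and their ratings are made up so that prioritisation has something to order.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    """The four ways the article lists for dealing with a prioritised threat."""
    ACCEPT = "accept the risk"
    INSURE = "insure against it"
    AVOID = "avoid it"
    MITIGATE = "apply a countermeasure"


def check_rating(value: int, name: str) -> int:
    """Ratings are whole numbers from 1 (Low) to 10 (High); anything else is an input error."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer between 1 and 10, got {value!r}")
    return value


@dataclass(frozen=True)
class Risk:
    """One row of the risk register: an Asset, a Threat to it, and the two ratings."""
    asset: str
    threat: str
    impact: int
    likelihood: int
    treatment: Optional[Treatment] = None
    countermeasure: str = ""

    def __post_init__(self) -> None:
        # Validate on construction, so a register can never hold an out-of-range rating.
        check_rating(self.impact, "impact")
        check_rating(self.likelihood, "likelihood")

    @property
    def score(self) -> int:
        """Overall rating: Impact x Likelihood, so always between 1 and 100."""
        return self.impact * self.likelihood


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order the register from the highest overall rating (100) down to the lowest (1)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def apply_countermeasure(risk: Risk, description: str,
                         new_impact: int, new_likelihood: int) -> Risk:
    """Record a countermeasure with the re-estimated ratings. Returns a new Risk and
    leaves the original untouched, so 'before' and 'after' can be compared."""
    return replace(risk, treatment=Treatment.MITIGATE, countermeasure=description,
                   impact=new_impact, likelihood=new_likelihood)


def residual_reduction(before: Risk, after: Risk) -> int:
    """How many points the countermeasure removed from the overall rating."""
    return before.score - after.score


# Constructed sample register (hypothetical figures except for the Employee Data row,
# which uses the article's own example ratings).
SAMPLE_REGISTER = [
    Risk("Customer web site", "Inability to access critical data", impact=4, likelihood=4),
    Risk("Employee Data", "Unauthorised Disclosure of the Data", impact=9, likelihood=8),
    Risk("Laptops", "Items being stolen", impact=6, likelihood=5),
]


def worked_example():
    """Run the article's example through the register: prioritise, treat the top item,
    and report before/after scores plus the priority order of assets."""
    ordered = prioritise(SAMPLE_REGISTER)
    top = ordered[0]
    treated = apply_countermeasure(
        top,
        "Restrict access to those with a business need (logical and physical access controls)",
        new_impact=9, new_likelihood=3)
    return top.score, treated.score, residual_reduction(top, treated), [r.asset for r in ordered]


if __name__ == "__main__":
    before, after, saved, order = worked_example()
    print("Priority order:", order)
    print(f"Employee Data: {before} before countermeasure, {after} after (reduction {saved})")
```

Keeping `Risk` immutable and returning a new row from `apply_countermeasure` is the point of the design: the register then holds both the 72 and the 27 for the same asset, which is the "Result of Countermeasure Demonstration" step in a form that can be printed or tabulated for budget holders rather than recalculated by hand.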