Risk assessment: "Assess the harm that is likely to result from a significant breach of information security and its potential consequences, and the realistic likelihood of a breach in light of prevailing threats, vulnerabilities and controls." (ISO 17799 standard)
Information security risk is the potential for a threat to exploit a vulnerability in an asset and cause harm. Risk is therefore a property of the combination of asset, threat and vulnerability, not of any one of them alone.
An asset is something of value to the organisation, tangible or intangible: people, machinery, information, a resource, a process (a way of doing something), a product, a system, or many other things. Each asset is given a value, and the risk to it grows with the threats it faces and the vulnerabilities it carries.
A threat is a natural or man-made circumstance, that is, any potential cause of an unwanted incident that causes harm or consequential loss to a system or an organisation. It is the cause of an incident.
A vulnerability is the absence or weakness of a safeguard or control protecting an asset or a group of assets, which a threat may exploit.
Risk assessment is the activity that brings these three together: it identifies the assets, the threats to them, and the vulnerabilities through which those threats could be realised.
Scope
The first thing that has to happen in a risk assessment, and this applies to any standard, is to define the scope. Scope is a prerequisite to starting a risk activity or project: setting boundaries is a mandatory part of the process. It has to be agreed beforehand. If it is not, the risk of redundancy and rework is high, and so is the risk that key threats and risks are missed because nobody agreed that the assets they affect were in scope.
After the scope is agreed, the organisation identifies the assets within it and gives each a value. The value can be whatever is meaningful for the process being undertaken (financial, operational, reputational); the whole point of giving values is that they can be scaled against each other. Thus an organisation can prioritise the assets, start from the top and work its way down.
Having valued the impact of a failure, the organisation assesses the likelihood of each threat. Likelihood depends on what sort of business the organisation is in and on its industry, and the judgement is largely subjective, but threats are assessed by how likely the incident is to occur. From impact and likelihood together the organisation can determine overall risk and rank it in order of priority: how likely is this to happen, and how much harm would it do? It then evaluates the existing controls against each risk and asks whether those controls are enough.
Residual risk
At the bottom there will always be residual risk: the risk that remains after the controls in place have been credited. Therefore it is imperative that information security officers objectively assess which risks are left over, present their findings, and have management sign off on accepting them.
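The procedure described above (agree the scope, value the assets, rate impact and likelihood, rank the risks, credit the controls, and carry the residual risk to management) as a worked example in Python. This is an added illustration, not text or code from the ISO 17799 standard: the 1-5 ordinal scales, the sample assets, threats and controls, the control "effectiveness" fractions and the risk-appetite threshold are all constructed for the example, and the multiplicative treatment of controls is a simplifying assumption. A real assessment would substitute the organisation's own agreed scales and figures.

```python
"""Worked risk-assessment example (added illustration, not from ISO 17799).

All scales, assets, threats, controls and thresholds below are constructed
for the example; an organisation uses its own agreed values instead.
"""
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales. The product of two ordinals is a ranking
# convention used for prioritisation, not a measurement of loss.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: fraction of the threat likelihood the control removes, 0..1

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"effectiveness of {self.name!r} must be in [0, 1]")


@dataclass
class Risk:
    asset: str
    threat: str          # the cause of a potential incident
    vulnerability: str   # the weakness the threat would exploit
    impact: str          # harm if the incident occurs, on the IMPACT scale
    likelihood: str      # chance of the incident, on the LIKELIHOOD scale
    controls: list[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any control is credited: impact x likelihood."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual(self) -> float:
        """Risk left after controls. Each control scales down the remaining
        likelihood; treating controls as independent is a simplifying assumption."""
        remaining = LIKELIHOOD[self.likelihood]
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(IMPACT[self.impact] * remaining, 2)


def assess(scope: set[str], risks: list[Risk], appetite: float) -> dict:
    """Apply the agreed scope, rank by inherent risk, then report residual risk
    against the appetite management has said it will accept."""
    out_of_scope = [r for r in risks if r.asset not in scope]
    in_scope = [r for r in risks if r.asset in scope]
    ranked = sorted(in_scope, key=lambda r: (r.inherent(), r.residual()), reverse=True)
    residual_register = sorted(in_scope, key=lambda r: r.residual(), reverse=True)
    return {
        "out_of_scope": out_of_scope,            # not assessed: the scope must be re-agreed first
        "ranked": ranked,                        # work top-down from here
        "residual_register": residual_register,  # every entry goes to management for sign-off
        "above_appetite": [r for r in residual_register if r.residual() > appetite],
    }


# Constructed sample register; one asset is deliberately outside the agreed scope.
SCOPE = {"customer database", "payment gateway"}
RISKS = [
    Risk("customer database", "external attacker", "SQL injection in web front end",
         "severe", "likely",
         [Control("parameterised queries", 0.9), Control("web application firewall", 0.5)]),
    Risk("customer database", "disgruntled administrator", "standing DBA privileges",
         "major", "possible", [Control("quarterly access review", 0.3)]),
    Risk("payment gateway", "volumetric DDoS", "single upstream link",
         "major", "possible"),
    Risk("HR laptop", "theft", "no disk encryption", "moderate", "likely"),  # outside SCOPE
]


if __name__ == "__main__":
    result = assess(SCOPE, RISKS, appetite=6.0)
    for r in result["out_of_scope"]:
        print(f"OUT OF SCOPE    {r.asset}: {r.threat} via {r.vulnerability}")
    for r in result["ranked"]:
        print(f"inherent {r.inherent():>3}  residual {r.residual():>5}  {r.asset}: {r.threat}")
    for r in result["above_appetite"]:
        print(f"ABOVE APPETITE  {r.asset}: {r.threat} (residual {r.residual()})")
```

Two things the register shows that the prose alone does not. First, the highest inherent risk (the injection path) drops to the bottom of the residual register once its controls are credited, while the uncontrolled DDoS exposure, which ranked lower on inherent risk, is what remains above appetite; the question "are these controls enough?" is answered per risk, not per asset. Second, the out-of-scope laptop is reported rather than silently assessed, because a risk found outside the agreed boundary is a scope problem to take back to the stakeholders, not a finding to bury in the register.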