Security Risk Assessment

Security risk assessment is a continuous process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems.

The objective of a risk assessment is to understand the current system and environment, and identify risks through analysis of the information/data collected. By default, all relevant information should be considered irrespective of storage format.

Types of information commonly collected include:

  • Security requirements and objectives
  • System/network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected
  • Information available to the public or accessible from the organization’s website
  • Physical assets, such as data center, network, and communication components and peripherals (e.g., desktops, laptops, PDAs)
  • PC and server operating systems
  • Data repositories, such as database management systems and files
  • Network details, such as supported protocols and network services offered
  • Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
  • Security components deployed, such as firewalls and intrusion detection systems
  • Government laws and regulations pertaining to minimum security control requirements
  • Documented or informal policies, procedures and guidelines