Security Risk Assessment is the continuous process of discovering, correcting, and preventing potential security exposures. The risk assessment phase is an integral part of a risk management process designed to provide appropriate levels of security for information systems.
Through a risk assessment, one seeks to understand the current system and environment and identify risks through analysis of the information/data collected. By default, all relevant information should be considered regardless of storage format.
Different types of information that are often collected include:
- Security requirements and objectives
- System/network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected
- Information available to the public or accessible from the organization’s website
- Physical assets, such as data center, network, and communication components and peripherals (e.g., desktops, laptops, PDAs)
- PC and server operating systems
- Data repositories, such as database management systems and files
- Network details, such as supported protocols and network services offered
- Security systems in use, such as access control mechanisms, change control, antivirus, spam control, and network monitoring
- Security components deployed, such as firewalls and intrusion detection systems
- Government laws and regulations pertaining to minimum security control requirements
- Documented or informal policies, procedures, and guidelines