IT risk security assessment methodology
The heart of any IT security risk assessment framework is the objective of that assessment: a repeatable methodology that gathers the inputs of the security risks of that specific business, the threats involved, the controls and the vulnerabilities. The assessment then produces a magnitude that can be discussed, reasoned about, and treated. The various assessment frameworks follow similar structures even though they differ in the details and descriptions of their steps. All IT security risk assessments follow a general pattern: identification of both the stakeholders and the assets, understanding of the security requirements and needs, enumeration of the threats, identification and assessment of the effectiveness of the controls, and calculation of the security risks based on the inherent risk of a compromise and the probability that the identified threats will be realized (Biringer, Matalucci and O'Connor, 2016).
As part of our methodology, every part of the agency's technology infrastructure will be assessed for its risk profile. From that assessment, a determination will be made on how to efficiently and effectively allocate the money and time of the Bureau of Intelligence and Research, which will help in achieving the best and most appropriate general security policies. The process of doing the risk assessment can sometimes be very difficult and complicated; therefore we will consider both secondary and other side effects when deciding how to address security for the different IT resources (Biringer et al., 2016).
Depending on the size and complexity of the IT business environment, sometimes it is clear that what is required is not an itemized or thorough assessment of risks and values, but just a general arrangement. Determining the allocation of security resources will help us integrate the risk appetites of the key managers within the Bureau of Intelligence and Research, since those appetites help in understanding the agency's security risks and are very important in the decision-making process too.
Every business or organization is different; therefore, the decision on the kind of risk assessment applied to the agency will depend entirely on the agency (Malaysia, 2015). Since the agency's security requirements call for general prioritization, a simple security risk assessment approach will be taken. The simplified risk assessment approach will be very significant in generating an overview to guide the decision-making process, which further helps in ensuring that the assessment is more in-depth (Watkins, 2014).
As an employee of the Government Security Consultant, my risk assessment for the Bureau of Intelligence and Research will analyze the correlation among the threats, assets, and vulnerabilities within the agency. The following is the basic methodology used for the Bureau of Intelligence and Research:
Identification of the stakeholders and the assets – The team will define the scope of the assets, the agency owner of each asset, everyone responsible for the technological aspects of the agency and finally the security controls on the assets.
Analyzing the impact – The risk assessment will then determine the magnitude and dimensions of the impact on the government, on the assumption that the assets are all compromised. Integrity, confidentiality, and availability are some of the dimensions of the compromise.
Identification of the threats – The team will then identify the various ways the agency's assets can actually be compromised and how those compromises can impact the government. Such threats arise from the exploitation of the agency's vulnerabilities and weaknesses.
Investigation of the vulnerabilities – The list of threats is then used to analyze the flaws in the agency's processes and technical components.
Analysis of the controls – The team will then look at the process controls and the technical controls that surround the assets in order to assess their effectiveness.
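The five steps above, worked through as a small risk register in Python. This is an added example and not part of the original text or of any framework the essay cites: the assets, threats, controls, the 1-to-5 scales for impact and likelihood, the 0.0-to-1.0 control effectiveness values and the scoring formulas (inherent risk = impact × likelihood; residual risk = inherent risk × the exposure the controls leave) are all constructed assumptions chosen to illustrate how the steps feed one another.

```python
"""Simplified IT security risk register following the five steps above.

Constructed sample data; the scales and formulas are assumptions for this
example, not values prescribed by the page or by any named framework.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Asset:
    # Step 1: the asset, its agency owner and the person responsible for its technology.
    name: str
    owner: str
    custodian: str
    # Step 2: impact of a compromise on each dimension, 1 (low) to 5 (severe).
    confidentiality: int
    integrity: int
    availability: int

    def impact(self) -> int:
        # The worst-affected dimension drives the impact score.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:
    # Step 3: a way the asset can be compromised, with an assumed likelihood 1-5.
    asset: str
    description: str
    # Step 4: the process or technical flaw the threat exploits.
    vulnerability: str
    likelihood: int
    # Step 5: controls surrounding the asset, each with an assumed effectiveness
    # between 0.0 (no mitigation) and 1.0 (fully mitigating).
    controls: Dict[str, float] = field(default_factory=dict)

    def control_effectiveness(self) -> float:
        # Controls are treated as independent: the exposure that remains is the
        # product of what each control lets through.
        remaining = 1.0
        for effectiveness in self.controls.values():
            remaining *= 1.0 - effectiveness
        return 1.0 - remaining


def rating(residual: float) -> str:
    # Assumed thresholds on the 1..25 scale used to bucket residual risk.
    if residual >= 15:
        return "High"
    if residual >= 8:
        return "Medium"
    return "Low"


def score(asset: Asset, threat: Threat) -> dict:
    inherent = asset.impact() * threat.likelihood  # 1..25
    residual = round(inherent * (1.0 - threat.control_effectiveness()), 2)
    return {
        "asset": asset.name,
        "owner": asset.owner,
        "threat": threat.description,
        "vulnerability": threat.vulnerability,
        "inherent": inherent,
        "residual": residual,
        "rating": rating(residual),
    }


def build_register(assets: List[Asset], threats: List[Threat]) -> List[dict]:
    """Score every threat against its asset and rank by residual risk, highest first."""
    by_name = {a.name: a for a in assets}
    rows = [score(by_name[t.asset], t) for t in threats]
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample data for a fictional agency.
SAMPLE_ASSETS = [
    Asset("case-file repository", "Director of Analysis", "IT Operations", 5, 4, 3),
    Asset("public website", "Communications Office", "Web Team", 1, 3, 3),
]

SAMPLE_THREATS = [
    Threat("case-file repository", "credential theft giving unauthorized read access",
           "single-factor remote login", likelihood=4,
           controls={"access logging": 0.2, "network segmentation": 0.5}),
    Threat("case-file repository", "loss of availability from storage failure",
           "no tested backup", likelihood=2, controls={}),
    Threat("public website", "defacement through an unpatched CMS",
           "delayed patching", likelihood=3, controls={"web application firewall": 0.5}),
]


def example_register() -> List[dict]:
    return build_register(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for row in example_register():
        print(f'{row["rating"]:6} {row["residual"]:5} {row["asset"]}: {row["threat"]}')
```

Running it ranks the uncontrolled storage-failure scenario (residual 10.0) above the credential-theft scenario (inherent 20, residual 8.0 after two controls), which is the point of step 5: control effectiveness, not threat likelihood alone, decides where the agency's time and money should go first.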
Biringer, B. E., Matalucci, R. V., & O'Connor, S. L. (2016). Security risk assessment and management: A professional practice guide for protecting buildings and infrastructures. Hoboken, NJ: Wiley.
Malaysia. (2015). The Malaysian public sector information security risk assessment methodology (MyRAM) handbook. Putrajaya: Malaysian Administrative Modernisation and Management Planning Unit (MAMPU).
Roper, C. A. (2013). Risk management for security professionals. Boston: Butterworth-Heinemann.
Smith, J. A., & Logistics Management Institute, Bethesda, MD. (2013). Risk assessment methodology for EDI unclassified/sensitive information systems. Ft. Belvoir: Defense Technical Information Center.
Watkins, S. G. (2014). Information security risk management for ISO27001. Ely: IT Governance Ltd.