Introduction
Risk assessment is the process of identifying possible hazards and analyzing what can happen if a hazard occurs (Federal Emergency Management Agency, n.d.). It consists of identifying the hazards, assessing the vulnerability of the assets, and then analyzing the impact. Failures of IT security can result in financial loss to an organization. The main objectives of IT security are authorized use, confidentiality, availability, and data integrity (Iowa State University, n.d.), and stating risks in terms of these objectives makes them easier to prioritize.
According to Boot (2015), Joe Dunford said that "Cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of the impact." The methods of cyber-attack are diverse, and their targets are expanding. Every organization should therefore conduct a risk assessment to identify the risks it faces and the programs required to mitigate them (Gusmao et al., 2016). Assessing an organization's security risk also underpins an effective enterprise security strategy. The various types of assessment reduce the impact of a security breach and, better still, help prevent the breach from happening. According to Cusay (2017), "Done well and used correctly, an IT security assessment can also be an invaluable tool for justifying future security spending."
The following are the steps needed to perform an information security risk assessment:
Identify assets
Most information technology risk models have between four and ten steps, but they all begin by identifying a system or asset. From that point it is possible to identify threats and their possible impacts and to establish a mitigation plan (Causey, 2013). Traditionally this takes place at two points: when the system is deployed in the firm, and at a predetermined interval set by internal policy. The problem with this approach is that the threat landscape keeps changing: new exploits and vulnerabilities are released daily. Reviewing a system only once every few years is therefore unlikely to keep its data and services protected.
Identify threats
The next step is to use the information gathered while building the asset profile to determine the risks that might exist in each system. Here it is essential to understand how the notions of "vulnerability" and "threat" relate (Causey, 2013). In IT, a threat is the possibility that an attacker takes advantage of a specific vulnerability; threat sources may be internal or external. According to Causey (2013), "Based on the data from the profiles you have built, you can identify certain specific threats to your organization's systems."
Identifying vulnerabilities
This is the third step of the risk assessment. Identifying vulnerabilities is the most challenging aspect of IT security within the assessment process, not because it is hard to implement but because it must be performed often (Causey, 2013). Most organizations rely on automated tools such as application scanners or network scanners to identify vulnerabilities.
Develop metrics
Although risk assessment in IT security can be complex and difficult to carry out, organizations should reach a position where they can use a simple formula to assess their risk: the value of the asset multiplied by the threat multiplied by the vulnerability, A * T * V = R (Causey, 2013).
Consider historical breach data
The past years have brought headlines about huge losses and massive data breaches. Even where the assessment process is sound, people in IT security spend much time and effort addressing risks that may never be realized (Causey, 2013). It is therefore essential to take lessons about cost and impact from past breaches at other firms and feed them into the risk formula.
Calculate cost
Once a specific risk has been defined, it can be combined with the other cost factors using an impact severity matrix. An easy example is SQL injection, which is usually levied against web interfaces with database backends; the formula can then be applied to the combined system of web application and database (Causey, 2013). Although this method makes a number of assumptions, it allows the cost of risk realization to be compared with the cost of risk mitigation.
Perform fluid risk to asset tracking
A security assessment must remain fluid and keep pace with a threat landscape that changes almost continuously. One way of doing this is a method of tracking threats referred to as risk-to-asset tracking (Causey, 2013), which resembles the traditional method of assigning threats to assets but is kept current rather than repeated only at fixed intervals.
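The steps above (the A * T * V = R metric, the comparison of realization cost against mitigation cost, and fluid risk-to-asset tracking) can be tied together in a small risk register. The following is an added worked example written for this page; it is not code from Causey (2013) or any of the cited sources. The assets, threats, vulnerabilities, dollar values, likelihoods and exploitability scores are constructed sample data, and the web application plus database backend mirrors the SQL injection case discussed under "Calculate cost".

```python
"""Added example: a minimal risk register implementing R = A * T * V per
(asset, threat, vulnerability) triple, a mitigation cost comparison, and
risk-to-asset tracking that stays current as scanner findings arrive.
All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    name: str
    value: float            # A: estimated loss if fully compromised (constructed USD)
    tags: Set[str]          # asset classes, e.g. {"web"}, {"database"}, {"endpoint"}


@dataclass
class Threat:
    name: str
    likelihood: float       # T: 0..1 chance per year, stand-in for historical breach data
    targets: Set[str]       # asset classes the threat is levied against


@dataclass
class Vulnerability:
    name: str
    exploitability: float   # V: 0..1, stand-in for a scanner severity rating
    affects: Set[str]       # asset classes that carry the weakness


class RiskRegister:
    """Risk-to-asset tracking: figures are recomputed on every read, so adding
    or removing a finding immediately changes the risk of the affected assets."""

    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.threats: List[Threat] = []
        self.vulns: Dict[str, Vulnerability] = {}

    def add_asset(self, a: Asset) -> None:
        self.assets[a.name] = a

    def add_threat(self, t: Threat) -> None:
        self.threats.append(t)

    def add_vulnerability(self, v: Vulnerability) -> None:
        self.vulns[v.name] = v          # new scanner output lands here

    def remove_vulnerability(self, name: str) -> None:
        self.vulns.pop(name, None)      # finding closed after a fix

    def exposures(self, asset_name: str) -> List[Tuple[str, str, float]]:
        """All (threat, vulnerability, A*T*V) triples that apply to one asset."""
        a = self.assets[asset_name]
        out = []
        for t in self.threats:
            if not (t.targets & a.tags):
                continue
            for v in self.vulns.values():
                # the threat must reach this asset class through this weakness
                if v.affects & a.tags & t.targets:
                    out.append((t.name, v.name, a.value * t.likelihood * v.exploitability))
        return out

    def risk(self, asset_name: str) -> float:
        """Annualized expected loss for an asset: the sum of its exposures."""
        return sum(r for _, _, r in self.exposures(asset_name))

    def risk_removed_by_fix(self, vuln_name: str) -> float:
        """Cost of risk realization that disappears if this vulnerability is closed."""
        return sum(r for a in self.assets for _, v, r in self.exposures(a) if v == vuln_name)

    def worth_mitigating(self, vuln_name: str, mitigation_cost: float) -> bool:
        """Compare cost of risk realization against cost of risk mitigation."""
        return self.risk_removed_by_fix(vuln_name) > mitigation_cost


def build_sample_register() -> RiskRegister:
    """Constructed data: a web app, its database backend, and one laptop."""
    reg = RiskRegister()
    reg.add_asset(Asset("customer-web", 500_000, {"web"}))
    reg.add_asset(Asset("customer-db", 2_000_000, {"database"}))
    reg.add_asset(Asset("hr-laptop", 50_000, {"endpoint"}))
    reg.add_threat(Threat("SQL injection via web interface", 0.4, {"web", "database"}))
    reg.add_threat(Threat("credential phishing", 0.6, {"endpoint"}))
    # application scanner finding: an unparameterized query reaches the database
    reg.add_vulnerability(Vulnerability("unparameterized-login-query", 0.8, {"web", "database"}))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for name in reg.assets:
        print(f"{name:14s} R = {reg.risk(name):>12,.0f}")
    print("fix worthwhile at $40,000:", reg.worth_mitigating("unparameterized-login-query", 40_000))
    # a new finding arrives; the laptop's risk updates without rebuilding the register
    reg.add_vulnerability(Vulnerability("no-mfa-on-vpn", 0.5, {"endpoint"}))
    print("hr-laptop after new finding:", reg.risk("hr-laptop"))
```

With these constructed figures the web application carries R = 500,000 * 0.4 * 0.8 = 160,000 and the database R = 640,000, so closing the one injection finding removes 800,000 of annualized expected loss and a 40,000 fix is clearly justified. The laptop sits at zero until the second finding is added, which is the point of keeping the mapping fluid: the assessment changes the moment the scanner output does, not at the next scheduled review.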
Conclusion
Cybersecurity is a serious issue in the United States. A recent Pew poll found that Americans are more afraid of cybersecurity issues than of the rise of China, climate change, or Iranian weapons (Singer, 2014), because the number of threats in cyberspace keeps growing. The conditions of a risk assessment change just as an agency's business environment does. It is therefore necessary to review the risk assessment frequently, at least annually, to reflect those changes and improve the assessment's validity (Virginia Information Technologies Agency, 2006).
References
Boot, Max (2015, Jul 12). What Is the Greatest Threat to U.S. National Security? Commentary. Retrieved from: https://www.commentarymagazine.com/american-society/military/greatest-threat-to-national-security
Causey, B. (2013, Jan). How to Conduct an Effective IT Security Risk Assessment. Retrieved from: https://security.vt.edu/content/dam/security_vt_edu/downloads/risk_assessment/strategy-how-to-conduct-an-effective-it-security-risk-assessment_2411470.pdf
Federal Emergency Management Agency (FEMA) (n.d.). Risk Assessment. Retrieved from: http://www.ready.gov/risk-assessment
Gusmao, A. P. H., e Silva, L. C., Silva, M. M., Poleto, T., & Costa, A. P. C. S. (2016). Information security risk analysis model using fuzzy decision theory. International Journal of Information Management, 36(1), 25-34.
Iowa State University (n.d.). IT Information Technology Risk Assessment. Retrieved from: https://www.it.iastate.edu/policies/risk
Singer, P.W. (2014, Jan 22). What Americans should fear in cyberspace. Los Angeles Times. Retrieved from: http://www.latimes.com/opinion/op-ed/la-oe-singer-cyber-security-20140122-story.html#ixzz2rB3lXtNM
Source: Conducting Risk Assessment to Achieve Information Security Goals Paper Example. (2022, Sep 11). Retrieved from https://proessays.net/essays/conducting-risk-assessment-to-achieve-information-security-goals-paper-example