Tuesday, September 2, 2014

Chapter 2: IS Governance and Risk Management - Risk Assessment and Analysis

A risk assessment is used to identify risks and their potential impact. Once it is complete, it helps an organization identify where security controls need to be put in place. It also helps prioritize the identified risks, showing the analysis team which risks should be dealt with first. The third major thing that risk analysis accomplishes is showing a company which resources, and how much of each, should be used to protect against each identified risk. Four main goals exist in information security risk analysis. First, you have to identify your assets and what value they bring to the company or organization. Next, you find out what your potential threats are. After that, you figure out the probability of each threat occurring. Finally, you calculate what it will cost to protect against each threat and determine whether that cost is worth the value of the asset being protected.
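The four goals above, worked through as an added example that is not from the original post or its textbook: each asset/threat pair gets a value, a yearly probability and a safeguard cost, and the script ranks the risks and flags which safeguards pay for themselves. The loss fraction per event and the fraction of loss a safeguard removes are assumed inputs the post does not mention, and all figures are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: float         # goal 1: what the asset is worth to the organization
    threat: str
    annual_probability: float  # goal 3: expected occurrences per year
    loss_fraction: float       # assumed: share of asset value lost per occurrence
    control_cost: float        # goal 4: yearly cost of the safeguard
    control_reduction: float   # assumed: fraction of expected loss the safeguard removes


def expected_annual_loss(s: Scenario) -> float:
    """Loss per event (value x loss fraction) times the yearly probability."""
    return s.asset_value * s.loss_fraction * s.annual_probability


def control_net_benefit(s: Scenario) -> float:
    """Positive when the safeguard saves more expected loss per year than it costs."""
    return expected_annual_loss(s) * s.control_reduction - s.control_cost


def prioritize(scenarios):
    """Highest expected annual loss first: the risks to deal with first."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


def worth_protecting(scenarios):
    """(asset, threat) pairs whose safeguard is worth the resources put in."""
    return [(s.asset, s.threat) for s in scenarios if control_net_benefit(s) > 0]


# Constructed sample register; the numbers are illustrative only.
SAMPLE = [
    Scenario("customer database", 500_000, "ransomware", 0.2, 0.6, 20_000, 0.9),
    Scenario("public web server", 80_000, "defacement", 1.0, 0.1, 15_000, 0.8),
    Scenario("office printer", 2_000, "theft", 0.05, 1.0, 500, 1.0),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE):
        print(f"{s.asset:18s} {s.threat:11s} expected loss/yr={expected_annual_loss(s):>9,.0f} "
              f"safeguard net={control_net_benefit(s):>+9,.0f}")
```

A negative net figure means the safeguard costs more per year than the loss it prevents, which is the "not worth the resources" outcome described in the fourth goal.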

One term that I found while reading the section that I thought was interesting was project sizing. I do not recall ever learning about this, so I thought it would be helpful to put it here: it simply means determining which assets and threats should be looked at prior to initiating risk analysis.
