This article introduces you to four commonly used risk assessment methodologies in information risk management. It describes the features of these methodologies and the techniques for implementing them. It also highlights the benefits of each methodology and specifies the type of organization each methodology is geared toward. You can model the risk assessment plan for your company on the methodology that best matches your requirements. Alternatively, you can customize or combine the techniques these methodologies prescribe to develop a practicable risk assessment plan.
Introduction
Risk assessment is an important phase in the risk management process. This phase includes three key activities: risk identification, risk analysis, and risk evaluation. There are various risk assessment methodologies that an organization can use to assess risks to its operations and assets. Using risk assessment methodologies, you can identify a risk and determine its severity, probability, and impact. Accordingly, you can decide whether to ignore a risk or spend additional effort to mitigate it. Using these methodologies, you can also determine ways to reduce the impact of unavoidable risks to tolerable limits.
RFA
RFA is a risk assessment methodology that was developed at Los Alamos National Laboratory, also known as LANL, in the United States. This methodology helps you identify the fundamental reasons that eventually hamper a project. These reasons are mostly related to time, budget, scope, and resource constraints. The prime consideration in the RFA process is the possible impact that risks will have on operations and assets, not the probability of their occurrence. Using RFA provides several benefits. It allows you to
- assess risk in a broad range of projects
- measure the risk and assign values based on its severity
- prioritize the risks based on risk-factor ranking
- find the appropriate risk-mitigation method for reducing the risks due to a particular risk factor
- document results for risk-reduction methods that are specific to a particular risk factor, and
- gather input data for quantitative risk assessment
Techniques
xlibrary.skillport.com/courseware/Content/sp_cisn_a04_it_enusb.htm?AICC_URL=http%3A%2F%2Fpvsp72gbe.skillport.com%2Fskillportbe%2Fspacm%2 1/3
2013-11-16
The RFA technique involves these steps:
1. identifying all project-related tasks and components
2. identifying relevant technical risks associated with the project
3. developing a ranking scale for each risk factor
4. ranking every risk in each project activity to understand the impact of the risk
5. adding up the results of risk ranking across activities in each project
6. recording these results and identifying possible steps to reduce the risk, and
7. presenting the identified risk-reducing steps to the project team for assessment
You need to consider four types of risk when identifying the risk factors:
Lack of funds
Availability of sufficient funds at the right time is necessary to complete a project. Delays in receiving funds can adversely affect the schedule of project activities and may eventually result in time and resource constraints. Consider that you're implementing an incident management application to manage IT security incidents in your company. You may need to conduct employee awareness training on using the application. In this situation, there is a risk of senior management not approving sufficient funds for the training if you're unable to justify its benefits.
Escalation of cost
This risk covers cost overruns in designing and operating the project. Cost overruns occur when project planning is inaccurate or when implementation is not done properly. While calculating the project cost, you need to consider various possibilities, such as inadequate resources, technical failure, unexpected delays, and natural threats. For example, the unplanned failure of many computers in your organization can interrupt the business, so you may need to incur additional costs to restore normal operation.
Delays in the project schedule
This risk is associated with the planning of project activities. The acceptable level of delay in the activities must be considered when determining the project schedule. A schedule risk may arise because of delays in the approval of activities, lack of resources, or technical failures.
Faults in technology
Technical risks may occur because of faulty design, obsolete technology, or changing regulatory requirements. These issues can affect the performance of resources during operation. For example, inappropriate software and network connections can pose a technical risk to the project.
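The seven RFA steps above, from the ranking scale through summing across activities to a prioritized list for the project team, as an added example that is not part of the original article. The 0-4 scale, the activity names and the ranks are constructed for illustration; the four risk factors are the ones the article lists.

```python
"""RFA-style risk-factor ranking across project activities (added example)."""
from collections import defaultdict

# Step 3: one ranking scale per risk factor (assumption: a single 0-4 severity scale)
SCALE = {0: "none", 1: "low", 2: "moderate", 3: "high", 4: "severe"}
RISK_FACTORS = ("lack of funds", "escalation of cost", "schedule delays", "faults in technology")

def validate(rank_table):
    """Check a step-4 table {activity: {risk_factor: rank}} for unknown factors or off-scale ranks."""
    for activity, ranks in rank_table.items():
        for factor, rank in ranks.items():
            if factor not in RISK_FACTORS:
                raise ValueError(f"{activity}: unknown risk factor {factor!r}")
            if rank not in SCALE:
                raise ValueError(f"{activity}: rank {rank} for {factor!r} is off the 0-4 scale")

def factor_totals(rank_table):
    """Step 5: add up the ranks for each risk factor across all activities."""
    validate(rank_table)
    totals = defaultdict(int)
    for ranks in rank_table.values():
        for factor, rank in ranks.items():
            totals[factor] += rank
    return dict(totals)

def prioritize(rank_table):
    """Step 6: order risk factors by total rank, highest first, to drive the mitigation plan."""
    return sorted(factor_totals(rank_table).items(), key=lambda kv: (-kv[1], kv[0]))

def riskiest_activity(rank_table):
    """Which project activity carries the most accumulated risk (ties resolved by table order)."""
    return max(rank_table, key=lambda activity: sum(rank_table[activity].values()))

# Constructed sample: the incident management application rollout described in the article
SAMPLE = {
    "procure hardware":   {"lack of funds": 3, "escalation of cost": 2, "schedule delays": 1, "faults in technology": 1},
    "deploy application": {"lack of funds": 1, "escalation of cost": 2, "schedule delays": 3, "faults in technology": 3},
    "employee training":  {"lack of funds": 4, "escalation of cost": 1, "schedule delays": 2, "faults in technology": 0},
}

if __name__ == "__main__":
    # Step 7: the summary handed to the project team for assessment
    for factor, total in prioritize(SAMPLE):
        print(f"{factor:22} total rank {total} ({SCALE[min(total // len(SAMPLE), 4)]} on average)")
    print("riskiest activity:", riskiest_activity(SAMPLE))
```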
After identifying the system characteristics, you determine the possible threats and vulnerabilities and analyze their impact on the system. Next, you evaluate the control measures. The controls are evaluated to test how well they protect the information assets against the risks that arise when organizational vulnerabilities combine with threats; this reveals the gaps between the existing and desired levels of security for the information assets. For example, IT hardware and software should have technical controls, including password security, data encryption, and intrusion detection software. After evaluating the controls, you determine the likelihood that a threat will be realized as a risk and its impact on the organization's operations. Then you establish the risk level and define the control measures to be used to handle those risks. Finally, these findings, that is, the risks and the defined controls, are documented for future use.
FAIR
FAIR is a risk assessment methodology that enables you to understand a risk by breaking it down into several components and analyzing each component in detail. This method involves detailed analysis of the risk and its control measures. The key use of FAIR is to create a framework for identifying and assessing methods to secure information assets that are exposed to a risk. It helps you customize your procedures according to the severity of the risks faced. It also helps senior management make decisions based on the financial implications of the risks and define the control measures to be used.
Techniques
FAIR provides a mathematical model that helps quantify the impact that a combination of factors will have on the organization. It also provides a simulation model to extrapolate the impact of these risk components to bigger and more complicated risk situations.
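An added example of the mathematical and simulation models described above; it is not code from the article or from the FAIR standard's own tooling. It assumes FAIR's published decomposition, which the article does not spell out: Risk = Loss Event Frequency x Loss Magnitude, with Loss Event Frequency = Threat Event Frequency x Vulnerability; the min/most-likely/max ranges, the triangular sampling and the phishing scenario figures are constructed for illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (added example)."""
import random
import statistics
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated range for one factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular returns low when low == high, so a point estimate stays exact
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    """One loss scenario decomposed into FAIR's factors (assumed here; the article does not list them)."""
    tef: Estimate             # threat event frequency: threat events per year
    vulnerability: Estimate   # probability that a threat event becomes a loss event, 0..1
    loss_magnitude: Estimate  # loss per loss event, in currency units

def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 0) -> dict:
    """Sample each factor once per simulated year and combine them:
    loss event frequency = TEF x vulnerability; annual loss = LEF x loss magnitude."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        losses.append(lef * scenario.loss_magnitude.sample(rng))
    losses.sort()
    return {
        "mean": statistics.fmean(losses),        # expected annual loss
        "p50": losses[len(losses) // 2],         # typical year
        "p90": losses[int(len(losses) * 0.9)],   # 1-in-10 bad year, useful for budgeting controls
        "max": losses[-1],
    }

# Constructed scenario: credential phishing against a finance team (figures are illustrative)
PHISHING = Scenario(
    tef=Estimate(2, 10, 30),
    vulnerability=Estimate(0.1, 0.3, 0.6),
    loss_magnitude=Estimate(5_000, 20_000, 100_000),
)

if __name__ == "__main__":
    for key, value in simulate(PHISHING).items():
        print(f"{key:>4}: {value:,.0f}")
```

Comparing the distribution before and after a proposed control (for example a lower vulnerability range once phishing-resistant authentication is deployed) gives senior management the financial comparison the article describes.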
PRA
PRA is a method used for risk assessment in industries that rely on complex technological operations, such as oil exploration, nuclear power plants, and aeronautics. These industries typically involve complex engineering operations and require large investments.
Techniques
Various tools are available for performing a PRA, such as event-tree analysis, fault-tree analysis, human-reliability analysis (HRA), and common-cause failure (CCF) analysis. HRA is used to assess human errors, whereas CCF analysis assesses cases in which several components fail together because of a shared underlying cause. Once the PRA is complete, the information security manager decides on the risk-mitigation strategy to be used to manage the risk's impact on business operations.
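An added example, not from the article, of two of the PRA tools named above: a small fault-tree evaluator (AND/OR gates over independent basic events) with a common-cause failure term that shows why CCF analysis matters for redundant components. The component names, failure probabilities and the beta-factor CCF model are assumptions for illustration.

```python
"""Fault-tree evaluation with a common-cause failure term (added example)."""
from dataclasses import dataclass

@dataclass
class Basic:
    """A basic event and its probability of occurring during the mission time."""
    name: str
    p: float

@dataclass
class Gate:
    """An AND gate (all inputs must occur) or an OR gate (any one input suffices)."""
    kind: str
    inputs: list

def probability(node) -> float:
    """Top-event probability, assuming the basic events are statistically independent."""
    if isinstance(node, Basic):
        return node.p
    child_ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in child_ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in child_ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")

def redundant_pair(p_fail: float, beta: float) -> Gate:
    """Two redundant components that must both fail for the top event to occur.
    beta is the fraction of each component's failure probability attributed to a
    shared cause (beta-factor CCF model, an assumption for this illustration).
    beta = 0 is the naive independent tree; beta > 0 adds one CCF basic event under
    an OR gate, which is what a common-cause failure analysis would reveal."""
    independent = Gate("AND", [Basic("A fails independently", (1 - beta) * p_fail),
                               Basic("B fails independently", (1 - beta) * p_fail)])
    common_cause = Basic("A and B fail from a shared cause", beta * p_fail)
    return Gate("OR", [common_cause, independent])

if __name__ == "__main__":
    for beta in (0.0, 0.05, 0.1):
        print(f"beta={beta:.2f}  P(top event)={probability(redundant_pair(0.01, beta)):.6f}")
```

With a 1% per-component failure probability, a 10% common-cause fraction raises the top-event probability from 0.0001 to roughly 0.00108, so the redundancy delivers far less than the independent tree suggests.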
Summary
Risk assessment is the first step in the risk management process. There are four commonly used risk assessment methodologies: RFA, NIST, FAIR, and PRA. These methods help you calculate the risk and devise control measures based on the severity and type of risk your organization encounters. With knowledge of the various risk assessment methodologies, an information security manager should be able to build a security management program specific to business needs.