Has your organization performed a Risk Assessment?
Many organizations fail to keep current on Risk Management. Often, risk management only becomes important after a costly incident occurs. With little effort it's easy to reduce your organization's risk exposure by performing a Risk Assessment. A risk assessment, or risk analysis, is a simple process of identifying the most valuable assets, assigning a value to them, and then identifying the probability of a certain threat occurring. Once you have an inventory of assets in place and have identified the most likely threats, you simply calculate a risk ranking. The higher the risk ranking, the more time, money, and effort is needed on risk mitigation steps to prevent losses from occurring.

Here's a simple and valuable formula that your organization can use to identify and rank risks to your organization.

Risk Ranking = (the likelihood of a vulnerability occurring) X (Value of the Asset) – (the percentage of risk mitigation controls) + (the uncertainty of knowledge of the vulnerability)
For example:
Let's say that you have an Application Server that is used by most of your workers, and you also have a separate email server that your workers use too. How do you determine which one poses the most risk to the organization?
Asset | Asset Impact | Vulnerability | Vulnerability Likelihood | Certainty of assumptions | Risk Mitigation | Risk Rating Factor
Application Server | 50 | Hardware failure | 1 | .9 | 0 | 55
Mail Server | 100 | Hardware failure | .5 | .8 | .50 | 35
You can see from this chart that the greatest risk is associated with the Application Server. You can also see that, unlike the mail server, there is no risk mitigation associated with the application server. The conclusion is very simple: the organization should spend effort on risk mitigation for the Application Server because its risk ranking is the highest.
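The ranking in the table above, as an added Python example that is not part of the original post: it encodes the two rows as a constructed inventory, scores them with the page's formula, sorts them, and shows how adding controls to the Application Server lowers its rating. Reading the mitigation and uncertainty terms as fractions of likelihood x impact (with uncertainty = 1 - certainty) is an assumption, chosen because it reproduces the 55 and 35 in the table.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Asset:
    name: str
    impact: float        # asset value / impact score (the page uses 50 and 100)
    vulnerability: str
    likelihood: float    # probability the vulnerability occurs, 0..1
    certainty: float     # confidence in the assumptions, 0..1 (page: .9 and .8)
    mitigation: float    # share of exposure removed by existing controls, 0..1

def risk_rating(a: Asset) -> float:
    """Risk Ranking = likelihood x impact - mitigation + uncertainty.

    Assumption (not spelled out on the page): mitigation and uncertainty are
    applied as fractions of the base exposure (likelihood x impact), with
    uncertainty = 1 - certainty.  This reading reproduces the page's 55 and 35.
    """
    for field in ("likelihood", "certainty", "mitigation"):
        value = getattr(a, field)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{field} must be between 0 and 1, got {value}")
    base = a.likelihood * a.impact
    mitigated = base * a.mitigation
    uncertainty = base * (1.0 - a.certainty)
    return round(base - mitigated + uncertainty, 2)

def rank(assets):
    """Return (name, rating) pairs with the highest-risk asset first."""
    return sorted(((a.name, risk_rating(a)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)

def with_mitigation(a: Asset, mitigation: float) -> float:
    """Rating after adding controls, to show the payoff of mitigation spend."""
    return risk_rating(replace(a, mitigation=mitigation))

# Constructed inventory reproducing the page's two-row table.
INVENTORY = [
    Asset("Application Server", 50, "Hardware failure", 1.0, 0.9, 0.0),
    Asset("Mail Server", 100, "Hardware failure", 0.5, 0.8, 0.5),
]

if __name__ == "__main__":
    for name, rating in rank(INVENTORY):
        print(f"{name:20} {rating:6.1f}")
    print("Application Server with 50% mitigation:", with_mitigation(INVENTORY[0], 0.5))
```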
For more information on Risk Management consult the following resources:
The Institute of Risk Management: http://www.theirm.org/
The Risk Management Society: http://www.rims.org
The Risk Management Association: http://www.rmahq.org