CyberSecurity Risk Assessment


In this tutorial, we will walk through the six steps of a cybersecurity risk assessment.

1. Characterize the system (process, function or application)

Characterizing the system will help you determine viable threats. This should include, among other factors:

  • What is it?
  • What kind of data does it use?
  • Who is the vendor?
  • What internal and external interfaces may be present?
  • Who uses the system?
  • What is the data flow, and where does the information go?

2. Identify threats
Some threats will appear in every risk assessment; depending on the system, additional threats may need to be included. Common threat types include:

  • Unauthorised access (malicious or accidental): this could come from a direct hacking attack, a compromise, a malware infection or an internal threat.
  • Misuse of information or privilege by an authorised user: this could be a result of unapproved use of data or changes made without approval.
  • Data leakage or unintentional exposure of information: this includes permitting the use of unencrypted USB drives or CD-ROMs without restrictions, deficient paper retention and destruction practices, transmitting non-public personal information and PII over unsecured channels, or accidentally sending sensitive information to the wrong recipient.
  • Loss of data: this can be the result of poor replication and backup processes.
  • Disruption to service or productivity

3. Determine inherent risk and impact
This is done without considering your control environment. Factoring in how you characterized the system, you determine the impact on your organization if the threat were exercised. For example:

  • High impact would be substantial.
  • Medium impact would be damaging but recoverable.
  • Low impact would be minimal or non-existent.

4. Analyze the control environment
You typically need to look at several categories of information to adequately assess your control environment. Ultimately you want to identify threat prevention, mitigation, detection or compensating controls and their relationship to the identified threats. A few examples include:

  • Organisation risk management controls
  • User provisioning controls
  • Administration controls
  • User authentication controls
  • Infrastructure data protection controls
  • Data center physical and environmental security controls
  • Continuity of operations controls
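To show how steps 1 to 4 fit together in practice, here is a small risk-register helper added as an example (it is not code from the tutorial). It records the step-1 characterization, the step-2 threats with their step-3 impact ratings, and the step-4 controls mapped to the threats they address, then reports which threats have no preventive or detective control, highest inherent impact first. The numeric impact scale, the system description, and the threat-to-control mapping are all constructed for the example; the tutorial only names the three impact levels and the control categories.

```python
from dataclasses import dataclass

# Ordinal scale for the step-3 impact ratings. The numbers are an assumed
# mapping used only for sorting; the tutorial names the levels, not values.
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}
# Control kinds named in step 4.
CONTROL_KINDS = {"prevention", "mitigation", "detection", "compensating"}


@dataclass(frozen=True)
class System:
    """Step 1: the characterisation facts an assessor records."""
    name: str
    vendor: str
    data_kinds: tuple
    interfaces: tuple
    users: tuple


@dataclass(frozen=True)
class Threat:
    """Steps 2 and 3: a threat and its inherent impact rating."""
    name: str
    impact: str

    def __post_init__(self):
        if self.impact not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact level {self.impact!r}")


@dataclass(frozen=True)
class Control:
    """Step 4: a control, its kind, and the threats it is mapped to."""
    name: str
    kind: str
    covers: tuple

    def __post_init__(self):
        if self.kind not in CONTROL_KINDS:
            raise ValueError(f"unknown control kind {self.kind!r}")


def inherent_risk(threat):
    """Inherent (pre-control) risk ordinal from the step-3 impact rating."""
    return IMPACT_LEVELS[threat.impact]


def control_map(threats, controls):
    """Map each threat name to the set of control kinds that address it."""
    mapping = {t.name: set() for t in threats}
    for c in controls:
        for tname in c.covers:
            if tname not in mapping:
                raise KeyError(f"control {c.name!r} references unknown threat {tname!r}")
            mapping[tname].add(c.kind)
    return mapping


def gaps(threats, controls, required=("prevention", "detection")):
    """Threats missing any required control kind, highest inherent risk first.

    Returns [(threat name, tuple of missing kinds), ...]. A threat covered
    only by mitigation (e.g. backups) is still reported as a gap.
    """
    mapping = control_map(threats, controls)
    by_name = {t.name: t for t in threats}
    missing = []
    for t in threats:
        absent = tuple(k for k in required if k not in mapping[t.name])
        if absent:
            missing.append((t.name, absent))
    # sort() is stable, so equal-impact threats keep their register order
    missing.sort(key=lambda item: -inherent_risk(by_name[item[0]]))
    return missing


# Constructed sample register: a hypothetical payroll portal.
SAMPLE_SYSTEM = System(
    name="Payroll portal (constructed example)",
    vendor="ExampleVendor (placeholder)",
    data_kinds=("employee PII", "bank account details"),
    interfaces=("HR system API", "public web login"),
    users=("HR staff", "employees"),
)
SAMPLE_THREATS = (
    Threat("unauthorised access", "high"),
    Threat("misuse of privilege", "medium"),
    Threat("data leakage", "high"),
    Threat("loss of data", "medium"),
    Threat("disruption to service", "low"),
)
SAMPLE_CONTROLS = (
    Control("user authentication (MFA)", "prevention", ("unauthorised access",)),
    Control("user provisioning and access review", "prevention", ("misuse of privilege",)),
    Control("admin activity logging", "detection", ("unauthorised access", "misuse of privilege")),
    Control("encryption in transit and at rest", "prevention", ("data leakage",)),
    Control("backups and replication", "mitigation", ("loss of data",)),
    Control("continuity of operations plan", "mitigation", ("disruption to service",)),
)

if __name__ == "__main__":
    print(f"System: {SAMPLE_SYSTEM.name}, users: {', '.join(SAMPLE_SYSTEM.users)}")
    for name, absent in gaps(SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{name}: missing {', '.join(absent)} control")
```

Running the script lists data leakage first (high impact, encryption but no detective control), then loss of data and disruption to service, which have only mitigating controls. That ordered gap list is the input to the later steps of the assessment, where likelihood and control effectiveness determine residual risk.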
Article publication in progress.