Identifying Potential Risks, Response and Recovery
Identification of Potential Risks
Identification of potential risks is the first step in the risk management methodology. Organizations use a risk assessment plan to determine the extent of the potential threats and the risk associated with an IT system. The output of this procedure helps in identifying suitable controls for eliminating or reducing risk through the process of risk mitigation. Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
System Related information
Risk identification for an IT system requires a thorough understanding of the system's processing environment. The person responsible for conducting the risk assessment should therefore gather system-related information that includes:
Software and hardware.
Interfaces of the system like external and internal connectivity.
Data and system sensitivity.
System users.
Current topology of the network.
Security policies of the system.
Flow of information to IT systems (e.g. input and output of the system).
Technical, management and information controls used for the IT system.
Physical security environment of the IT system (e.g. data center policies).
Environmental protection implemented for the IT system (e.g. humidity control, temperature control, pollution control and power control).
Identification of Threat
A threat is the potential for a specific threat source to successfully exercise a specific vulnerability (Stoneburner et al., 2002). A vulnerability is a flaw that can be accidentally triggered or intentionally exploited. A threat source does not present a risk when there is no vulnerability that it can exercise.
Identification of Source of Threat
The purpose of this step is to identify potential threat sources and to compile a list of those that are relevant to the IT system under consideration. Common threat sources include:
Natural threat sources involve earthquakes, floods, tornadoes and other such occurrences.
Human threat sources involve unintentional acts (e.g. erroneous data entry) or deliberate acts (e.g. unauthorized access to private information, malicious software upload, network attacks).
Environmental threat sources involve pollution, liquid leakage, or long-term power failure.
Identification of Vulnerability
The threat analysis for an IT system should include an analysis of the vulnerabilities associated with the system's environment (Guttman, 1996). The objective of this step is to develop a list of system vulnerabilities that could be exploited by the potential threat sources.
A vulnerability is a weakness or flaw in the system's security procedures, design, implementation or controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
Response to Potential Risks
Actions Prioritization
Control actions are prioritized according to the risk levels. In allocating resources, the highest priority must be given to the risk items with an unacceptably high risk rating. These threat/vulnerability pairs will need timely security action to safeguard the mission and interests of an ...
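The two ideas above, risk as a function of the likelihood that a threat source exercises a vulnerability and its impact, and prioritizing control actions by the resulting risk level, can be worked through on a small risk register. The following is an added example, not part of the essay; it assumes the three-level likelihood and impact scales and the High/Medium/Low thresholds of NIST SP 800-30 (Stoneburner et al., 2002, the source cited above), and the register entries are constructed for illustration.

```python
# Added example: score each threat-source/vulnerability pair as
# likelihood x impact and rank the pairs so the highest-rated ones
# receive control actions first. Scales/thresholds assumed from
# NIST SP 800-30; the sample register below is constructed.
from dataclasses import dataclass

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class RiskItem:
    threat_source: str   # natural, human or environmental source
    vulnerability: str   # flaw that the source could exercise
    likelihood: str      # "low" | "medium" | "high"
    impact: str          # "low" | "medium" | "high"


def risk_score(item: RiskItem) -> float:
    """Risk = likelihood of the threat exercising the vulnerability x impact."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(score: float) -> str:
    """Map the numeric score onto the High / Medium / Low risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def prioritize(items: list[RiskItem]) -> list[tuple[RiskItem, float, str]]:
    """Order the register so unacceptably high ratings come first."""
    scored = [(i, risk_score(i), risk_level(risk_score(i))) for i in items]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register for a hypothetical system
SAMPLE_ITEMS = [
    RiskItem("human (intentional)", "unpatched remote service", "high", "high"),
    RiskItem("environmental", "no UPS for long power failure", "medium", "medium"),
    RiskItem("natural (flood)", "data center on ground floor", "low", "high"),
    RiskItem("human (unintended)", "no validation on data entry", "medium", "low"),
]

if __name__ == "__main__":
    for item, score, level in prioritize(SAMPLE_ITEMS):
        print(f"{level:6} {score:6.1f}  {item.threat_source}: {item.vulnerability}")
```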