Security risk assessment is fundamental to the security strategy of any organisation. The security controls applied to any system should always be commensurate with the risks to that system. In carrying out a security risk assessment, it is essential to ensure that controls and expenditure are commensurate with the risks to which an organisation's systems are exposed.
In order to conduct a risk assessment of any environment, one has to identify the threats to that environment, the vulnerabilities those threats could exploit, and the harm (the risk) that would result if they did. The difference between threats and vulnerabilities is that threats have the potential to harm an organisation, while vulnerabilities are weaknesses that a threat may exploit.
The information security controls an organisation deploys on its systems should be commensurate with the degree of risk associated with the organisation's systems, networks, and information assets.
Performing a sound risk assessment is critical to establishing an effective information security program. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Organisations must have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education, and testing, as part of an effective program.
Our Security Risk Assessment offering includes the following:
- Identifying mission-critical information systems, and determining the effectiveness of current information security programs.
- Assessing the importance and sensitivity of information, and the likelihood of both internal and external breaches (e.g. external attacks and authorised staff misusing information). Our review covers the appropriateness of access controls and other security policy settings.
- Assessing the risks posed by electronic connections with business partners. This is necessary because a business partner with weak access controls could become the path to an indirect compromise of your systems.
- Determining legal implications and contingent liability concerns associated with any of the above. For example, if attackers successfully access your system and use it to subsequently attack other organisations, your company may be liable for damages incurred by the party that is attacked.
- Ensuring expenditure on security is commensurate with the threats and vulnerabilities to which each system is exposed.