Given the sheer number of security threats, many organisations that were once reluctant to spend serious money on improving their security have changed their minds after recent reports of what a security breach costs multinational organisations and their rivals. An example is the Sony security breach, in which hackers were able to infiltrate Sony's security system and gain access to the personal information of Sony's customers.
Let's face some facts here: the security system of any organisation can only be managed properly after a proper risk assessment (the identification and analysis of the threats, vulnerabilities and risks to that organisation) has been carried out. Risk assessment involves seven major steps, shown below:
- Identify the assets: compile all the assets in the organisation, which can be done using the asset register. Each asset has an asset number, location, type, etc.
- Classify the assets: this classification is based on asset value. Some assets have high business value but low financial value, and vice versa.
- Identify the threats and vulnerabilities affecting the assets. This information can come from past experience, basic knowledge of the organisation, or public sources like the Internet.
- Identify the impacts on the organisation if these threats act on the vulnerabilities.
- Identify the probability and frequency with which these incidents occur in the organisation.
- Identify the impact factor, which reflects the seriousness of these impacts.
- Identify the risk factor, which is the probability and frequency multiplied by the impact factor.
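The seven steps above map naturally onto a small risk register, so here is an added worked example (not code from the original post) that carries one constructed register through steps 1 to 7: an asset register, a classification rule that takes the higher of business and financial value, threat scenarios with probability, frequency and impact factor, and a risk factor computed as probability and frequency multiplied by impact factor. The 1-5 rating scales, the `Asset`/`ThreatScenario` data shapes, the rule of scaling the probability rating by expected occurrences per year, and all sample values are assumptions made for the example, not part of any of the methodologies named on this page.

```python
"""Worked example of the seven risk-assessment steps as a small risk register.

All sample data below is constructed for illustration; the 1-5 scales and the
way probability and frequency are combined are assumptions, not a standard.
"""
from dataclasses import dataclass

# Rating scales for steps 5 and 6 (assumed 1-5 scales, not prescribed by the text).
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT_FACTOR = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Asset:
    """Step 1: one row of the asset register."""
    asset_id: str
    name: str
    location: str
    asset_type: str
    business_value: int   # 1-5
    financial_value: int  # 1-5


@dataclass(frozen=True)
class ThreatScenario:
    """Steps 3 to 6: a threat acting on a vulnerability of one asset."""
    asset_id: str
    threat: str
    vulnerability: str
    impact: str                # what happens if the threat exploits the vulnerability
    probability: str           # key into PROBABILITY
    frequency_per_year: float  # expected occurrences per year
    impact_factor: str         # key into IMPACT_FACTOR


def classify_asset(asset: Asset) -> str:
    """Step 2: classify on the higher of business and financial value, so an
    asset that is cheap to replace but business-critical still ranks high."""
    value = max(asset.business_value, asset.financial_value)
    if value >= 5:
        return "critical"
    if value == 4:
        return "high"
    if value == 3:
        return "medium"
    return "low"


def risk_factor(scenario: ThreatScenario) -> float:
    """Step 7: (probability and frequency) x impact factor.
    Assumption: the probability rating is scaled by expected occurrences per year."""
    likelihood = PROBABILITY[scenario.probability] * scenario.frequency_per_year
    return likelihood * IMPACT_FACTOR[scenario.impact_factor]


def rank_risks(assets, scenarios):
    """Return (asset, classification, scenario, risk) tuples, highest risk first.
    A scenario that names an asset missing from the register is a data error
    in the register itself, so it is reported rather than silently skipped."""
    register = {a.asset_id: a for a in assets}
    rows = []
    for s in scenarios:
        if s.asset_id not in register:
            raise KeyError(f"scenario refers to unknown asset {s.asset_id!r}")
        asset = register[s.asset_id]
        rows.append((asset, classify_asset(asset), s, risk_factor(s)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register (not real data).
SAMPLE_ASSETS = [
    Asset("A-001", "Customer database", "Datacentre rack 4", "data", 5, 3),
    Asset("A-002", "Public web server", "DMZ", "server", 4, 2),
    Asset("A-003", "Office printer", "HQ floor 2", "hardware", 1, 2),
]

# Constructed sample threat scenarios (not real data).
SAMPLE_SCENARIOS = [
    ThreatScenario("A-001", "external attacker", "unpatched database service",
                   "customer records disclosed", "likely", 2.0, "severe"),
    ThreatScenario("A-002", "denial of service", "no rate limiting",
                   "web shop unavailable", "possible", 3.0, "moderate"),
    ThreatScenario("A-003", "theft", "unsecured office area",
                   "printer replaced", "unlikely", 0.5, "minor"),
]

if __name__ == "__main__":
    for asset, cls, s, risk in rank_risks(SAMPLE_ASSETS, SAMPLE_SCENARIOS):
        print(f"{risk:6.1f}  {asset.asset_id} ({cls:8}) {s.threat} via {s.vulnerability}")
```

Running the script lists the scenarios with the highest risk factor first, which is the order in which an organisation would then decide on treatment; note that the printer's low classification and low risk factor fall out of the same register without any special casing.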
Once a risk assessment has been carried out properly, an organisation chooses one risk assessment methodology that suits it, which might be CRAMM (CCTA Risk Analysis and Management Method), OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), NIST (National Institute of Standards and Technology) or COBIT (Control Objectives for Information and Related Technology).
When a suitable risk methodology has been chosen for an organisation, it is followed by a risk framework (which determines the impact factor of a threat to the organisation), asset classification (ordering the assets by their importance to the organisation) and risk rating (the chance of a particular risk to the organisation occurring).
Most organisations carry out these risk assessments successfully and implement the necessary security measures, but they fail to educate their employees on the impact of not adhering to the rules the organisation has set in order to keep its business running. The video above says it all. Some authors would say people are the weakest link when it comes to managing the security system of any organisation.
Aagedal, J., den Braber, F., Dimitrakos, T., Gran, B., Raptis, D., & Stolen, K. (2002). Model-based risk assessment to improve enterprise security. Proceedings of the Sixth International Enterprise Distributed Object Computing Conference (EDOC '02). IEEE Xplore.
Alberts, C. J. (2003). Managing information security risks: The OCTAVE approach. Addison-Wesley.
Alberts, C., & Dorofee, A. (2001). An introduction to the OCTAVE(SM) method. Retrieved December 10, 2012, from http://www.cert.org/octave/methodintro.html
Government of Australia. (2010). Event safety risk assessment sheet.
The IT Governance Institute. (2004). COBIT student book.
CRAMM. (2011). How CRAMM works. Retrieved December 6, 2012, from http://www.cramm.com
Panda, P. (2009). The OCTAVE approach to information security risk assessment. Retrieved December 11, 2012, from http://www.isaca.org
Greene, T. (2015). Worst security breaches of the year 2014: Sony tops the list. Network World. Retrieved March 11, 2015.