1. Find all valuable assets across the organization that could be harmed by threats in a way that results in
a monetary loss. Here are just a few examples:
• Servers
• Website
• Client contact information
• Partner documents
• Trade secrets
• Customer credit card data
2. Identify potential consequences. Determine what financial losses the organization would suffer if a
given asset were damaged. Here are some of the consequences you should care about:
• Data loss
• System or application downtime
• Legal consequences
3. Identify threats and their level. A threat is anything that might exploit a vulnerability to breach your
security and cause harm to your assets. Here are some common threats:
• Natural disasters
• System failure
• Accidental human interference
• Malicious human actions (interference, interception or impersonation)
4. Identify vulnerabilities and assess the likelihood of their exploitation. A vulnerability is a weakness
that allows some threat to breach your security and cause harm to an asset. Think about what protects
your systems from a given threat — if the threat actually occurs, what are the chances that it will
actually damage your assets? Vulnerabilities can be physical (such as old equipment), problems with
software design or configuration (such as excessive access permissions or unpatched workstations), or
human factors (such as untrained or careless staff members).
5. Assess risk. Risk is the potential that a given threat will exploit the vulnerabilities of the environment
and cause harm to one or more assets, leading to monetary loss. Assess the risk according to the logical
formula stated above and assign it a value of high, moderate or low. Then develop a solution for every
high and moderate risk, along with an estimate of its cost.
6. Create a risk management plan using the data collected. Here are some sample entries:
7. Create a strategy for IT infrastructure enhancements to mitigate the most important vulnerabilities
and get management sign-off.
8. Define mitigation processes. You can improve your IT security infrastructure but you cannot eliminate
all risks. When a disaster happens, you fix what happened, investigate why it happened, and try to
prevent it from happening again, or at least make the consequences less harmful. For example, here is a
sample mitigation process for a server failure:
Event (server failure) → Response (use your disaster recovery plan or the vendor’s documentation to
get the server up and running) → Analysis (determine why this server failed) → Mitigation (if the server
failed due to overheating because of low-quality equipment, ask your management to buy better
equipment; if they refuse, put additional monitoring in place so you can shut down the server in a
controlled way)
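The eight steps above worked through as a small risk register in Python (an added example, not Netwrix's own code or tool). Assets, threats and vulnerabilities are scored on an assumed 1-3 scale; the risk score is an assumed likelihood × exploitability × impact product standing in for the formula the excerpt refers to but does not reproduce; the thresholds for high, moderate and low are assumed as well, and the plan flags every high and moderate risk for a costed solution as step 5 requires.

```python
from dataclasses import dataclass

LOW, MODERATE, HIGH = 1, 2, 3  # qualitative scale (assumed; the page's formula is not reproduced)

@dataclass(frozen=True)
class Asset:
    name: str
    impact: int  # monetary consequence if damaged (step 2)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # how often the threat occurs (step 3)

@dataclass(frozen=True)
class Vulnerability:
    asset: Asset
    threat: Threat
    exploitability: int  # chance the threat actually damages the asset (step 4)

def risk_score(v: Vulnerability) -> int:
    """Risk = likelihood x exploitability x impact (assumed scoring, range 1..27)."""
    return v.threat.likelihood * v.exploitability * v.asset.impact

def risk_level(score: int) -> str:
    """Map the score to the page's high / moderate / low rating (thresholds assumed)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "moderate"
    return "low"

def risk_management_plan(vulns):
    """Plan entries, highest risk first; high and moderate risks need a costed solution (step 5)."""
    plan = []
    for v in sorted(vulns, key=risk_score, reverse=True):
        level = risk_level(risk_score(v))
        plan.append({"asset": v.asset.name, "threat": v.threat.name,
                     "score": risk_score(v), "level": level,
                     "solution_required": level != "low"})
    return plan

# Constructed sample register built from the page's own asset and threat examples.
SERVER = Asset("Servers", impact=HIGH)
CARDS = Asset("Customer credit card data", impact=HIGH)
DOCS = Asset("Partner documents", impact=MODERATE)
SAMPLE_VULNS = [
    Vulnerability(SERVER, Threat("System failure", MODERATE), HIGH),  # aging, overheating hardware
    Vulnerability(CARDS, Threat("Malicious human actions", HIGH), MODERATE),  # excessive permissions
    Vulnerability(DOCS, Threat("Accidental human interference", HIGH), LOW),  # staff error, but backups exist
]
```

Calling `risk_management_plan(SAMPLE_VULNS)` returns the two server and card-data risks as high and the partner-document risk as moderate, so all three need a solution and a cost estimate before the plan goes to management (step 7).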
Congratulations! You’ve finished your first risk assessment. But remember that risk assessment is not a
one-time event. Both your IT environment and the threat landscape are constantly changing, so you
need to perform risk assessment on a regular basis. Create a risk assessment policy that codifies your
risk assessment methodology and specifies how often the risk assessment process must be repeated.
Watch our recorded webinar on IT risk assessment to learn how Netwrix Auditor can help you identify
and prioritize your IT risks, and know what steps to take to remediate them.
How To Defend Your Information Systems Against Different Types Of Risks
John Giordani
Forbes Technology Council
May 6, 2021, 08:10am EDT
CISO at NCHENG LLP Certified Information Systems Auditor (CISA) with extensive experience in building
internal cybersecurity practices.
Companies that rely on information technology systems such as computers for their business practices
are expected to know their systems' risks. A security breach is the main risk associated with information
systems, as it comprises threats such as malware, spyware, denial-of-service, password theft, viruses,
hardware and software failure, phishing and hacking. In essence, a security breach is any form of
unauthorized access to an individual or a company.
Before implementing information system controls, a company should undergo a risk assessment process.
The process involves an analysis of the chance of loss associated with a certain threat and should be
followed up with the safeguarding of assets prone to certain vulnerabilities.
This is important in evaluating possible threats and planning out the financial resources needed for
those threats. Risk assessment is important because it establishes effective policies to deal with risks
and lays out cost-effective strategies for implementing those policies. The assessment gives
decision-makers information about the factors that adversely affect a company's operations and
outcomes, and it gives those responsible what they need to make informed decisions about how to
mitigate those risks. Companies can opt to carry out a qualitative or a quantitative risk assessment to
establish the risks affecting their operations.
Combating Risks In A Company
Risk management is a step-by-step method of identifying, analyzing, communicating and controlling
risks in a company. The management of risks in information systems includes five typical methods:
avoiding, reducing, transferring, retaining or utilizing the risk at hand:
• Risk avoidance involves eliminating the risk's cause or the consequences related to the risk.
• Risk reduction involves limiting the risk by establishing measures and controls that reduce the
vulnerability to the threat.
• Risk transferring involves making other selections that will help compensate for the loss being
considered.
• Risk retaining involves laying out a plan that will manage the risk. Thus, it involves making controls a
priority, as well as implementing and maintaining them.
• Risk utilizing involves researching and acknowledging the flaws and vulnerabilities associated with the
risk, thereby lowering the risk of loss. Research controls are also useful in correcting
vulnerabilities.
Companies can manage risks by creating a security policy that will assess the state of all of their online
platforms, such as their websites and social media platforms. This policy should consist of prevention
measures and the detection of attackers. These policies should also address physical security to ensure
that unauthorized people do not access infrastructure, minimizing insider attacks.
Companies can conduct staff training for new and existing staff members on technology procedures,
policies, and strategies for managing IT risks. With this, your staff can learn how to handle infected
emails, secure the information of customers, and act during a security breach.
The company should also consider insurance as it relates to these risks, as it is hard to secure systems
from all possible risks. Insurance coverage is essential in risk management and recovery planning due to
increased and emerging risks.
When protecting against information system risks, consider physical actions you can take, including
securing computers, wireless networks and servers. Additionally, you can utilize digital tools such as
firewalls, anti-spyware software and antivirus protection to avoid malicious attacks. Always update your
software to the latest version available to avoid system failures — and make use of data backups, such
as remote storage and off-site storage, to avoid the loss of sensitive data.
Securing passwords with strong authentication, including multi-factor authentication, is also essential.
This will help you secure sensitive systems against illegal access, including access from attackers who
disguise themselves as legitimate users or programs.