What is Risk Assessment?
Risk assessment is the process of identification of risks followed by the analysis and evaluation. In an ISO 27005 perspective risk is computed by identifying, analysing and evaluating the extent that a particular entity could be affected by some situation or incident adversely. Factors like likelihood and impact determine the risk potential. Instead of one time activity, risk assessment is actually an ongoing process and could follow qualitative and quantitative approach. It is also a subset of Risk Management process as the output of risk assessment is used as input for Risk Treatment.
The type of risks that fall into IT are broadly belong to either two categories
- risks to business processes which are dependent upon IT infrastructure like applications, IT processes & Systems
- Security risks to Information systems; couple of the risks fall into both categories.
To understand “risks to business processes which are dependent upon IT Infrastructure”, let’s take an example of an organization who intends to implement a new IT system. The choice of software solutions may be the key decision. Out of several ERP packages in market this organization has a task of choosing of implementing the ERP solution that should meet most of the business requirements and should fall into the budget.
Further arising questions could be what other software should be procured, should they go for open source to save money but usually these solutions are without support or they should go ahead with the purchase of a software which has many functionalities and solid support but comes at a high cost? If these choices are incorrect, the consequences will not be favourable to the organization. The associated risks are strategic risks and these risks will be taken with the intention of achieving benefits. Correct strategic decisions deliver benefits that result in achievement of the upside of risk.
What are information security risks?
Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations. So information security risk needs to be identified, estimated and prioritized.
An example of Information security risk would be the possibility of loss of Integrity of sensitive information. Integrity of information can be impaired by various causes, such as by manipulation, misconduct of individuals, misuse of applications, software failures or transmission errors. Many causes could be linked to the aging of data storage media, or loss of information which could occur. During data transfer transmission errors may occur, malicious software can destroy or modify entire databases, due to incorrect input, undesired transactions may occur, which often remain unnoticed for a long time. Attackers may try to manipulate data for their purposes, e. g. to gain access to other IT systems or databases. If the information loses integrity, it can cause a variety of problems: In the simplest case, information cannot be read and hence further processed or data can be accidentally or intentionally falsified to the extent that false information is passed on. In this way transfers with wrong amounts, for instance, or to the wrong recipient can be triggered, the sender data in an email can be manipulated and many more. If encrypted or compressed data loses its integrity it cannot be decrypted or respectively decompressed under certain circumstances. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
Risk Identification Process
According to ISO 31000:2009 standard, risk Identification is the process of finding, recognizing and describing risks. Risk identification involves the identification of risk sources, events, root causes and their effects. Risk could be discovered accidentally, real life experiences, discovered by imagination, past observations, data analysis, and derived from expert opinions. A risk source is an element which alone or in combination has the intrinsic potential to give rise to risk. An event is occurrence or change of a particular set of circumstances. An event can be a single occurrence, combination of multiple occurrences together or sequentially.