In today's lesson, I'll talk about risk assessment. By the end, you'll be able to understand what risk assessment is, discuss the approaches to risk assessment, and understand that not all risk assessments fit your organization. Risk assessment, as we discussed in the previous lesson, is really about overall security management and fits into the risk framework. Risk assessment really starts at the beginning of any service or system implementation, in the system life cycle. So there are steps that need to be followed to ensure that the system can not only run properly but run without risk, or at least with that risk taken into account. Most organizations start risk assessment right after a service has been running for a while. And why do we need to do that? Well, risk assessment actually needs to be a proactive process through the entirety of the risk management framework. We shouldn't just do it in the middle because things have changed on our service. We need to do it from the initial concept of the service or system all the way to when we destroy that service or system, because risk, as we've talked about previously in another lesson, covers a very wide range of things that could actually go wrong.

The risk assessment process for NIST is pretty straightforward, and you can deviate from this process somewhat, but let's talk about the steps. Step one, preparing. Keep in mind this isn't the risk management framework we've talked about previously; this is the risk assessment portion. So in preparing for a risk assessment, we have to identify the purpose of what we're trying to assess. We also have to identify the scope, identify the assumptions and constraints associated with the assessment, identify the sources of information to be used as inputs to the assessment, and identify the risk model and analytic approaches of the risk assessment itself.
Now, in any computer model, whatever data we get out is only as good as the information we put into it. So if we're looking at our overall risk assessment process, the preparation phase is really one of the most important, because we set the stage for the rest of the assessment. We could go with a very small scope or a very large scope, but all of that takes time and resources, so understanding why we are doing the assessment and what its scope is is very important.

Step 2 is to conduct the assessment. We're going to identify the threat sources to whatever we're trying to assess, identify the threat events that could be produced, and identify vulnerabilities. Vulnerabilities in this case could be vulnerabilities of the organization, of other aspects of the system, or even of your stakeholders. Next is to determine the likelihood that the identified threat sources would initiate specific threat events and the likelihood that the event would actually be successful. Meaning, what is the likelihood of somebody breaking into a server if that server is protected on all sides by firewalls and nobody knows the password to the server? Well, it could happen, but the likelihood is very low, so your risk is probably very low. Next is determining the adverse impacts to the organization, its operations and its assets. And finally, determining the information security risk as a combination of the likelihood of the threat happening and any uncertainties associated with that risk determination. So as we conduct the assessment, we have to be thinking about how each risk or each vulnerability could impact any part of our risk management framework, so really any part of the organization.
So when you're conducting a risk assessment, think about how this risk actually applies to any assets we have, whether that's people, services or finances, not just computer assets, but our overall bottom line. When we conduct this, we have to look at the likelihood of every single threat we may see.

Third, and really throughout the entire process, we need to communicate. We need to understand and communicate the risk assessment results, specifically to senior management or, in this case, really the service owner and any stakeholders included in that overall process. And we need to share the information developed in the execution of that risk assessment to support other risk management activities. So if we have a risk assessment on one system, how does that affect the risk management or the risk assessment on another system? Is the likelihood increased or decreased because of the assessment we have on one system or the other?

Step 4 is maintaining. We need to monitor the risk factors identified in risk assessments on an ongoing basis, not just when there are changes to the asset. And we also need to update the components of the risk assessments to reflect the monitoring activities being carried out. So if we identify something happening on the server that we don't intend, we need to put that into the risk assessment. Let's look at bandwidth as an example. Say we do an assessment of our overall network bandwidth and we say we have enough bandwidth for 100 users to be online. Then you release a new product, the Internet goes crazy about that product, and you haven't taken into account that your bandwidth can only handle 200 people. What happens when the traffic from the marketing overtakes your bandwidth? That then affects the product, and whether people say, well, this is really a good product.
Everything is a domino effect, so we have to make sure that risk assessments tie into each other and are always updated. Developing your own risk assessment is tough, and it is tough to understand all the threats and all the vulnerabilities out there. Developing your own risk assessments within your own organization should be done, but most of the format is still going to hold true: define the scope, conduct the analysis including the likelihood and impact of the risk analysis, report and recommend, and maintain as well.
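To make the conduct, communicate and maintain steps concrete, here is a small risk register written for this lesson (it is an added illustration, not material from the course or from NIST). The two events, the 1-to-5 impact scale, the rating thresholds and the user counts are constructed assumptions; the "maintain" function shows the bandwidth case, where a monitoring observation feeds back into the assessment.

```python
# Added illustration: a minimal risk register following the lesson's steps.
# Scales, thresholds and sample events are constructed, not NIST-defined values.
from dataclasses import dataclass


@dataclass
class ThreatEvent:
    name: str
    p_initiate: float   # likelihood a threat source initiates the event (0..1)
    p_success: float    # likelihood the event succeeds against current controls (0..1)
    impact: int         # adverse impact on a constructed 1..5 scale
    uncertainty: float  # +/- spread on the likelihood estimate (0..1)

    def likelihood(self) -> float:
        # Overall likelihood = initiation likelihood x success likelihood.
        return self.p_initiate * self.p_success

    def risk(self) -> float:
        """Risk = overall likelihood x impact, giving 0..5 on this scale."""
        return round(self.likelihood() * self.impact, 2)

    def risk_range(self) -> tuple[float, float]:
        """Best and worst case once the stated uncertainty is applied."""
        lo = max(0.0, self.likelihood() - self.uncertainty)
        hi = min(1.0, self.likelihood() + self.uncertainty)
        return (round(lo * self.impact, 2), round(hi * self.impact, 2))


def rate(risk: float) -> str:
    """Constructed thresholds for the report to the service owner."""
    if risk >= 3.0:
        return "high"
    if risk >= 1.5:
        return "moderate"
    return "low"


def maintain(event: ThreatEvent, observed_users: int, rated_users: int) -> ThreatEvent:
    """Step 4: fold a monitoring observation back into the assessment.
    If observed load already exceeds the rated capacity, success of the
    exhaustion event is no longer an estimate, so treat it as certain."""
    if observed_users > rated_users:
        event.p_success = 1.0
        event.uncertainty = 0.0
    return event


def report(events: list[ThreatEvent]) -> list[tuple[str, float, str]]:
    """Step 3: communicate, one row per event, highest risk first."""
    rows = [(e.name, e.risk(), rate(e.risk())) for e in events]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register: the firewalled server and the bandwidth case.
register = [
    ThreatEvent("break-in to firewalled server, password unknown", 0.6, 0.05, 5, 0.05),
    ThreatEvent("bandwidth exhausted by product-launch traffic", 0.5, 0.4, 3, 0.2),
]
```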