Friday, July 22, 2011

An Example Of Risk Assessment


A Risk Assessment Form (or Risk Assessment Template) should be created as the standard form used to assess security risk. The results of the risk assessment must be recorded together with the controls that management needs to act on. The following paragraphs explain the sample risk assessment.
A methodical security risk assessment is used to identify the security requirements. Before discussing the sample risk assessment using a common Risk Assessment Form, here is a short description of the systematic considerations in assessing security risk in the organization:
  1. The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
  2. The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.
The results of this security risk assessment must be registered using the following Risk Assessment Form (as a Sample Risk Assessment) that will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
This sample risk assessment uses the earlier scenario: the network connection between the Mine office and the HR building at Guinea Smelter, shown in the network diagram below.
Sample risk assessment - network diagram
For the purpose of this sample risk assessment, using the above network diagram, the security risks that are likely to affect business continuity need to be identified. All of the risks must be recorded in the following Risk Assessment Form.
Sample Risk Assessment - Table
The risks
Identify all the possible risks that are likely to affect the business. In this sample risk assessment, using the above network diagram, the risks can be identified as follows:
Risk #1: the uplink cable
  1. Business function: Single uplink backbone cable connecting both the Mine office and HR buildings.
  2. The threat: Backbone cable failure.
  3. Consequences: The computers in the Mine building will be disconnected from all network resources and network applications.
  4. Likelihood: Possible.
  5. Existing controls: The network cable is protected by a metal pipe and buried about 30 cm underground.
You still need to fill in the other columns: Consequence rating, Likelihood rating, Level of Risk and Risk Priority. To do so, the following legends should be defined so that they fit your business environment:
Consequence:
  High: $2M impact on the organization or serious strategy impact
  Medium: $500K – $2M impact on the organization or significant operating impact
  Low: $500K impact on the organization, tactical impact on the operations
Likelihood:
  1 Highly possible
  2 Possible
  3 Likely
  4 Not very likely
  5 Never
Level of Risk:
  High
  Medium
  Low
Risk Priority:
  Large degree of impact: High Risk
  Medium degree of impact: Medium Risk
  Minimal impact: Low Risk
In this sample risk assessment, “Possible” is entered in the Likelihood column and “Medium Risk” in the Consequence column (refer to the Risk Assessment Form above).
The “adequacy of existing control” column must describe the current control. In this sample risk assessment the control is not good enough to protect the network cabling from damage, since the cable is only protected inside a metal pipe buried just 30 cm underground. Moreover, a roadway for light vehicles runs above the cable.
Besides the weak control, the consequence would be a significant operating impact on all users in the Mine building. This would disrupt business continuity, with the possible impact of disconnecting all network resources and network applications.
You can assess the risks of other critical items based on the above network diagram, such as the WAN connection link, the LAN switches, the perimeter router, the Active Directory DC server, the domain name servers, the DHCP server and the other file servers in the HR building. By applying this sample risk assessment you can also develop a security risk assessment for the critical assets of your LAN (including your wireless LAN) and of your WAN (including frame relay or ISDN networks, or even a PPP connection between remote sites), and take appropriate controls to eliminate the risks or at least minimize their impact. All the possible risks must be recorded using the sample risk assessment form above.
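As an added example (not part of the original post), a small Python risk register that applies the legends above to the Risk #1 entry and to an assumed DHCP-server item from the diagram: it derives the Consequence rating from the dollar thresholds, the Likelihood rating from the 1–5 scale, and then a Level of Risk and a Risk Priority. The matrix that combines the two ratings and the dollar figures for the entries are assumptions, since the post does not give them.

```python
from dataclasses import dataclass

# Legends from the post. Likelihood rank 1 is the most likely and 5 is "Never".
LIKELIHOOD_RANK = {"Highly possible": 1, "Possible": 2, "Likely": 3,
                   "Not very likely": 4, "Never": 5}
RATING_SCORE = {"High": 3, "Medium": 2, "Low": 1}   # for Consequence and Level of Risk

def consequence_rating(impact_usd: float) -> str:
    """Map an estimated financial impact to the post's Consequence legend."""
    return "High" if impact_usd >= 2_000_000 else "Medium" if impact_usd >= 500_000 else "Low"

def level_of_risk(consequence: str, likelihood: str) -> str:
    """Combine the ratings. The post gives no combination rule, so this matrix is
    an assumption: consequence score (1..3) x inverted likelihood rank (5..0)."""
    score = RATING_SCORE[consequence] * (6 - LIKELIHOOD_RANK[likelihood])
    return "High" if score >= 10 else "Medium" if score >= 4 else "Low"

@dataclass
class RiskEntry:
    business_function: str
    threat: str
    consequences: str
    likelihood: str        # one of the LIKELIHOOD_RANK keys
    existing_controls: str
    impact_usd: float      # analyst's estimate feeding consequence_rating()

def build_register(entries):
    """Fill the derived columns and assign Risk Priority (1 = handle first)."""
    rows = []
    for e in entries:
        cons = consequence_rating(e.impact_usd)
        rows.append({"threat": e.threat, "consequence_rating": cons,
                     "likelihood_rating": LIKELIHOOD_RANK[e.likelihood],
                     "level_of_risk": level_of_risk(cons, e.likelihood)})
    # Highest level first; within a level, the more likely threat first.
    rows.sort(key=lambda r: (-RATING_SCORE[r["level_of_risk"]], r["likelihood_rating"]))
    for priority, row in enumerate(rows, start=1):
        row["risk_priority"] = priority
    return rows

# Constructed register: Risk #1 from the post plus an assumed DHCP-server item.
SAMPLE_RISKS = [
    RiskEntry("Single uplink backbone cable, Mine office to HR building",
              "Backbone Cable Failure", "Mine building loses all network resources",
              "Possible", "Metal pipe buried about 30 cm under a light-vehicle road",
              impact_usd=750_000),  # assumed figure inside the $500K-$2M Medium band
    RiskEntry("DHCP server in HR building", "Server hardware failure",
              "New clients cannot obtain addresses", "Not very likely",
              "Single server, no redundancy", impact_usd=100_000),  # assumed figure
]
```

With these inputs the uplink cable lands at Level of Risk “Medium” with priority 1, matching the “Medium Risk” entry the post records for it, and the DHCP item follows as “Low”.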