Saturday, October 6, 2012


IT-RISK IDENTIFICATION COMPONENTS


The purpose of this step is to identify the risks to the IT system. Risks arise in IT systems when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., human or environmental factors).

The process of risk identification consists of three components:

1. Identification of vulnerabilities in the IT system and its environment
2. Identification of credible threats that could affect the IT system
3. Pairing of vulnerabilities with credible threats to identify risks to which the IT system is exposed.

1. Identification of Vulnerabilities

The first component of risk identification is to identify vulnerabilities in the IT system and its environment.

There are many methodologies or frameworks for determining IT system vulnerabilities. The methodology should be selected based on the phase of its life cycle the IT system is in. For an IT system:

· Initiation Phase: The search for vulnerabilities focuses on IT security policies, planned procedures, IT system requirements definitions, and the vendor’s security product analyses.

· Definition Phase: Evaluation of the effectiveness of the planned IT security features described in the security and system design documentation.

· Implementation Phase: The identification of vulnerabilities should also include an analysis of the security features and of the technical and procedural security controls used to protect the system. These evaluations include activities such as executing a security self-assessment, applying automated vulnerability scanning and assessment tools, and conducting a third-party penetration test. Often, a mixture of these and other methods is used to obtain a more comprehensive list of vulnerabilities.

2. Identification of Credible Threats

The purpose of this component of risk identification is to identify the credible threats to the IT system and its environment. A threat is credible if it has the potential to exploit an identified vulnerability. The goal is to identify all credible threats to the IT system.

Credible threat identification fields:

· Computer Crime
· Unauthorized Access or Use
· Malicious Use
· Cyber Terrorism
· Power Loss
· Communication Failure
· Hardware Failure
· Human Error
· Air Conditioning Failure

3. Identification of Risks

The final component of risk identification is to pair identified vulnerabilities with the credible threats that could exploit them, and so to identify the risks that expose the following to significant harm:

· IT system
· The data it handles
· The organization
