Risk Assessment on Information Systems
Assignment notes: quoted citations should make up 10% or less of the text; give general information about risk assessment; an example of a risk assessment plan may be included. The instructor's prompt was: “Write 2-3 pages on a topic of interest related to course content (hint: this can be used to build content/knowledge for the final project).”

Risk assessment is necessary for any project to reduce negative impacts and malicious attacks. Risk assessment is the process of identifying hazards, analyzing and evaluating the risks associated with each hazard, and determining appropriate ways to eradicate or mitigate it. In a workplace, it is crucial to identify the things, processes, situations, and so on that may cause harm, particularly to the organization or its people. After establishing the likely risks, you evaluate how severe each risk is and then identify what measures should be used to effectively mitigate its occurrence (Kendrick, 2015).
The information and computer systems that most companies employ need to be secure. Agencies methodically identify, investigate and evaluate the information security risks connected to an information service or system, together with the controls essential to manage them. Information and data can only be protected against cybercrime, destruction and loss when effective risk assessment is done (Whitman & Mattord, 2011).
The security elements in information systems are vulnerability, threat, risk, and exposure, which require safeguards and countermeasures. A vulnerability is a hardware, software or procedural weakness. It gives an attacker an opportunity to enter a computer network and access resources without authorization. In other words, a vulnerability means the system lacks a safeguard, or has a weak one, that can be exploited. Examples are an unpatched application, an unnecessary service running on a server, unrestricted dial-in access, an open firewall port and the absence of physical security. A threat, on the other hand, is any potential danger to data and information: the possibility that a person or a piece of software will exploit the vulnerability. Risk is the probability that a threat agent takes advantage of a system vulnerability and consequently impacts the organization. Reducing vulnerabilities and threats reduces risk. For example, a firewall with several open ports carries a higher probability that an intruder will illegally access the network. Lastly, exposure is an instance of being open to losses from a hacker or other threat agent; it exposes a business to possible damage. For instance, if password management rules are not enforced, the organization is likely to have users' passwords captured and used in an unauthorized manner (Whitman & Mattord, 2011).
A risk assessment plan involves establishing a framework in which the entire project team identifies risks at each project development stage and develops mitigation strategies to avoid those risks. For an information system, the risk assessment plan first involves choosing an approach to build the program, either top-down or bottom-up (Peltier, 2005). Second, develop a risk management matrix which documents each risk and its consequence, the probability of the risk occurring, the impact to the project should the risk occur, the risk's priority (higher priority items must be mitigated before lower priority items), and the mitigation responses. Finally, establish the security controls, often classified into three groups: administrative controls (screening of people, publishing policies and guidelines, and conducting security risk awareness training), logical or technical controls (implementing and maintaining access control techniques, resource and password management, and infrastructure configuration) and physical controls (controlling access to different departments, locking systems, environmental controls, and intrusion monitoring).

References
Kendrick, T. (2015). Identifying and managing project risk: Essential tools for failure-proofing your project. AMACOM.
Peltier, T. R. (2005). Information security risk analysis. CRC Press.
Whitman, M. E., & Mattord, H. J. (2011). Principles of information security. Cengage Learning.