Sistema de blogs Diarium
Universidad de Salamanca
Pablo Gallardo's Blog
My professional web log about IT, Cybersecurity & Project Management
 

How to perform an IT Risk Assessment

This post tries to make an overview about how to perform a risk assessment of information technology (IT) assets.

Steps to perform an IT risk assessment

The summary of steps to be done are:

  1. Define scope
  2. Select a risk assessment methodology
  3. Identify asset types
  4. Identify threats
  5. Identify vulnerabilities
  6. List controls
  7. Assign controls to threats
  8. Identify main assets
  9. Identify derived assets
  10. Determine likelihood that an incident occur
  11. Assess the impact of an incident
  12. Calculate likelihood and impact after applying controls
  13. Set risk threshold
  14. Prioritize risks
  15. Set an action plan
  16. Review the results of the action plan

1. Define scope

Define scope.

2. Select a risk assessment methodology

You can find a list of assessment methodologies on this post.

3. List asset types

Make a catalog of possible asset type classification.

4. List threats

Make a catalog of possible threats.

5. List vulnerabilities

Make a catalog of possible vulnerabilities.

6. List controls

You can find some references that have already listed controls, so you can reuse them.

One reference is ISO 27002.

Since ISO 27002:2022, each control is linked to the NIST Cybersecurity Framework Core functions (Identify, Protect, Detect, Respond, and Recover). This assignment is also available in the table “Framework Core” of the document “Framework for Improving Critical Infrastructure Cybersecurity” by NIST.

7. Assign controls to threats

Assign controls to the threats where they are relevant.

7b. Assign threats to asset types

Also assign threats to asset types.

Until this steps all of them were generic and can be reused from one risk to another. From now on, they will be unique for each risk assessment.

8. Identify main assets

Identify the main assets under scope.

9. Identify derived assets

Identify the assets that are related to the main assets, and that should be taken into account to assess risk.

9. Assign threats to assets

As each asset has an asset type, you can assign a set of threats to each existing asset.

10. Determine likelihood that an incident occur

Set a value to the likelihood that an incident provoked by a threat occur.

11. Assess the impact

Assess the impact of the incident provoked by a thread happening.

12. Calculate likelihood and impact after applying controls

Repeat the two previous steps taking into account already applied controls.

13. Set risk threshold

Determine what is the risk threshold that you need.

14. Prioritize risks

As resources are limited, you cannot make.

Make an action plan of actions to be taken, and a date.

15. Review the results of the action plan

Review the results of the action plan based on the assigned dates.

Risk analysis should be repeated periodically.

pmgallardo

About pmgallardo

I studied Computer Science at University of Salamanca. Since then, I have been working first as developer and then as SAP consutant. This blog is about problems I dealt when using computers, and more important, the solutions I found. Whenever I am on an issue and suddenlly I have a flash that leads me to a solution, I document my discoveries in a post.

, , , , , , , ,

No comments yet.

Leave a Reply


*

Política de privacidad
Studii Salmantini. Campus de excelencia internacional