Risk analysis is a key component. It is a way of making sure that the data used to reason about risk is consistent and based on evidence. This has to be confirmed at each step and agreed by everyone who has a stake in the outcome. All of the data needs to be retained, monitored for changes, and measured against a consistent framework chosen in advance, so that the results are comparable at the end.
- Starting with the Asset Register is the best way to identify the components. It should list every asset in the ecosystem and the whole IT infrastructure, so we know how the business is put together and what it is worth. The person doing the review should make sure they have an up-to-date list of valid threat assessments for the assets in that infrastructure, sourced from reputable threat assessment providers.
- We should also assess how vulnerable the assets are and how exposed they are to threats. This can be done by measuring and scanning the systems to see how they are built.
- We can also see how the system was built and what it is exposed to by examining the infrastructure. Next, all of the stakeholders in this system should be consulted and agree on the impact values if the system fails in different scenarios.
- Lastly, all of the components should be documented and updated whenever anything changes. Once we have these, we can start the risk assessment process.
The following components are included in the Risk Analysis:
- Assets – Risks are based on quantifying the impact of a threat event on a particular asset. Assets are the core infrastructure components that enable the business to operate, consisting of people, technology or ICT, information, and the physical environment. These are all related to and dependent on each other, and the risk assessment must consider these relationships as part of the process. For example, a failure in the physical environment will impact the ICT systems and the data or information held on those systems.
- Threats – are, for example, a malware attack that disrupts the computer and network systems and makes them unusable, or an outside attacker who gets into the system and steals data or takes control of it. In truth, many threats are not deliberate attacks at all, but they can still have the same effect. For example, if the power fails or a piece of hardware breaks, the system becomes inaccessible or corrupted. If a user misunderstands a process, data could be changed, deleted, or sent somewhere it will not be safe. An operating centre can be destroyed by severe weather, a tsunami, or an earthquake. Equipment can be destroyed by a fire or an internal flood. Many of these problems are caused by poor design or a lack of clarity about the process. Carrying out a high-level threat assessment early in the life of a system helps ensure these problems are fixed before the system goes live or the threats materialise.
- Vulnerabilities – are weaknesses in the system (technology, people and process) that may be exploited to cause harm.
- Impact – Impact on the business is the main criterion for selecting controls and for ensuring that executives fully understand the consequences of their decisions. This lets the enterprise risk assessment programme compare the different parts of an organization’s risk profile against the same criteria, which are usually financial. All effects of risk can be measured in terms of what they cost the business; actuaries have built an entire industry on this idea. So, even though you might expect a failure in the cyber infrastructure to have a big effect, it may not be that serious compared with other business functions and risks.