Phase one: Assess. Vulnerabilities assessment. Take a look at the network, systems, data, and processes and understand where are some weaknesses that need to be addressed. In this phase organization needs to identify the assets (Physical and logical assets, data center, desktops, network devices, …show more content…
Risk management is the process of identifying the risk, represented in vulnerabilities and threats, to an organization’s information assets, and taking necessary steps in order to reduce the risk to an acceptable level. Risk is the possibility that something bad will happen to the organization’s information asset. To be more specific, risk is the likelihood of the vulnerability to be exploited multiplied by the value of the asset, after security controls were applied to mitigate it. Vulnerability is the weakness that allows exploitation in order to harm organization’s information asset. Threat is anything with potential to harm the organization’s information asset. One of the critical success factors to an information security program is having an Information Risk Management Policy. IRM policy is a map of business objectives to security, management’s support, security goals, and …show more content…
Identifying assets for review is done by the managers of the environment under review. They will also work wit the security project manager. Asset identification and values related to it is the crucial to the business. In this part assets need to be identified especially one critical for the business operations. Assets can be physical or logical like datacenters, desktops, remote systems, network devices, systems that process, manage, and store personal information. This is done by documentation review, interviews with business managers, and technical experts. Evaluate importance of the assets – After assets are identified, certain value needs to be assign to them in terms of how much business impact those assets have. After the value is determined, data needs to be classified by importance, which would further impact risk reduction plan. Further Vulnerabilities need to be identified. This is done by vulnerability scanners, penetration testing, and checklists. After vulnerabilities are identified, we should proceed and identify threats that can harm or affect critical operations and assets. The next step is to develop a Risk Profile which lets us analyze and rank risks according to their impact to the environment. Lastly, risk reduction plan needs to be developed. Here we need to evaluate existing