Step 1
UNDERSTAND YOUR GOALS
Before actually conducting a risk assessment it is absolutely necessary to understand the goals of your undertaking. What is the end result to which you are working? This can be anything from compliance with government mandated policies to ensuring that physical security is up to snuff in a particular environment. Each of these goals will require a certain approach so it is very important to clearly identify the goal(s) of your assessment.
(For the purposes of this article the goal on which I will focus is compliance with government mandated policies).
Step 2
UNDERSTAND THE VALUE
The next thing to establish before beginning the assessment is the value assigned to the asset being protected. This asset can take the form of intellectual property (sensitive data), a tangible object or a location restricted to specific access. Identifying this value is essential to evaluating any threat discovered during the assessment, as it serves as the point of comparison when deciding which safeguards are justified. This will be discussed in more detail further in the article.
Step 3
UNDERSTAND THE BUSINESS
Once the goal and asset valuation have been established, the next step is to understand the type of business or entity you are assessing. In which industry does your client or organization do business? Are you assessing a financial institution? Healthcare? Government? Non-Profit Organization?
When you have identified the type of organization you are assessing, you should then identify the individual core components that make up this organization. For example, if you are assessing a Healthcare entity, some core components or departments might be areas like: Patient Billing, Laboratory Services, Administration, Medical Records, Human Resources, etc. (To gather a more in-depth list, it is beneficial to interview an administrative contact in the organization who can help you identify core areas and their respective department heads. A company organization chart can also be very useful in identifying important areas).
It is useful to interview said department heads to break down their respective areas to their daily functions. This will permit you as the assessor to fully understand how a specific area of the hospital may interact with sensitive data, how that information is used and disseminated and what safeguards are in place to protect this information during its daily flow.
You may come to find that a department like Human Resources (HR) collects large portions of personal information from candidates and current employees and may even use multiple ancillary systems to store and process this information in a central location. During your assessment process you may discover that HR has a need to transfer this information to external third parties to conduct background screenings, credit checks, etc. The transferring of this information may occur through the use of external systems like third party web applications, etc.
Understanding the manner in which information is used will allow you to understand how the business generates revenue and get a better sense of which areas are indeed critical. To assess the security of the existing controls in each core department and start identifying deficiencies, we are brought to the next step, which is the proper structuring of your assessment.
Step 4
STRUCTURE YOUR ASSESSMENT
What exactly does this mean? To illustrate – when you visit the mechanic for an inspection of your car, the mechanic has a structure that might be called a 70 point inspection. This means that they will be checking your tires, fluid levels, emission controls, etc. This shows that the inspection or assessment of your car has a defined structure that is used to assess your car completely. This allows the identification of any problem areas. The benefit is that this structure can then be applied to any car with minor modifications depending on the vehicle type.
How do we apply this logic to a risk assessment? What structure can we use? One suggestion is to use the ISO17799/27001 standard which covers areas such as:
• Security Policies – This section covers items such as organization policies and procedures.
• Security Organization – Items such as an Information Security program, third party access and outsourcing are addressed.
• Asset Classification and Control – This addresses accountability for tangible assets such as hardware, intellectual property, etc.
• Personnel Security – This section addresses HR related functions like background screens and responding to incidents.
• Physical Security – Environment security and secure office areas are covered in this section.
• Access Control – Procedures to control access to sensitive information or locations are addressed.
This list is just a snippet of what can become your Information Security “70 Point Inspection” or assessment approach. Once you have created the structure of your assessment, this formula can then be applied to any organization (barring minor modifications) since these areas affect all types of entities.
Step 5
IDENTIFY THE POLICIES THAT APPLY TO YOUR BUSINESS
Understanding how your organization conducts business will allow you to identify pertinent policies or government mandates specific to your industry. Depending on the policy and business model of your organization – minor modifications to your structure may be necessary. For example, a small business that sells sea shells will have very different physical security requirements than a hospital. During your assessment you will have to modify the areas that may not apply or that need to be changed to address your client’s manner of conducting business.
Here is one very simple example - HIPAA requires that patient information be protected by a certain set of controls such as encryption. When executing the assessment you should be very interested to find out if the organization’s Security Policies specify that encryption must be used. If they do not, then this may be a potential finding.
Here is another example – since HIPAA specifies that patient data be protected, when conducting the assessment you should also be very interested to ascertain that the client’s Security Organization makes provisions, if needed, for secure Third Party Access and that access to sensitive information is handled in a way that adheres to HIPAA guidelines.
Step 6
BUILDING YOUR ASSESSMENT REPORT
In conclusion, once you’ve identified the core components and related policies that apply to this organization you can now organize your assessment report into neat sections that will provide a summary of findings for each core area. This will allow you to document and explain your findings in a logical and coherent manner.
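As an added illustration of Steps 4 through 6 (not code from the article or from SECURASYS), the following Python models the assessment structure as data: control areas from the ISO list, mandates mapped onto those areas, and departments with their asset value and observed controls. The department names, control descriptions and the single HIPAA mapping are constructed sample values; a gap becomes a finding, ranked by the asset value from Step 2 and grouped by control area so the output already has the shape of the report sections in Step 6.

```python
# Added example, not part of the original article: a small gap-analysis model of
# the assessment structure. All departments, controls and scores are constructed
# sample data, not real client information.
from collections import defaultdict

# Step 4: the "70 point inspection" structure, one entry per ISO 17799/27001 area.
CONTROL_AREAS = ["Security Policies", "Security Organization",
                 "Asset Classification and Control", "Personnel Security",
                 "Physical Security", "Access Control"]

# Step 5: mandates mapped onto the structure. Each requirement names the area
# it belongs to and the control evidence the assessor expects to find.
REQUIREMENTS = {
    "HIPAA": [
        ("Security Policies", "policy mandates encryption of patient data"),
        ("Security Organization", "third-party access provisions documented"),
        ("Access Control", "access to patient data restricted by role"),
    ],
}

# Steps 2 and 3: core departments, the value (1-5) of the data they handle and
# the controls observed during interviews. Constructed sample.
DEPARTMENTS = {
    "Medical Records": {"asset_value": 5, "controls": {
        "access to patient data restricted by role"}},
    "Patient Billing": {"asset_value": 3, "controls": {
        "policy mandates encryption of patient data",
        "third-party access provisions documented"}},
}

def assess(departments, applicable, requirements=REQUIREMENTS):
    """Return findings grouped by control area (the Step 6 report sections).

    A finding is recorded when a required control is absent; its risk score is
    the department's asset value, so the same gap ranks higher where the data
    being protected is worth more (the comparison point from Step 2)."""
    report = defaultdict(list)
    for dept, info in departments.items():
        for mandate in applicable:
            for area, control in requirements[mandate]:
                if control not in info["controls"]:
                    report[area].append({"department": dept, "mandate": mandate,
                                         "missing": control,
                                         "risk": info["asset_value"]})
    # Keep the structure's own ordering of areas, and lead each section with
    # the highest-risk deficiency; areas with no findings are omitted.
    return {area: sorted(report[area], key=lambda f: -f["risk"])
            for area in CONTROL_AREAS if report[area]}

if __name__ == "__main__":
    for area, findings in assess(DEPARTMENTS, ["HIPAA"]).items():
        print(area)
        for f in findings:
            print(f"  [risk {f['risk']}] {f['department']}: missing {f['missing']}")
```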
Jesse Valentin, CISSP is an Independent Security Consultant with SECURASYS, LLC. (www.securasys.net).