IT Risk Assessment

Aligning security risk with business objectives

The knowledge gained through an IT risk assessment helps guide an organization in making rational decisions to improve security posture and align risk with acceptable tolerance levels.

Assessing Risk

Understanding Security Risk

  • Asset = a resource the organization values (data, a system, a service, its reputation)
  • Vulnerability = a weakness in that asset that can be exploited
  • Threat = an actor or event capable of exploiting the vulnerability
Risk = Asset x Vulnerability x Threat. The product form is the point: if any factor is zero (nothing of value, no weakness, or nobody able and willing to exploit it) there is no risk, which is why risk can be treated by working on any of the three.

Security Roles in Business

Roles & Responsibilities

  • IT Manager - Understand and present security risks
  • CIO - Quantify risks
  • Executive Suite - Determine organization's acceptable risk level and manage resources accordingly

Effective Security Risk Management

By understanding information security risk and the impact it may have on an organization, Pratum’s security consultants set the foundation for a formalized IT risk management program. Risk management is the ongoing process of identifying, assessing and responding to risk. As the first step in that cycle, a risk assessment measures how effective the current security program is and serves as the baseline for subsequent policy and control decisions.

Risk management cycle: Risk Assessment -> Policy Development -> Control Selection -> Control Implementation -> Control Audit, with the audit results feeding the next risk assessment.

Reasons for IT Risk Assessment

IT risk assessments let organizations make educated security decisions. Knowing where the risk actually lies prevents arbitrary action, such as funding controls that do not address the most significant exposures. The process is designed to help IT departments find and evaluate risk while staying aligned with business objectives.

  • Identify asset vulnerabilities
  • Gather threat and vulnerability information
  • Identify internal and external threats
  • Identify potential business impacts and likelihoods
  • Determine risk
  • Identify and prioritize risk responses

Beyond baselining an organization’s security posture, an information security risk assessment is also a foundational requirement of federal regulations such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), whether stated directly (the HIPAA Security Rule requires a risk analysis) or through their implementing rules. The Payment Card Industry Data Security Standard (PCI DSS) likewise requires merchants of all sizes to perform due diligence in assessing risk in their technology operations.

Understanding The Process

Step 1: Prepare for IT Risk Assessment

To perform an effective IT risk assessment, first identify its purpose: the information the assessment is intended to produce and the decisions it is intended to support. Preparation also fixes the scope (which systems, business processes and time frame), the assumptions and constraints, the sources of threat and vulnerability information, and the risk model and rating scales that will be used, so that results are comparable from one assessment to the next.


Step 2: Conduct the IT Risk Assessment

The second step in the IT risk assessment process is to conduct the assessment. The objective of this step is to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions. To accomplish this objective, organizations analyze threats and vulnerabilities, impacts and likelihood, and the uncertainty associated with the risk assessment process.

Identify Threat Sources

Identify and characterize threat sources of concern, including capability, intent and targeting characteristics for adversarial threats and range of effects for non-adversarial threats.

Identify Threat Events

Identify potential threat events, relevance of the events and the threat sources that could initiate the events.

Identify Vulnerabilities and Predisposing Conditions

Identify vulnerabilities and predisposing conditions that affect the likelihood that the threat events of concern result in adverse impacts.

Determine Likelihood

Determine the likelihood that threat events of concern result in adverse impacts, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events.

Determine Impact

Determine the adverse impacts from threat events of concern, again considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities/predisposing conditions identified; and (iii) the susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. Impact is rated on the harm a successful event would do (to operations, assets, individuals and the organization's mission), independent of how likely the event is; rating it on the same scale as likelihood is what allows the two to be combined in the next task.

Determine Risk

Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring.
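The six tasks above, run end to end as an added example that is not code from the original page and not Pratum's own method. It takes threat sources (capability, intent and targeting for adversarial ones, range of effects for non-adversarial ones), threat events with their vulnerabilities and countermeasures, and produces a risk register ordered by risk level. The five-level rating scale is the qualitative scale of NIST SP 800-30 Rev. 1, whose Step 2 tasks this section follows; the rules that turn ratings into a risk level (weakest of the three adversary characteristics for initiation, one level off per level of countermeasure strength, the lower of initiation and success likelihoods, and the risk matrix) are assumptions made for the example, not the standard's reference tables, and every threat source, event and rating is constructed.

```python
"""Step 2 worked through in code: threat sources, threat events, vulnerabilities
and countermeasures go in, a risk register ranked by risk level comes out.
Added illustration, not code from the original page or from Pratum. Every
source, event and rating is constructed; the combination rules are assumptions."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]   # SP 800-30 style
SCORE = {name: i for i, name in enumerate(LEVELS)}               # 0 .. 4

def to_level(score: int) -> str:
    """Map an integer score back onto the scale, clamping at both ends."""
    return LEVELS[max(0, min(len(LEVELS) - 1, score))]

@dataclass
class ThreatSource:
    name: str
    adversarial: bool
    capability: str = "Moderate"        # adversarial sources are characterized
    intent: str = "Moderate"            # by capability, intent and targeting
    targeting: str = "Moderate"
    range_of_effects: str = "Moderate"  # non-adversarial sources by range of effects

    def initiation_likelihood(self) -> str:
        # Assumption: an adversary needs capability, intent and targeting
        # together, so the weakest of the three sets the level.
        if self.adversarial:
            return to_level(min(SCORE[self.capability], SCORE[self.intent],
                                SCORE[self.targeting]))
        return self.range_of_effects

@dataclass
class ThreatEvent:
    description: str
    source: ThreatSource
    vulnerability_severity: str    # exploitable weakness, before controls
    countermeasure_strength: str   # safeguards planned or implemented
    impact: str                    # adverse impact if the event succeeds
    relevant: bool = True          # irrelevant events drop out of the register

    def likelihood_of_adverse_impact(self) -> str:
        # Assumption: each level of countermeasure strength lowers the
        # vulnerability severity by one level, floored at Very Low.
        return to_level(SCORE[self.vulnerability_severity]
                        - SCORE[self.countermeasure_strength])

    def overall_likelihood(self) -> str:
        # Assumption: the event must be initiated AND succeed, so the lower
        # of the two likelihoods governs.
        return to_level(min(SCORE[self.source.initiation_likelihood()],
                            SCORE[self.likelihood_of_adverse_impact()]))

# Risk as a function of likelihood (rows) and impact (columns). This matrix is
# the example's own; SP 800-30 Rev. 1 Appendix I holds the reference table.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def risk_level(likelihood: str, impact: str) -> str:
    return RISK_MATRIX[likelihood][SCORE[impact]]

def assess(events: list) -> list:
    """Risk register: relevant events only, highest risk first, ties by likelihood then impact."""
    register = []
    for ev in events:
        if not ev.relevant:
            continue
        likelihood = ev.overall_likelihood()
        register.append({"event": ev.description, "source": ev.source.name,
                         "likelihood": likelihood, "impact": ev.impact,
                         "risk": risk_level(likelihood, ev.impact)})
    register.sort(key=lambda r: (SCORE[r["risk"]], SCORE[r["likelihood"]],
                                 SCORE[r["impact"]]), reverse=True)
    return register

# Constructed sample input for a small organization (not real assessment data).
CRIME = ThreatSource("Financially motivated intruder", adversarial=True,
                     capability="High", intent="Very High", targeting="High")
ADMIN = ThreatSource("Careless administrator", adversarial=False,
                     range_of_effects="Moderate")
FLOOD = ThreatSource("Regional flooding", adversarial=False,
                     range_of_effects="Low")
SAMPLE_EVENTS = [
    ThreatEvent("Credential phishing leads to ransomware on file servers",
                CRIME, "Very High", "Low", impact="Very High"),
    ThreatEvent("Misconfigured backup job deletes the production database",
                ADMIN, "High", "Moderate", impact="High"),
    ThreatEvent("Flood disables the primary data center",
                FLOOD, "Moderate", "High", impact="Very High"),
    ThreatEvent("Intruder exploits an internet-facing legacy application",
                CRIME, "High", "Very Low", impact="Moderate"),
    ThreatEvent("Toll fraud against a PBX the organization no longer runs",
                CRIME, "High", "Very Low", impact="Low", relevant=False),
]
```

Calling assess(SAMPLE_EVENTS) returns four rows in the order Very High (ransomware), Moderate (legacy application), Low (backup job), Low (flood); the toll-fraud event is dropped at the relevance check rather than scored. The flood event is the edge case worth noticing: strong countermeasures against a moderate weakness push the likelihood of adverse impact below the bottom of the scale, and the register records Low risk despite a Very High impact, which is exactly the kind of rating a reviewer should be able to trace back to the rule that produced it. In a real assessment the combination rules and the matrix are agreed in Step 1 and then used unchanged, so that results can be compared across assessments.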


Step 3: Communicating and Sharing IT Risk Assessment Information

The third step in the IT risk assessment process is to communicate the assessment results and share risk-related information. The primary vehicle is the risk assessment report, which records the scope, assumptions and rating scales, the prioritized list of risks and the evidence behind each rating, so that decision makers across the organization have the risk-related information needed to inform and guide risk decisions, and so that each rating can be re-examined when conditions change.


Step 4: Maintaining the IT Risk Assessment

The fourth step in the IT risk assessment process is to maintain the assessment. Threat sources, vulnerabilities, controls and the business itself change, so the risk factors identified in the assessment are monitored and the assessment is updated when they do; only a current assessment can support informed risk management decisions and guide risk responses.