Friday, September 7, 2007

RISK ASSESSMENT On IT Infrastructure

Objective:
To develop a risk assessment method to safeguard the Information System assets of an organization.

Elements that identify and analyze the risks faced by an organization, and the ways these risks can be managed.
The IS auditor or IS security administrator is responsible for developing the risk assessment method.
Risk assessment is the process of identifying vulnerabilities and threats to an organization's information resources or IT infrastructure that could affect the achievement of business objectives, and deciding what countermeasures, if any, to take to reduce risk to an acceptable level, based on the value of the information resource to the organization. This concept is summarized in the following equation:

Mathematical Equation:
Total Risk = Threats x Vulnerability x Asset Value

Generally, risk can be transferred, rejected, reduced or accepted at a high, medium or low level of risk, but risk is never eliminated.
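As an added example (not part of the original post), the following small risk register applies the equation above to a constructed asset inventory, ranks the assets, and maps each one to a risk level and to one of the four treatment options named above. The 1-5 scoring scales, the level thresholds and the treatment mapping are assumptions for illustration only.

```python
# Added example: a risk register built on Total Risk = Threats x Vulnerability x Asset Value.
# Scales, thresholds and the treatment mapping are assumptions, not the post's own method.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    asset_value: int    # 1 (negligible) .. 5 (critical), assumed scale
    threat: int         # likelihood that a threat acts on the asset, 1..5
    vulnerability: int  # ease of exploiting a weakness, 1..5

    def total_risk(self) -> int:
        # The post's equation, so scores range from 1 to 125 on 1..5 scales
        return self.threat * self.vulnerability * self.asset_value


def risk_level(score: int) -> str:
    # Thresholds are an assumption chosen for the 1..125 range
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


def treatment(asset: Asset) -> str:
    """One of the post's options: transfer, reject, reduce or accept.
    Even 'accept' leaves residual risk; risk is never eliminated."""
    level = risk_level(asset.total_risk())
    if level == "high" and asset.asset_value >= 4:
        return "transfer"   # e.g. insurance, listed under system-level assessment
    if level == "high":
        return "reject"     # avoid the activity or retire the asset
    if level == "medium":
        return "reduce"     # apply preventive, detective or corrective controls
    return "accept"


def risk_register(assets):
    """Return (name, score, level, treatment) tuples, highest risk first."""
    rows = [(a.name, a.total_risk(), risk_level(a.total_risk()), treatment(a)) for a in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample inventory (scores in comments)
SAMPLE_ASSETS = [
    Asset("customer database", asset_value=5, threat=4, vulnerability=4),   # 80, high
    Asset("internal wiki", asset_value=2, threat=3, vulnerability=3),       # 18, low
    Asset("public web server", asset_value=3, threat=5, vulnerability=3),   # 45, medium
    Asset("legacy FTP service", asset_value=3, threat=5, vulnerability=5),  # 75, high
]

if __name__ == "__main__":
    for name, score, level, action in risk_register(SAMPLE_ASSETS):
        print(f"{name:20} risk={score:3} level={level:6} treatment={action}")
```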

Existing Risk Assessment:
Developing a Risk Assessment Program:
A risk management and assessment program is developed in the following ways:
A: Establish the purpose and objectives of the risk assessment program.
B: Assign responsibilities for the risk assessment plan.
Risk assessment process (asset identification and classification)

Proposed Risk Assessment Method:
A) Management Level Policy Planning for Assessment:
• Preventive control
• Detective control
• Corrective control

Current Risk Assessment Tools:

| Product | Company | Website | Focus |
|---|---|---|---|
| CRAMM | Insight Consulting Ltd. | www.insight.co.uk/cramm/ | Government, Public Sector |
| CORA | International Security Technology Inc. | | Telecom, Logistics, Government, IT |
| COBRA | C&A Systems Security Ltd. | www.security-risk-analysis.com | Enterprise |
| Risk Check | Norman Security Solutions | www.norman.com | Enterprise |
| RiskPAC | CSCI Inc. | www.csciweb.com | Business Continuity |
| RiskWatch | Risk Watch, Inc. | www.riskwatch.com | HIPAA, DITSCAP, NIACAP |
| The Buddy System | Alion Science & Technology Inc. | www.buddysystem.net | IT |


B) System level assessment:
• Disaster Recovery Plan (DRP)
• Emergency Plan
• Backup Plan
• Recovery Plan
• Test Plan
• Others:
  - Insurance
  - BCP


Benefits:
Minimizes the risk factor to the lowest level.

Therefore, we are able to safeguard the IS infrastructure and assets (data, hardware, software, network) from intruders, hackers, and external vendors or contractors.

The risk management and assessment method that ensures protection, data integrity, effectiveness and efficiency must be designed and implemented according to the business objectives of the organization.

1 comment:

Gexton said...

Elements that identify and analyze the risks faced by an organization and the ways these risks can be managed.
Consulting Advisory Saudi Arabia
Feasibility Study Consultants Saudi Arabia