Hi,
I have recently been tasked to perform a risk assessment of our organization's data centre. Please help me with how and where to start the process.
Thanks
There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start. It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.
It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.
@Steve-Wilme wrote: There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start. It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.
It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.
I am in the process of building a risk register; below are the fields. Please suggest whether it is OK to start with.
risk id | risk description | risk owner | risk cause | likelihood | impact | impact type | inherent risk rating | residual risk | recommended mitigation | treatment owner | treatment date
R1 | data centre may go down and availability can be impacted | DGIT | High surge from Grid | Moderate | VERY HIGH | financial | | | SURGE ARRESTOR SHOULD BE INSTALLED | MANAGER NETWORK |
R2 | Authorized staff are unable to manage card access, change authorization levels or verify card holder identity, and they cannot use any web-based applications. Access control doors and video cameras may lose their connection to the system during a server failure. | DGIT | Access Control Server Failure | LOW | High | | | | cluster software installed on multiple servers | |
Fields you'll probably need to capture, though not all will be populated for all risks, given some result from human agency and some from natural causes:
Unique Id - unique id for the risk
Date Identified - when the risk was first identified
Threat Source - the source of a threat may be different from the specific actor involved e.g. organised crime
Threat Actor - the actor who causes a threat may be different from the source e.g. malware author hired to target particular firm by organised crime
Threat Description - a description of what the threat is e.g. theft of mobile assets
Inherent Likelihood - description of probability
Inherent Impact Description - states what kind of impact
Inherent Impact - states the aggregate cost if the risk is realised
Generic treatment option - avoid, transfer/share, reduce or accept
Current controls - the controls that are currently in place that affect likelihood or impact. Also record the type of control i.e. deter, prevent, detect, response, recovery
Cost of current controls - capture the costs associated with operating the controls
Current Likelihood - in recognition that there will be controls in place
Current Impact - in recognition that there will be controls in place
Target Likelihood - this relates to whether the current level is still above risk appetite
Target Impact - in recognition that there will be controls in place
Treatment plan - actions required to get to target level
Risk Owner - who in the organisation, at senior level, owns the risk.
Risk Manager - who is implementing the current treatment plan
You may also want to consider how the risks can be structured to avoid duplicates/overlaps.
Thanks
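As an added illustration (not code from any poster in this thread), a small Python model of the register fields listed above: inherent versus current (residual) rating once existing controls are recorded, the generic treatment option checked against a risk appetite, and a duplicate check on shared cause. The 5-point scale, the likelihood x impact scoring rule, the band thresholds and the appetite value are all assumptions; the two seeded rows are constructed from the R1/R2 rows posted earlier.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Ordinal scales (assumed 5-point scale; the posted rows use LOW / Moderate / High / VERY HIGH).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}

def score(likelihood: str, impact: str) -> int:
    """Rating = likelihood x impact on the 1..5 scales (assumed scoring rule)."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]

def band(s: int) -> str:
    """Bucket a 1..25 score into a rating band (constructed thresholds)."""
    return "critical" if s >= 15 else "high" if s >= 10 else "medium" if s >= 5 else "low"

@dataclass
class Risk:
    risk_id: str
    description: str
    risk_owner: str
    cause: str
    inherent_likelihood: str
    inherent_impact: str
    impact_type: str = ""
    current_likelihood: Optional[str] = None  # re-assessed with existing controls in place
    current_impact: Optional[str] = None
    treatment: str = ""
    treatment_owner: str = ""

    def inherent(self) -> int:
        return score(self.inherent_likelihood, self.inherent_impact)

    def residual(self) -> int:
        """Current rating; with no controls recorded it stays equal to the inherent rating."""
        return score(self.current_likelihood or self.inherent_likelihood,
                     self.current_impact or self.inherent_impact)

    def option(self, appetite: int) -> str:
        """Generic treatment option: accept if within appetite, else reduce (assumed rule)."""
        return "accept" if self.residual() <= appetite else "reduce"

def overlaps(register: list) -> list:
    """Pairs of risks sharing a cause: candidates for merging (duplicate/overlap check)."""
    return [(a.risk_id, b.risk_id) for a, b in combinations(register, 2)
            if a.cause.lower() == b.cause.lower()]

REGISTER = [  # constructed from the thread's R1/R2 rows; R2 control effect is assumed
    Risk("R1", "data centre may go down, availability impacted", "DGIT", "high surge from grid",
         "Moderate", "Very high", "financial", treatment="surge arrestor", treatment_owner="manager network"),
    Risk("R2", "access control server failure stops card management", "DGIT",
         "access control server failure", "Low", "High", current_likelihood="Very low",
         treatment="cluster software on multiple servers"),
]

def summarise(register: list, appetite: int = 6) -> dict:
    """risk_id -> (inherent score, residual band, treatment option)."""
    return {r.risk_id: (r.inherent(), band(r.residual()), r.option(appetite)) for r in register}
```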
@tanveer wrote: Hi,
I have recently been tasked to perform a risk assessment of our organization's data centre. Please help me with how and where to start the process.
Thanks
Tanveer,
Please tell us what research you have done on the topic of risk assessment, particularly what resources (books, standards, journals, etc.) you have identified as possible guides. With that information, the members here will be able to give you pros and cons on different frameworks and processes you might be able to use. One framework already identified for you is ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirement... but there are others that may also be helpful. Others I suggest you investigate are NIST Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments, and SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle .... SP 800-30 and 800-37, like all NIST publications, are free.
You will have to invest some money for some of the resources, and time in studying them. Although a few ISO/IEC standards are free, many are not.
Good luck!
Craig
Like the others said, there are frameworks to build on, like NIST 800-37 RMF, or you can use COBIT 5.
Start from asset identification, identify key business processes, do threat modelling and estimate the likelihood and impact, then build risk scenarios, and finally those risk scenarios will go into the risk register.
COBIT 5 is from ISACA, but if you google "COBIT 5 risk scenarios" and "COBIT 5 risk register", there are many samples on the internet.
Should I start by identifying assets or identifying risks, i.e. asset-based risk assessment or risk-based risk assessment?
See the fields which I mentioned in the reply above.
@tanveer The normal process is to actually identify the assets and categorise them, remembering many assets can actually be either tangible, i.e. physical, or intangible, i.e. they can be information or data. Plus see if you can also identify whether the particular assets have an owner or someone who is responsible for them too. It would also be useful to put down where they are located and any other general observations, such as whether they are protected physically and by what, etc.
This all helps you build up a picture of the what, where and how of the assets themselves.
Regards
Caute_cautim
@tanveer wrote: Should I start by identifying assets or identifying risks, i.e. asset-based risk assessment or risk-based risk assessment?
See the fields which I mentioned in the reply above.
Tanveer,
I fear you are asking for more hand-holding and detailed instruction in the arena of risk management and risk assessment than is appropriate or possible for even wise old (and highly opinionated) folks on this forum. I suggest it is time for you to go read (at least skim for overall familiarity) ISO/IEC 27001, NIST SP 800-30, ISACA COBIT, and the Center for Internet Security (CIS) Top 20 Controls, then come back here when you have specific questions based on your knowledge of those important references.
Knowledge of all of those resources is very important grounding for every CISSP, no matter which domain(s) we operate in.
Based on the nature of your own organization, you will have to decide, with internal consultation, which framework to follow and how deep to pursue the assessment details. You can go for a two-page quick-and-dirty or a large-team big book, or anywhere in between.
Good luck!
Craig
p.s. I see your CISSP badge here on the forum is brand new (2/10/2020). I realize that could be the date you joined the forum, but if that is recently earned, congratulations!