tanveer
Newcomer I

Risk Assessment

Hi,

I have recently been tasked with performing a risk assessment of our organization's data centre; please help me with how and where to start the process.

Thanks

14 Replies
Steve-Wilme
Advocate II

There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start.  It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.  

 

It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
tanveer
Newcomer I


@Steve-Wilme wrote:

There are a number of InfoSec risk assessment methods, but looking at something like ISO 27005 would be a reasonable place to start.  It's easy to get lost in the techniques involved in each method, which is why I'd suggest sticking with something simple.  

 

It'd also be worth examining how you'd fit your risk assessment process in with any other risk management methods in use within your organisation.

 



I am in the process of building a risk register; below are the fields. Please suggest whether it is OK to start with.

 

| Risk ID | Risk description | Risk owner | Risk cause | Likelihood | Impact | Impact type | Inherent risk rating | Residual risk | Recommended mitigation | Treatment owner | Treatment date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R1 | Data centre may go down and availability can be impacted | DGIT | High surge from grid | Moderate | VERY HIGH | Financial | | | SURGE ARRESTOR SHOULD BE INSTALLED | MANAGER NETWORK | |
| R2 | Authorized staff are unable to manage card access, change authorization levels or verify card holder identity, and they cannot use any web-based applications. Access control doors and video cameras may lose their connection to the system during a server failure. | DGIT | Access Control Server Failure | LOW | High | | | | Cluster software installed on multiple servers | | |
Steve-Wilme
Advocate II

Fields you'll probably need to capture, but not all will be populated for all risks, given that some result from human agency and some from natural causes:

 

Unique Id - unique id for the risk

Date Identified - when was the risk first identified

Threat Source - the source of a threat may be different from the specific actor involved e.g. organised crime

Threat Actor - the actor who causes a threat may be different from the source e.g. malware author hired to target particular firm by organised crime

Threat Description - a description of what the threat is e.g. theft of mobile assets

Inherent Likelihood - description of probability

Inherent Impact Description - states what types of impact

Inherent Impact - states the aggregate cost if the risk is realised

Generic treatment option - avoid, transfer/share, reduce or accept

Current controls - the controls that are currently in place that affect likelihood or impact.  Also record the type of control i.e. deter, prevent, detect, response, recovery

Cost of current controls - capture the costs associated with operating the controls

Current Likelihood - in recognition that there will be controls in place

Current Impact - in recognition that there will be controls in place

Target Likelihood - this will relate to if the current level is still above risk appetite

Target Impact - in recognition that there will be controls in place

Treatment plan - actions required to get to target level

Risk Owner - who in the organisation at senior level owns the risk.

Risk Manager - who is implementing the current treatment plan

 

You may also want to consider how the risks can be structured to avoid duplicates/overlaps.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
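An added example, not code from this thread or any of its posters, that models a register entry with the fields Steve lists and rates it. The ordinal scales, the likelihood-times-impact scoring and the appetite threshold are assumptions; ISO 27005 and NIST SP 800-30 leave those choices to the organisation. The sample rows are constructed after the R1/R2 entries posted above.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed five-point ordinal scales; the product gives a 1..25 score.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
# The generic treatment options from the field list above.
TREATMENTS = {"avoid", "transfer", "reduce", "accept"}


def rating(likelihood: str, impact: str) -> int:
    """Combine two ordinal levels into a single score (assumed product rule)."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    threat_source: str
    risk_owner: str
    inherent_likelihood: str
    inherent_impact: str
    current_controls: list = field(default_factory=list)  # (control, type) pairs
    current_likelihood: Optional[str] = None   # None: no control changes it
    current_impact: Optional[str] = None
    treatment: str = "reduce"
    treatment_plan: str = ""

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment option: {self.treatment}")

    def inherent_rating(self) -> int:
        return rating(self.inherent_likelihood, self.inherent_impact)

    def current_rating(self) -> int:
        # With no controls recorded, the current rating equals the inherent one.
        lk = self.current_likelihood or self.inherent_likelihood
        im = self.current_impact or self.inherent_impact
        return rating(lk, im)


def above_appetite(register, appetite: int):
    """Ids of risks whose current rating is still above the stated appetite."""
    return [r.risk_id for r in register if r.current_rating() > appetite]


# Constructed sample rows modelled on the R1/R2 entries posted in the thread.
REGISTER = [
    RiskEntry("R1", "Data centre may go down; availability impacted", "grid surge",
              "DGIT", "moderate", "very high",
              current_controls=[("surge arrestor", "prevent")],
              current_likelihood="low", treatment_plan="install surge arrestor"),
    RiskEntry("R2", "Access control server failure blocks card management",
              "hardware failure", "DGIT", "low", "high",
              current_controls=[("cluster software on multiple servers", "recovery")],
              current_impact="moderate"),
]
```

Risks that `above_appetite` returns are the ones whose treatment plan still needs a target likelihood or impact below the appetite line.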
tanveer
Newcomer I

Thanks 

CraginS
Defender I


@tanveer wrote:

Hi,

I have recently been tasked with performing a risk assessment of our organization's data centre; please help me with how and where to start the process.

Thanks


Tanveer, 

Please tell us what research you have done on the topic of risk assessment, particularly what resources (books, standards, journals, etc.) you have identified as possible guides. With that information, the members here will be able to give you pros and cons on different frameworks and processes you might be able to use. One framework already identified for you is ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirement... but there are others that may also be helpful. I suggest you investigate NIST Special Publication (SP) 800-30 Rev. 1, Guide for Conducting Risk Assessments, and SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle .... SP 800-30 and 800-37, like all NIST publications, are free.

 

You will have to invest some money for some of the resources, and time in studying them. Although a few ISO/IEC standards are free, many are not.

 

Good luck!

 

Craig

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
csjohnng
Community Champion

@tanveer 

Like the others said, there are frameworks to build on, like NIST 800-37 RMF, or you can use COBIT 5.

Starting from asset identification, identify key business process, threat modelling and estimating the likelihood and impact, then building risk scenarios and finally those risk scenarios will go to the risk register. 

COBIT 5 is from ISACA, but if you google COBIT 5 risk scenarios and COBIT 5 risk register, there are many samples on the internet.

John
tanveer
Newcomer I

Should I start by identifying assets or identifying risks, i.e. an asset-based risk assessment or a risk-based risk assessment?

Please view the fields which I mentioned in my reply above.

Caute_cautim
Community Champion

@tanveer The normal process is to actually identify the assets and categorise them, remembering that many assets can be either tangible, i.e. physical, or intangible, i.e. information or data. Plus see if you can also identify whether the particular assets have an owner or someone who is responsible for them. It would also be useful to put down where they are located and any other general observations, such as whether they are protected physically and by what, etc.

 

This all helps you build up a picture of the what, where and how of the assets themselves.

 

Regards

 

Caute_cautim

CraginS
Defender I


@tanveer wrote:

Should I start by identifying assets or identifying risks, i.e. an asset-based risk assessment or a risk-based risk assessment?

Please view the fields which I mentioned in my reply above.


Tanveer,

I fear you are asking for more hand-holding and detailed instruction in the arena of risk management and risk assessment than is appropriate or possible for even wise old (and highly opinionated) folks on this forum. I suggest it is time for you to go read (at least skim for overall familiarity) ISO/IEC 27001, NIST SP 800-30, ISACA COBIT, and the Center for Internet Security (CIS) Top 20 Controls, then come back here when you have specific questions based on your knowledge of those important references.

 

Knowledge of all of those resources is very important grounding for every CISSP, no matter which domain(s) we operate in.

 

Based on the nature of your own organization, you will have to decide, with internal consultation, which framework to follow and how deep to pursue the assessment details. You can go for two page quick and dirty or large team big book, or anywhere in between.

 

Good luck!

 

 

Craig

 

p.s. I see your CISSP badge here on the forum is brand new (2/10/2020). I realize that could be the date you joined the forum, but if that is recently earned, congratulations!

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com