Hi,
i have recently tasked to perform risk assessment of our organization data centre, pls help me how and where to start the process.
Thanks
The first step is your risk assessment is the asset inventory. Discuss with business owners, services managers to have a first high level view of the assets and proceed further with a business impact analysis of the assets. Once you have this high level view, you can move further to a detailed assessment.
Like I am preparing for CRISC Exam domain 1... or answering the MC..
First thing first is to identify asset which support your enterprise's critical business.
if there is no asset, there is no vulnerability and threat and you won't have any risk.
And then you can have a risk based approach on the risk assesment.
Assets are not limited to tangible ones. There are also intangible assets to be taken into account. Your organization cannot have "no assets".
A risk assessment of an entire data center. You are going to have a busy year my friend! There are so many parts to consider from physical security of the perimeter all the way down to the application themselves. Where do you plan to start? It is a huge undertaking and understanding the business drivers and the "environmental risks' (e.g., natural hazards, and geo-political) is key to cataloging the right risks against your assets. I see lots of sound advice to align to ISO/IEC 27001 and that is good if you are thinking of eventually certifying the location - that helps win business. The ISO/IEC standard "clauses" will also give you requirements that you can audit to when building out your register.
If aiming to certify the organisation or part of its hosting operation it makes sense to adopt an outside in approach to the risk assessment. And by that I mean after clarifying the organisation of security; the senior sponsorship etc, to start with the physical and environmental risks. You can be assessing those and ensuring that there are controls in place without identifying individual systems and owners. Similarly with the personnel security risks/controls. There will be whole categories of risks that are not system specific, so don't get lost down that particular rabbit hole.