The Purpose of a Risk Assessment, Essay Example

The purpose of a risk assessment is to determine the most serious risks that can potentially compromise a network’s security (Gibson, 2011). Risk assessment is useful because it provides a rational with which information technology professionals can prioritize risks for mitigation. A risk assessment occurs at a single point in time and therefore provides information concerning vulnerabilities only for a cross-section of the network’s history. A risk assessment scope is the range of parameters that are inspected during this process. For example, it is possible for the assessment to solely focus on the web server, or it can be focused to search the internal network and other components as well.

The critical areas for assessment can include the web server, database server, internal firewall, and the external firewall. Each of these components contain subcomponents that should be examined as a regular part of the assessment. For example, the hardware, operating system, and web site application should be assessed to determine the potential risks that are present for the web server. Single points of failure should be considered because a variety of failures can impact the ability of the website to run properly. Risk assessments of database servers should include only the databases accessed by the web server through the firewall. SQL injection attacks are frequent and should therefore be considered. Lastly, the internal firewall should be examined for all traffic between the web server and database server.

The risk assessment methodology I selected is quantitative. It is advantageous because it is an objective rather than subjective method. While collecting quantitative data for a risk assessment is time consuming, it is easier to understand data trends once this information is compiled. It is an advantageous method because even though a lot of data is available, it can be easily made understandable by applying mathematical formulas. This information can also be used to determine the impacts of controls.

The values that can be calculated from quantitative risk assessments typically include single loss expectancy (SLE), annual rate of occurrence (ARO), annual loss expectancy (ALE), and the safeguard value. The SLE is the total loss that is expected from an individual compromised security event. It is represented in dollars and defines the amount of loss in terms of the value of hardware, software, and data. The ARO is the number of times that a compromised security event is expected to happen within a year. This value is a prediction based on the number of events that have occurred in the past year. The ALE is the loss that is expected to occur over a year’s time. This is calculated by multiplying the SLE and the ARO. Lastly, the safeguard value is the cost that it requires to implement controls. These are used to mitigate risk and a common example of a safeguard is antivirus software.

One of the major limitations associated with quantitative risk analysis is that accurate data cannot always be retrieved. Furthermore, it is impossible to ensure that the safeguard will be used as anticipated. Even though a safeguard can be purchased for a specific purpose, it is possible that it will not be effective or it may just not be used. Lastly, it may be necessary to implement training policies that allow employees to understand the importance of the control and to act accordingly in protecting their work information.

References

Gibson D. (2011). Managing Risk In Information Systems, Chapter 5. Jones & Bartlett Learning.

Gibson D. (2011). Managing Risk In Information Systems, Chapter 6. Jones & Bartlett Learning.