IT/IS Security - Practical Risk Assessment for IT systems


Risk assessment is an important part of IT security. It need not be a big, complicated exercise, though larger and more complex projects obviously benefit from a more structured approach.

This is not a formal view of risk assessment but rather a practical view of it from someone on the ground.

Risk assessment involves a number of steps:

  • Assess Risks
    Identify what could go wrong with each system, how likely it is, and what it would cost the business
  • Classify Systems
    As Non-Critical, Critical, Mission Critical and so on, according to the risks assessed
  • Decide Methods to Mitigate the Risks
  • Decide on Owners for Mitigation Actions
  • Implement and Check Actions

Other points to bear in mind:

  • Do make sure that audits are carried out to confirm that risks have been identified and that the agreed actions are actually taking place
  • Do make sure that risk and action owners are the managers who stand to lose directly from lost, corrupted or stolen information
  • Do link bonuses to security and risk targets
    Which also means that you need to measure progress
  • Do use external specialists when you need to; don't assume that you have the right skills in-house
  • Do remember that neither risk assessment nor security in general is a "one off" exercise
  • Don't install systems until you have assessed the risks and decided how to manage them
  • Don't add trusts between systems (especially networks) unless it has been demonstrated that they are absolutely necessary
  • Don't assume that a shiny new system is secure
  • Focus budget cuts on lower-risk systems
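As an added illustration of the steps above (not code from the original page), here is a minimal risk register in Python that scores risks, derives a system classification, records an owner and due date per mitigation action, produces the audit findings and progress figure the "other points" call for, and orders systems for budget decisions. The likelihood/impact scales, the likelihood x impact scoring and the classification thresholds are assumptions for the example, not anything the page prescribes; the register entries are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed rating scales (not from the original page): each 1-5, so the
# risk score = likelihood x impact lies in the range 1-25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Action:
    """One mitigation action with a named owner and a due date."""
    description: str
    owner: str          # the manager who stands to lose if the risk materialises
    due: date
    done: bool = False


@dataclass
class Risk:
    """One identified risk against one system."""
    system: str
    threat: str
    likelihood: str
    impact: str
    actions: list = field(default_factory=list)

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def classify(score: int) -> str:
    """Map a score onto the page's classification bands (thresholds assumed)."""
    if score >= 15:
        return "Mission Critical"
    if score >= 8:
        return "Critical"
    return "Non-Critical"


def worst_scores(risks):
    """Highest risk score recorded against each system."""
    worst = {}
    for r in risks:
        worst[r.system] = max(worst.get(r.system, 0), r.score())
    return worst


def classify_systems(risks):
    """A system takes the classification of its highest-scoring risk."""
    return {system: classify(score) for system, score in worst_scores(risks).items()}


def audit(risks, today):
    """Audit check: risks with no owned action, and actions overdue and not done."""
    findings = []
    for r in risks:
        if not r.actions:
            findings.append(f"{r.system}: '{r.threat}' has no mitigation action or owner")
        for a in r.actions:
            if not a.done and a.due < today:
                findings.append(f"{r.system}: '{a.description}' owned by {a.owner} "
                                f"overdue since {a.due}")
    return findings


def progress(risks):
    """Fraction of mitigation actions completed: a measurable target to tie bonuses to."""
    actions = [a for r in risks for a in r.actions]
    if not actions:
        return 0.0
    return sum(a.done for a in actions) / len(actions)


def budget_priority(risks):
    """Systems from lowest to highest exposure: budget cuts should start at the front."""
    worst = worst_scores(risks)
    return sorted(worst, key=worst.get)


# Constructed sample register (hypothetical systems, owners and dates).
REGISTER = [
    Risk("payroll", "database server compromised", "possible", "severe", [
        Action("patch and harden DB host", "finance director", date(2008, 6, 30), done=True),
        Action("restrict network trust to payroll VLAN", "finance director", date(2008, 7, 31)),
    ]),
    Risk("intranet wiki", "defacement", "likely", "minor", [
        Action("enable authenticated edits", "comms manager", date(2008, 5, 31)),
    ]),
    Risk("test lab", "malware on test PCs", "likely", "negligible"),
]
AUDIT_DATE = date(2008, 7, 10)

if __name__ == "__main__":
    for system, cls in classify_systems(REGISTER).items():
        print(f"{system:14} {cls}")
    for finding in audit(REGISTER, AUDIT_DATE):
        print("AUDIT:", finding)
    print(f"actions complete: {progress(REGISTER):.0%}")
    print("cut budget first from:", budget_priority(REGISTER))
```

Running it lists payroll as Mission Critical, the wiki as Critical and the test lab as Non-Critical, flags the wiki action as overdue and the test lab risk as having no owner, and reports one of three actions complete. The point is that every step on the page produces a recorded artefact (score, classification, owner, due date, audit finding, progress figure) that can be checked later rather than left as a one-off discussion.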

© Copyright Julian Knight, July 2008 All rights reserved.
Page: Updated 2008-07-10 08:50:08, Author Julian Knight