Conducting Risk Assessment
Risk Assessment is part of the Risk Management Process. Its purpose is to identify threats, internal and external vulnerabilities, the potential loss and the probability of that loss, the end result being a determination of risk. Under Risk Assessment, risk is determined from the adverse effects of an event and its likelihood of occurrence. Risk Assessment is employed at the organization level, the mission/business process level, and the information system level.
NIST Special Publication 800-30 Revision 1 treats Risk Assessment as an ongoing activity throughout the system development life cycle, closely interacting with the other components of Risk Management. The Risk Assessment Process (within the Risk Management Process) consists of preparing for the assessment, conducting the assessment, communicating the results, and maintaining the assessment. Maintaining the assessment and communicating its results may trigger the assessment being conducted again. The second step, conducting the assessment, is best understood through the activities it involves:
Identify Threat Sources
Threat sources are identified at every level: organization, mission/business process, and information system. They are classified by taxonomy: adversarial (characterized by adversary capability, intent and targeting) and non-adversarial, the latter comprising accidental, structural and environmental sources.
Identify Threat Events
The purpose of this activity is to identify potential threat events, the relevance of those events, and the threat sources that could initiate them.
Identify Vulnerabilities and Predisposing Conditions
The purpose of this activity is to identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts. As with the identification of threat sources, these are identified and categorized by level and taxonomy, and tagged for severity, quantitatively or qualitatively.
Determine Likelihood of Occurrence
In this activity the likelihood of occurrence is formulated and determined from the threat source, the vulnerability, and the safeguards implemented. Without diligent effort in the previous activities and proper knowledge and documentation of the safeguards/controls in place, this activity may give false results.
Determine Magnitude of Impact
The purpose of this step is to determine impact based on the first three activities and the maximum worth of the affected entity, in terms of the value of its loss or unavailability.
Determine Risk
The purpose of this step is to determine risk from the impact and likelihood determined previously.
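A worked example of this last activity, added here and not part of the original post or of NIST SP 800-30: a small Python risk register that applies a qualitative likelihood-by-impact matrix, ranks the resulting risks against an assumed risk tolerance, and sets aside entries whose likelihood rests on undocumented controls, since the text above warns that such results may be false. The matrix and the 0-10 scores are this example's rendering of the SP 800-30 appendix scales and are assumptions to be replaced by the organization's approved scale; the register entries are constructed.

```python
from dataclasses import dataclass
# Qualitative scale shared by likelihood, impact and risk, lowest to highest
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Semi-quantitative value per level (0-10 scale of the SP 800-30 appendix tables)
SCORE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}

# Level of risk for (overall likelihood = row, impact = column).
# ASSUMPTION: rendering of the Appendix I matrix as recalled; use the organization's approved scale.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

@dataclass
class ThreatEvent:
    name: str
    likelihood: str                   # result of "Determine Likelihood of Occurrence"
    impact: str                       # result of "Determine Magnitude of Impact"
    controls_documented: bool = True  # were the safeguards behind the likelihood verified?

def determine_risk(event):
    """'Determine Risk' activity: combine likelihood and impact into a level of risk."""
    if event.likelihood not in LEVELS or event.impact not in LEVELS:
        raise ValueError(f"{event.name}: ratings must be one of {LEVELS}")
    level = RISK_MATRIX[event.likelihood][LEVELS.index(event.impact)]
    return {"name": event.name, "level": level, "score": SCORE[level],
            "verified": event.controls_documented}

def prioritize(register, tolerance="Moderate"):
    """Rank by risk; split into above tolerance, within tolerance, and unverified (reassess)."""
    ranked = sorted((determine_risk(e) for e in register), key=lambda r: -r["score"])
    limit = SCORE[tolerance]
    over = [r for r in ranked if r["verified"] and r["score"] > limit]
    within = [r for r in ranked if r["verified"] and r["score"] <= limit]
    unverified = [r for r in ranked if not r["verified"]]
    return over, within, unverified

# Constructed sample register; ratings are illustrative, not from a real assessment
REGISTER = [
    ThreatEvent("Phishing leads to credential theft", "High", "High"),
    ThreatEvent("Flooding of the data centre", "Very Low", "Very High"),
    ThreatEvent("Administrator mistypes a firewall rule", "Moderate", "Moderate"),
    ThreatEvent("Ransomware via an unpatched remote-access service", "High", "Very High", False),
]
if __name__ == "__main__":
    for label, group in zip(("ABOVE TOLERANCE", "WITHIN TOLERANCE", "REASSESS"), prioritize(REGISTER)):
        print(label, [(r["name"], r["level"]) for r in group])
```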
Can a risk mitigation create value to an organization based on the COBIT framework?
Risk is not something tangible, but it can be minimized with the help of the COBIT framework. Risk minimization makes sure that risk does not exceed the risk appetite of the organization, thereby helping the organization to survive and grow. With the help of COBIT, risk can be tied to business strategy, which helps in making better-informed decisions within the risk tolerance through risk mitigation. Further, although COBIT does not do much to define risk analysis methods, it helps establish a link between a risk scenario and the appropriate response via enablers (controls), and shows how to manage risk (the Risk function and Risk Management).
References
Joint Task Force Transformation Initiative, National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST Special Publication 800-30, Revision 1). Gaithersburg, MD: U.S. Department of Commerce, National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-30r1