
RISK ASSESSMENT

THREAT ASSESSMENT

Do you know what cyber security threats your business faces? It may come as a surprise, but threats aren’t always universal. Specific threats can affect specific businesses and specific IT systems.

Environmental threats

These threats include temperature, humidity, water leaks, intrusion, human error, vibration, and power outages. The environment can damage equipment, slow performance, and force hardware to shut down.

i. Temperature: Temperature is the main environmental threat to computer hardware. The generally accepted ideal temperature is between 68 and 74 degrees Fahrenheit (20 to 24 degrees Celsius). Excessive heat degrades network performance, causes downtime, and damages equipment.

ii. Humidity: When the temperature is between 68 and 74 degrees Fahrenheit (20 to 24 degrees Celsius), the relative humidity (i.e., the amount of water in the air) should be between 40% and 50%.

iii. Human error: Personnel can unknowingly create environmental problems by adjusting the heating or air conditioning while working, or by installing new equipment without realising that it generates more heat.

iv. Tornadoes/earthquakes: While homes are insured and can be repaired or rebuilt, tornado or earthquake damage to a data center destroys more than just the facility itself.


MAN MADE THREATS

Man-made threats can come from inside the organization or from outside the organization.

Internal threats originate from within the targeted organization. This doesn’t mean that the actor must be a current employee or officer of the organization; they could be a consultant, former employee, business partner, or board member.

Companies are also vulnerable to external threats, i.e. forces from outside the organization. The proliferation of the Internet and electronic media has presented a whole new set of external threats to organizations. External actors use methods such as phishing, social engineering, DoS attacks, etc. Threats coming from outside the company always entail ill intent: they are carried out to steal data, disrupt company processes, and damage the company’s operations.


RISK ASSESSMENT

Quantitative Risk Calculations

SLE (Single Loss Expectancy): If a single event occurs, there is a particular cost associated with it, and you can determine the SLE by looking at the risk itself. So if a computer is stolen and the asset value for replacing it is $1000, that $1000 is our SLE.

ALE (Annual Loss Expectancy)

We also need to know how many events may happen in an entire year. If we know that a stolen computer costs $1000, and we also know that seven computers could be stolen in a year, we can calculate our ALE by multiplying 1000 * 7.

ARO (Annualised Rate of Occurrence)

You can calculate the ARO based on how often in a year you might be hit by a hurricane or any other attack.

EVALUATING RISK

Quantitative Risk Assessment

i. Risk register: One way of evaluating risk during a project is to create a risk register. Every project has a plan, but at each step of the way there will be some type of risk associated with the plan. Once we have identified those risks, we can create a possible solution that helps us avoid them.

ii. Supply chain assessment: This assesses the process used to get a product or a service from the supplier into the final product.
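A worked example of the SLE, ARO and ALE calculations above, applied to a small risk register of the kind described under "Risk register" (added here; it is not part of the original page). The stolen-computer figures are the page's own; every other row, the mitigation costs and the post-mitigation AROs are constructed assumptions, and the net-benefit comparison goes beyond the text by weighing each control's yearly cost against the ALE it removes.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    """One row of a risk register: the event, the cost of one occurrence (SLE),
    how often it is expected per year (ARO) and a candidate control."""
    name: str
    sle: float                          # Single Loss Expectancy, cost of one event
    aro: float                          # Annualised Rate of Occurrence, events/year
    mitigation: str = ""
    mitigation_cost: float = 0.0        # yearly cost of the control (assumed figure)
    aro_after: Optional[float] = None   # expected ARO with the control (assumed)

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO (the page's 1000 * 7 calculation)."""
        return self.sle * self.aro

    def ale_after(self) -> float:
        # ALE once the control is in place; unchanged if no control is listed.
        return self.sle * (self.aro if self.aro_after is None else self.aro_after)

    def net_benefit(self) -> float:
        """ALE removed by the control minus the control's yearly cost."""
        return self.ale() - self.ale_after() - self.mitigation_cost


def aro_from_history(incidents: int, years: float) -> float:
    """Derive ARO from an observed incident count, e.g. one hurricane in ten years."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest ALE first, so the register doubles as a priority list."""
    return sorted(register, key=lambda r: r.ale(), reverse=True)


# Constructed sample register: the stolen-computer row uses the page's own figures
# ($1000 per event, seven per year); every other number is an assumption.
REGISTER = [
    Risk("Computer stolen", sle=1000, aro=7,
         mitigation="Cable locks + full-disk encryption", mitigation_cost=800, aro_after=2),
    Risk("Hurricane damages data centre", sle=250_000, aro=aro_from_history(1, 10),
         mitigation="Off-site backup and failover", mitigation_cost=30_000, aro_after=0.02),
    Risk("Phishing leads to account takeover", sle=15_000, aro=3,
         mitigation="Phishing-resistant MFA", mitigation_cost=6_000, aro_after=0.5),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(r.name, round(r.ale()), round(r.net_benefit()))
```

A negative net benefit (the hurricane row) means the control costs more per year than the loss it prevents, which argues for acceptance or transference rather than mitigation.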

Qualitative Risk Assessment: For risks such as losing a laptop, there is an obvious cost associated with the loss. But there are other processes in the organization where we are not able to apply a quantitative analysis; instead, we use a qualitative analysis to determine where the risks may be.

i. Identifying significant risk factors: Identify the factors, then identify the categories of risk associated with them.

ii. Business impact analysis: You need to know what the critical business functions are for your organization and document them. Once you know what those are, you will know what the impact of losing them might be.

iii. Testing for risk: It is common to perform penetration tests, vulnerability scans and other tests to make sure that our data is safe.



RISK RESPONSE TECHNIQUES

  • Risk avoidance: You can avoid a risk by no longer participating in highly risky activities.

  • Risk transference: One way to transfer risk is to purchase insurance. This way, instead of accepting all of the risk ourselves, we have mitigated it with some type of third-party insurance.

  • Acceptance: This is a situation where you can simply accept the risk.

  • Mitigation: Almost all of our computing systems have some type of mitigation built in.

  • Change management: We need to follow a formal change management process for any change to the operating system or to any software. A change management process will have very clear policies. Change management will not only provide more uptime and availability but will also decrease risk for the entire organization.
