The objective of a risk assessment is to understand the existing system and environment and identify risks through analysis of the information/data collected. By default, all relevant information should be considered, irrespective of storage format. Several types of information that are often collected include:

• Security requirements and objectives
• System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected.
• Information available to the public or accessible from the organization’s web site
• Physical assets, such as hardware, including those in the data center, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
• Operating systems, such as PC and server operating systems, and network management systems
• Data repositories, such as database management systems and files
• A listing of all applications
• Network details, such as supported protocols and network services offered
• Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
• Security components deployed, such as firewalls and intrusion detection systems
• Processes, such as a business process, computer operation process, network operation process and application operation process
• Identification and authentication mechanisms
• Government laws and regulations pertaining to minimum security control requirements
• Documented or informal policies, procedures and guidelines

 The following are common tasks that should be performed in an enterprise security risk assessment (Please note that these are listed for reference only. The actual tasks performed will depend on each organization’s assessment scope and user requirements.):

• Identify business needs and changes to requirements that may affect overall IT and security direction.
• Review adequacy of existing security policies, standards, guidelines and procedures.
• Analyze assets, threats and vulnerabilities, including their impacts and likelihood.
• Assess physical protection applied to computing equipment and other network components.
• Conduct technical and procedural review and analysis of the network architecture, protocols and components to ensure that they are implemented according to the security policies.
• Review and check the configuration, implementation and usage of remote access systems, servers, firewalls and external network connections, including the client Internet connection.
• Review logical access and other authentication mechanisms.
• Review current level of security awareness and commitment of staff within the organization.
• Review agreements involving services or products from vendors and contractors.
• Develop practical technical recommendations to address the vulnerabilities identified, and reduce the level of security risk.

 Mapping threats to assets and vulnerabilities can help identify their possible combinations. Each threat can be associated with a specific vulnerability, or even multiple vulnerabilities. Unless a threat can exploit a vulnerability, it is not a risk to an asset.

 The range of all possible combinations should be reduced prior to performing a risk analysis. Some combinations may not make sense or are not feasible. This interrelationship of assets, threats and vulnerabilities is critical to the analysis of security risks, but factors such as project scope, budget and constraints may also affect the levels and magnitude of mappings.

 Once the assets, threats and vulnerabilities are identified, it is possible to determine the impact and likelihood of security risks.

 Institutionalizing a practical risk assessment program is important to supporting an organization’s business activities and provides several benefits:

• Risk assessment programs help ensure that the greatest risks to the organization are identified and addressed on a continuing basis. Such programs help ensure that the expertise and best judgments of personnel, both in IT and the larger organization, are tapped to develop reasonable steps for preventing or mitigating situations that could interfere with accomplishing the organization’s mission.

• Risk assessments help personnel throughout the organization better understand risks to business operations. They also teach them how to avoid risky practices, such as disclosing passwords or other sensitive information, and recognize suspicious events. This understanding grows, in part, from improved communication among business managers, system support staff and security specialists.

• Risk assessments provide a mechanism for reaching a consensus as to which risks are the greatest and what steps are appropriate for mitigating them. The processes used encourage discussion and generally require that disagreements be resolved. This, in turn, makes it more likely that business managers will understand the need for agreed-upon controls, feel that the controls are aligned with the organization’s business goals and support their effective implementation. Executives have found that controls selected in this manner are more likely to be effectively adopted than controls that are imposed by personnel outside of the organization.

• A formal risk assessment program provides an efficient means for communicating assessment findings and recommending actions to business unit managers as well as to senior corporate officials. Standard report formats and the periodic nature of the assessments provide organizations a means of readily understanding reported information and comparing results between units over time.