Risk assessment is the exercise of determining the qualitative or quantitative value of the risk associated with one or more threats against a defined environment. It differs from the more familiar IT security assessment, which reports which weaknesses exist and which are exploitable, by also factoring in how likely each threat is to be realized and what impact its realization would have on the target environment.
eSafe has developed a detailed methodology in which the consultants who perform assessments are rigorously trained. We use a consistent approach and toolset so that every assessment is carried out to the same level of detail and focus, regardless of the scope selected or the customer environment. The methodology gives the customer flexibility in choosing focus areas, but the process used to perform the assessment and to capture the metrics needed for risk analytics is the same across engagements.
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy.
eSafe's IT risk assessment approach covers technical, physical and human threats, giving your organization a complete view of its threat environment and the risks associated with it.
Risk Assessment Process Overview
The risk assessment process starts by identifying the threats relevant to the organization, divided into adversarial (deliberate) and accidental threats. The assessment phase then determines the likelihood and severity of each threat and of the vulnerabilities it can exploit. Not all threats are equal: some occur more often than others, and some are far more damaging to the organization's infrastructure. The first step in ranking threats is therefore to estimate how likely each one is to occur; next, we estimate the impact the threat could have on the enterprise. Then, by mapping threats, vulnerabilities, likelihood and impact to the critical information, processes and information assets they affect, we define a scale to rate the severity of the consequences of an event or security breach. This determines which threats and vulnerabilities our customers most need to prepare for.
The overall likelihood of a threat is then derived as a function of two factors: the likelihood that the threat event occurs and the vulnerability level, that is, the likelihood that the event succeeds against the controls currently in place.
Impact is the expected adverse effect on the organization if the threat succeeds. Finally, risk is measured as a function of the overall likelihood of the threat and the level of adverse impact it is expected to cause when it occurs.
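The two-stage scoring described above (occurrence and vulnerability level combined into an overall likelihood, then overall likelihood and impact combined into a risk level) is small enough to show end to end. The following Python is an added example written for this page; it is not eSafe's assessment tool, and the five-point scale, the combination matrix and the sample threats are all assumptions made here for illustration. The page does not state which combination function its analysts use, so this example uses one explicit lookup matrix for both stages and keeps it in one place so a reviewer can argue about it.

```python
"""Qualitative risk register: overall likelihood = f(occurrence, success),
risk = f(overall likelihood, impact), then rank the threats."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed five-point scale (not prescribed by the page).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
_INDEX = {name: i for i, name in enumerate(LEVELS)}

# Assumed combination matrix: rows are the first factor, columns the second.
# It is deliberately not a plain average: a Very Low second factor (e.g. a
# well-controlled vulnerability) pulls the result down regardless of the first.
COMBINE = [
    # second:  Very Low     Low         Moderate    High        Very High
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],       # first = Very Low
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],  # first = Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],      # first = Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"], # first = High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"], # first = Very High
]


def combine(first: str, second: str) -> str:
    """Look up the combined level of two scale values."""
    return COMBINE[_INDEX[first]][_INDEX[second]]


@dataclass(frozen=True)
class Threat:
    name: str
    kind: str        # "adversarial" or "accidental", as the page divides them
    asset: str       # the critical asset or process the threat is mapped to
    occurrence: str  # likelihood that the threat event happens
    success: str     # vulnerability level: likelihood it succeeds against current controls
    impact: str      # adverse impact on the organization if it succeeds

    def __post_init__(self) -> None:
        if self.kind not in ("adversarial", "accidental"):
            raise ValueError(f"unknown threat kind: {self.kind}")
        for value in (self.occurrence, self.success, self.impact):
            if value not in _INDEX:
                raise ValueError(f"level {value!r} is not on the scale {LEVELS}")


def overall_likelihood(t: Threat) -> str:
    """Stage 1: likelihood of occurrence combined with likelihood of success."""
    return combine(t.occurrence, t.success)


def risk_level(t: Threat) -> str:
    """Stage 2: overall likelihood combined with impact."""
    return combine(overall_likelihood(t), t.impact)


def rank(threats: List[Threat]) -> List[Tuple[str, str, str]]:
    """Return (name, overall likelihood, risk) rows, highest risk first.
    Ties on risk are broken by overall likelihood; remaining ties keep input order."""
    rows = [(t.name, overall_likelihood(t), risk_level(t)) for t in threats]
    rows.sort(key=lambda r: (_INDEX[r[2]], _INDEX[r[1]]), reverse=True)
    return rows


# Constructed sample register; the ratings are illustrative, not real findings.
SAMPLE_THREATS = [
    Threat("Phishing leads to credential theft", "adversarial",
           "Workforce identities", "Very High", "Moderate", "High"),
    Threat("Ransomware on file servers", "adversarial",
           "Shared file servers", "High", "High", "Very High"),
    Threat("Accidental deletion of customer database", "accidental",
           "Customer database", "Low", "Low", "High"),
    Threat("Datacentre power loss", "accidental",
           "Primary datacentre", "Moderate", "Very Low", "Very High"),
    Threat("Tailgating into server room", "adversarial",
           "Server room", "Low", "High", "Moderate"),
]

if __name__ == "__main__":
    for name, likelihood, risk in rank(SAMPLE_THREATS):
        print(f"{risk:10}  likelihood={likelihood:10}  {name}")
```

Two rows in the sample output are worth noticing. Phishing has the highest likelihood of occurrence of anything in the register but lands at Moderate risk, because the assumed vulnerability level (the chance it succeeds against current controls) is only Moderate. The datacentre power loss has Very High impact yet scores Low, because its Very Low vulnerability level dominates the first stage. That is the point of computing overall likelihood from two factors rather than from occurrence alone: it is the control environment, not just the threat landscape, that drives the ranking.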