4. Risk-Assessment Methodologies

In the previous chapter, the goals and objectives for conducting a risk assessment were presented. These goals and objectives provide many reasons why an organization should conduct a risk assessment on its IT and network infrastructure. In some cases, new laws, mandates, and regulations such as HIPAA, GLBA, FISMA, and SOX require organizations to conduct periodic risk and vulnerability assessments and implement defined security controls. This, coupled with the creation and implementation of an IT security architecture and framework, provides the necessary foundation for an organization to properly manage and mitigate the risks caused by threats and vulnerabilities to an IT and network infrastructure.

This chapter first presents risk-assessment terminology commonly used when discussing risk management and risk-assessment topics. After these terms and definitions are presented, the chapter will present to the reader the different methodologies and approaches for conducting a risk assessment on an IT infrastructure and its assets. The reader will learn the steps needed to conduct a risk assessment using different methodologies or approaches. However, no matter what methodology or approach is used, it is important that the organization address how asset management and proper inventorying of the organizations IT assets are to be handled. After the IT systems, applications, and data assets are inventoried, the organization must prioritize them based on importance to the organization. This prioritization is critical because many organizations do not have unlimited funds to implement proper security controls and security countermeasures to mitigate the identified risk from threats and vulnerabilities. This prioritization is typically aligned to the organization’s business drivers, goals, and objectives. Then, assessing the risk of threats and vulnerabilities on an organization’s IT hardware, software, and assets can be done qualitatively, quantitatively, or via a hybrid approach.