Within this eBook you will learn the steps involved in performing a risk analysis and why they are important. A proper risk analysis will allow you and management to understand your technology assets and their vulnerabilities. You will also identify threats to your assets and steps to protect them.
This book is ideal for the Information Technology professional in charge of the operation and security of a network of any size. Individuals who need to define their assets and proactively protect them from hostile threats in an ever-growing technology landscape will benefit from reading this eBook.
Whether in the public or private sector, businesses rely on information systems to carry out their business functions. Information systems can range from simple office networks and financial and personnel systems to highly specialized systems, such as those found in the military. Information systems are vulnerable to threats that can have a negative impact on an organization's operations, assets and reputation. These threats, both known and unknown, take advantage of system vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats can be calculated attacks, environmental interferences, or machine errors, and can result in great harm to business continuity. Management at all levels must understand its responsibilities and be held accountable for managing information security risk.
A Network Risk Analysis (NRA) is one of the key components of an organizational risk management process. An NRA will identify, prioritize, and estimate risk to an information system that may disrupt operations, assets, processes, and business continuity.
The purpose of an NRA is to identify:
Threats to information systems
Vulnerabilities internal and external to information systems
Impact to business continuity that may occur given the potential for threats exploiting vulnerabilities
The likelihood that harm will occur
The end result (or benefit) of performing a risk analysis is an understanding of the level of risk within the network. NRAs are used to evaluate information system security-related risks associated with corporate governance and management activities, mission/business processes or enterprise architecture, and funding of information security programs. NRAs are also used to support a corporate risk management framework (security categorization, security control selection, security control implementation, security control analysis, information system authorization, and monitoring).