risk assessment on information securityAngelo Sala - November 2010

http://www.flickr.com/photos/borghetti/43058749/

goal: to reduce risks related to

information security

http://www.flickr.com/photos/keylosa/184606430/

you have to identify risk activities among

sensitive processes

http://www.flickr.com/photos/emiliano-iko/4045654001/

1. IT (information technologies)

http://www.flickr.com/photos/johnseb/3425464/

identify risk factors …

2. organization

http://www.flickr.com/photos/thomasguest/3581215442/

3. human resources

http://www.flickr.com/photos/pietel/3468574846/

4. environment

http://www.flickr.com/photos/theplanetdotcom/4878805271/

identify and classify risks by

factors and …

http://www.flickr.com/photos/stephenpoff/3032885683/

by information values

http://www.flickr.com/photos/sidelong/305305214/

1. data integrity

2. confidentiality

http://www.flickr.com/photos/giltron/315026788/

3. availability

http://www.flickr.com/photos/davidjwbailey/3676408544/

you have to estimate bad

event probability

http://www.flickr.com/photos/jackpix/146384867/

evaluate damages ($)

http://www.flickr.com/photos/dawn_perry/237343945/

if the company reputation is involved

http://www.flickr.com/photos/striatic/2191404675/

so you get risk levels that could increase …

.. and finally you have to establish mitigation actions

in order to reduce risk level

Number of risks identified * (Middle & High level)

human resources

organization

IT

environment

45

5

11

27

* fake data

Measured vs. Expected * risk index

31,5

9,5

15,5

20

22,5

12,25

6,25

16,5

human resources

organization

IT

environment

* fake data

and then …

you’ll have to roll up your sleeves and start mitigation actions

http://www.flickr.com/photos/pennstatelive/5059771553/