CUC 2004 A5 Miroslav Bača - The Risk Assessment of Information System Security
Every organisation that uses information technology today faces the problem of information system security. The first step in protecting an information system is to identify and classify the information resources, or assets, that need protection, because they are vulnerable to threats. The main purpose of the classification is to prioritise further investigation and to identify appropriate protection. The typical assets associated with information and information technology are: information, hardware, software, people, services and documents. Risk assessment is the process of assessing security-related risk from internal and external threats to an entity, its assets, or its personnel. We can also say that risk assessment is the process of identifying vulnerabilities and threats to an organisation's information resources (the difference in terminology between risk analysis and risk assessment introduces a new vagueness into the risk management process). In general, risk can be transferred, rejected, reduced or accepted, but it is never eliminated, and it can be described by the following equation: Total risk = threats x vulnerability x asset value. When we develop a risk management and assessment programme, we must follow these steps: 1. Understand the organisation and identify the people and assets at risk, 2. Specify loss risk events and/or vulnerabilities, 3. Establish the probability of loss risk and the frequency of events, 4. Determine the impact of events, 5. Develop options to mitigate risk, 6. Study the feasibility of implementing the options and 7. Perform a cost-benefit analysis. To develop a risk management and assessment programme we must use some of the various methods and techniques for risk assessment, which can be complete or incomplete. The differences between these two approaches to risk assessment determine which approach will be implemented in a particular organisation.
The risk assessment process is about making decisions. The impact of a successful attack and the level of acceptable risk for any given situation is a basic strategic decision. A primary problem of risk management is to achieve a cost-effective balance between design characteristics and the corresponding countermeasures to threats and impact. This paper describes an analysis and comparison of the major representatives of the complete methods for risk assessment: British Standard (BS); CCTA Risk Analysis and Management Method (CRAMM); Consultative, Objective and Bi-functional Risk Analysis (COBRA); RuSecure; Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and Failure Mode and Effects Analysis (FMEA). This comparison is the first step in developing a new risk assessment method for a particular organisation.
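As an added illustration (not code from the paper), the following toy risk register applies the abstract's equation, Total risk = threats x vulnerability x asset value, to rank assets (steps 1 to 4) and then compares mitigation options by net benefit, i.e. risk reduced minus option cost (steps 5 to 7). All asset names, scores, costs and the residual-vulnerability model for options are constructed assumptions.

```python
"""Toy risk register for the abstract's equation and seven steps.
Added example; every asset, score and cost below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str          # one of the abstract's asset types
    value: float           # asset value (constructed monetary figure)
    threat: float          # likelihood that a threat acts, 0..1
    vulnerability: float   # likelihood that the threat succeeds, 0..1


@dataclass(frozen=True)
class Option:
    name: str
    cost: float                # one-off cost of implementing the option
    vulnerability_after: float  # residual vulnerability once it is in place


def total_risk(asset: Asset) -> float:
    """The abstract's equation: threats x vulnerability x asset value."""
    return asset.threat * asset.vulnerability * asset.value


def prioritize(assets):
    """Steps 1-4: rank assets by exposure, most exposed first."""
    return sorted(assets, key=total_risk, reverse=True)


def cost_benefit(asset: Asset, options):
    """Steps 5-7: net benefit = risk removed by the option minus its cost.
    A negative value means the option costs more than the risk it removes."""
    before = total_risk(asset)
    ranked = []
    for opt in options:
        after = asset.threat * opt.vulnerability_after * asset.value
        ranked.append((opt.name, before - after - opt.cost))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample register (not real data)
ASSETS = [
    Asset("customer database", "information", 500_000, 0.6, 0.5),
    Asset("web server", "hardware", 40_000, 0.8, 0.3),
    Asset("backup procedures", "documents", 20_000, 0.2, 0.2),
]
OPTIONS = [
    Option("patch and harden", 30_000, 0.2),
    Option("accept risk", 0, 0.5),        # no change, no cost
    Option("full rebuild", 200_000, 0.05),
]

if __name__ == "__main__":
    for a in prioritize(ASSETS):
        print(f"{a.name:20} {a.category:12} risk={total_risk(a):>10,.0f}")
    for name, net in cost_benefit(ASSETS[0], OPTIONS):
        print(f"{name:18} net benefit={net:>10,.0f}")
```

With these figures the database is the top priority, and "patch and harden" is the only option whose net benefit is positive; the full rebuild removes more risk but costs more than the risk it removes.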