24 January 2016
A risk assessment is a way to identify, evaluate, quantify, and prioritize risks (Gibson, 2011). Risk assessments are primarily used to evaluate the overall security of a network from an attacker's point of view, in order to protect the network from intruders (Schmittling, n.d.). No regulation instructs organizations on exactly how systems must be controlled or secured; however, there are regulations that require systems to be secured in one way or another (Schmittling, n.d.). The rationales for conducting an assessment include cost justification, productivity, breaking barriers, self-analysis, and communication ...
d.). The scope helps to decide what needs to be protected and the level to which sensitive data is protected.
When defining scope, the goals and objectives, responsibilities, specific inclusions and exclusions, assessment time and location, and the risk assessment methodology should be determined. Critical areas for an assessment include web servers, database servers, and internal firewalls (Gibson, 2011).
There are two main types of risk assessment methodology: qualitative and quantitative. With the qualitative methodology, relative values are used to determine the probability and impact of a risk (Gibson, 2011). This type of information can be collected quickly. A quantitative risk assessment is used to estimate how much money would be lost should a vulnerability be exploited (Vanderberg, n.d.). With the quantitative methodology, actual dollar values are used. It can take time to gather this type of data. Once the data is gathered, however, a mathematical formula is used to determine the priority of risks and, in turn, to show the results of controls (Gibson, 2011).
It is my opinion that a combination of both quantitative and qualitative methodologies would work best in a Fortune 500 company. Both quantitative and qualitative methodologies have advantages. Results from a quantitative methodology are more easily reproducible and make it possible to compare and contrast a present assessment with a past assessment. Because the data is not subjective, results are more consistent (Norchiston, 2011). Qualitative assessments seem to be easier to complete; however, because the data is subjective, they are less reproducible (Norchiston, 2011) ...
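The two methodologies described above, and the combined approach the essay argues for, can be made concrete with a small scoring script. This is an added example, not code from the essay or from any of its cited sources. It assumes the standard quantitative formulas that the text refers to only as "a math formula" (single loss expectancy SLE = asset value × exposure factor; annualized loss expectancy ALE = SLE × annualized rate of occurrence), a 1 to 5 likelihood × impact matrix for the qualitative side, and constructed dollar values and ratings for the three critical areas the text names (web server, database server, internal firewall).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk against one asset, carrying inputs for both methodologies."""
    name: str
    asset_value: float      # dollars the asset is worth (quantitative input)
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence, incidents per year
    likelihood: int         # qualitative rating 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative rating 1 (negligible) .. 5 (severe)


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor: dollars lost in a single incident."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError(f"{risk.name}: exposure factor must be in [0, 1]")
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO: expected dollars lost per year from this risk."""
    return single_loss_expectancy(risk) * risk.aro


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on a 1..5 matrix; a higher score means higher priority."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {label} must be 1..5, got {value}")
    return risk.likelihood * risk.impact


def rank_quantitative(risks):
    """Risk names ordered by ALE, highest first."""
    return [r.name for r in sorted(risks, key=annualized_loss_expectancy, reverse=True)]


def rank_qualitative(risks):
    """Risk names ordered by likelihood x impact score, highest first."""
    return [r.name for r in sorted(risks, key=qualitative_score, reverse=True)]


def control_net_benefit(risk: Risk, aro_after: float, annual_control_cost: float) -> float:
    """Net annual value of a control that lowers the ARO of a risk:
    ALE before - ALE after - yearly cost of the control.
    A positive number means the control pays for itself; this is how the
    quantitative formula shows the result of a control in dollars."""
    ale_after = single_loss_expectancy(risk) * aro_after
    return annualized_loss_expectancy(risk) - ale_after - annual_control_cost


# Constructed sample risks for the three critical areas named in the text.
# The dollar values and ratings are invented for illustration only.
SAMPLE_RISKS = [
    Risk("web server defacement", 200_000, 0.10, 2.0, likelihood=4, impact=2),
    Risk("database server breach", 1_000_000, 0.50, 0.1, likelihood=2, impact=5),
    Risk("internal firewall misconfiguration", 300_000, 0.20, 0.5, likelihood=3, impact=3),
]


def main():
    print(f"{'risk':38} {'SLE':>10} {'ALE':>10} {'L x I':>6}")
    for r in SAMPLE_RISKS:
        print(f"{r.name:38} {single_loss_expectancy(r):10,.0f} "
              f"{annualized_loss_expectancy(r):10,.0f} {qualitative_score(r):6d}")
    print("quantitative priority:", rank_quantitative(SAMPLE_RISKS))
    print("qualitative priority: ", rank_qualitative(SAMPLE_RISKS))
    # A hypothetical control on the web server that cuts its ARO from 2.0 to 0.5
    # incidents per year and costs $15,000 per year to run.
    web = SAMPLE_RISKS[0]
    print("net annual benefit of web server control:",
          control_net_benefit(web, aro_after=0.5, annual_control_cost=15_000))


if __name__ == "__main__":
    main()
```

Run as a script, it prints both rankings side by side. With these constructed inputs the two methodologies agree that the database server is the top priority but disagree on the order of the web server and the firewall: the dollar figures rank the web server second, the subjective ratings rank the firewall second. That disagreement is the practical reason for combining the two: the qualitative ranking is quick to produce and flags where the quantitative inputs deserve a closer look, while the quantitative result is the one that can be reproduced next year and compared against this year's.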