Assessing the Risk in an Enterprise
- Abhilasha
- Jul 8, 2024
- 1 min read
Facilitated Data Gathering:
Collecting information about organizational assets, their descriptions, security threats they face, vulnerabilities, current controls in place, and proposed new controls.
Key to success: Collaboratively meeting with stakeholders, building support, maintaining a positive dialogue, and being well-prepared.
Identifying and Classifying Assets:
Assets are anything valuable to an organization, classified based on their impact:
- High impact: Critical to business operations.
- Moderate impact: Significant but not critical.
- Low impact: Essential but replaceable.
Organizing Risk Information:
Structuring discussions around key questions:
- What assets need protection?
- How valuable are these assets?
- What risks threaten these assets?
- How might these risks cause damage?
- How exposed are these assets to risk?
- What mitigations are currently in place or planned?
Estimating Asset Exposure:
Exposure refers to potential damage to an asset:
- High exposure: Severe or total loss.
- Medium exposure: Limited or moderate loss.
- Low exposure: Minor or no loss.
Estimating Threat Probability:
Assessing the likelihood of threats and vulnerabilities:
- High probability: Likely to occur within a year.
- Medium probability: Expected within two to three years.
- Low probability: Not expected within three years.
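The steps above feed a risk register; the following is an added example (not code from the post) that records each asset with the post's impact, exposure and probability ratings and ranks the register so the most urgent mitigations surface first. The numeric weights and the sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Ordinal scales taken from the post; the numeric weights are an assumption
# added here so the three ratings can be combined into one ranking.
IMPACT = {"high": 3, "moderate": 2, "low": 1}      # how critical the asset is
EXPOSURE = {"high": 3, "medium": 2, "low": 1}      # damage if the threat materialises
# Probability bands mapped to an assumed approximate annual likelihood:
# high = likely within a year, medium = within two to three years,
# low = not expected within three years.
PROBABILITY = {"high": 1.0, "medium": 0.4, "low": 0.2}


@dataclass
class Risk:
    asset: str
    impact: str            # high / moderate / low
    threat: str
    exposure: str          # high / medium / low
    probability: str       # high / medium / low
    controls: list = field(default_factory=list)  # current and proposed mitigations


def validate(risk: Risk) -> None:
    """Reject ratings outside the post's scales so a typo never silently ranks as 'low'."""
    for scale, value in ((IMPACT, risk.impact), (EXPOSURE, risk.exposure),
                         (PROBABILITY, risk.probability)):
        if value.lower() not in scale:
            raise ValueError(f"{risk.asset}/{risk.threat}: unknown rating {value!r}")


def score(risk: Risk) -> float:
    """Impact x exposure approximates loss magnitude; times likelihood gives an expected-loss ordering."""
    validate(risk)
    return round(IMPACT[risk.impact.lower()] * EXPOSURE[risk.exposure.lower()]
                 * PROBABILITY[risk.probability.lower()], 2)


def prioritize(register: list) -> list:
    """Return (asset, threat, score) highest risk first; on ties, risks with fewer controls rank first."""
    ordered = sorted(register, key=lambda r: (-score(r), len(r.controls)))
    return [(r.asset, r.threat, score(r)) for r in ordered]


# Constructed sample register (hypothetical assets, not from the post).
REGISTER = [
    Risk("Customer database", "high", "credential theft", "high", "high", ["MFA (planned)"]),
    Risk("Public website", "moderate", "defacement", "medium", "medium"),
    Risk("Office printer", "low", "hardware failure", "low", "high"),
    Risk("Payroll system", "high", "ransomware", "high", "medium", ["offline backups"]),
]

if __name__ == "__main__":
    for asset, threat, risk_score in prioritize(REGISTER):
        print(f"{risk_score:5.2f}  {asset}: {threat}")
```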