Security Risk Assessment

A security risk assessment identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities.

Carrying out a risk assessment allows an organization to view the application portfolio holistically - from an attacker's perspective. It supports managers in making informed resource allocation, tooling, and security control implementation decisions. Thus, conducting an assessment is an integral part of an organization's risk management process.

• We assess to understand the Cyber/IT security posture of a company, the accepted best practice - and surest way is to conduct a security risk assessment. A security risk assessment consists of a vulnerability assessment and assessing risks posed by weak, incomplete or absent policy, procedures, personnel, technology and strategy related to IT Security.

1. Identify company assets– these could be proprietary information, hardware, software, client information, network topology, etc. It's best to collaborate with other departments to determine other valuable company assets and which ones to prioritize.
2. What are the threats?- be aware of these main sources of threats:
   • Natural disasters
   • Human error / malicious intent
   • System failure
3. What are the vulnerabilities?- Vulnerabilities are weaknesses in security that can expose assets to threats. Conduct internal audits, penetration testing, etc, to find vulnerabilities in your organization.

4. Likelihood of incidents- assess the assets' vulnerability to threats and the likelihood of an incident happening.
5. What are the possible repercussions?– One or a combination of the following can happen if company assets get impacted by threats: legal action, data loss, production downtime, fines and penalties, negative impact on company reputation, etc.
6. Determine controls- Determine what controls are already existing to mitigate threats. New controls may need to be implemented or old ones updated to adapt to new and changing threats.
7. Continuous improvement- Document and review the results of risk assessments and always watch out for new threats.