Hi all, I would like to discuss various IT risk assessment methodologies and the methodology you prefer.

Here's the method we follow.

It's going to be a qualitative methodology.

Formula to calculate risk: Risk = Asset value * Threat * Vulnerability.

High - 3, Medium - 2, Low - 1

Asset value: the highest value in AIC (Availability, Integrity, Confidentiality).
AIC values are given based on the impact of loss of each of A, I and C for the asset.
Example: a database server of a critical application will be given High for all three (Availability, Integrity, Confidentiality),
whereas for a user workstation availability will have a lower value, but that doesn't matter since the highest value in the AIC triad is taken as the asset value.

Threat: common threats are considered for a newly provisioned IT asset, i.e. hardware failure, configuration failure, power failure, unauthorized access and many more. Apart from these, threats found from VAPT will be included.

Vulnerability: it's calculated on account of the likelihood of occurrence. We usually check the control gap for the respective threat, and vulnerability is calculated based on that likelihood.

Example: the DB server we spoke about.

Asset value = High = 3

Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3

Hence total risk = 27

Another example.

Asset value = High = 3

Threat = Database corrupted = High = 3

Control implemented: log shipping on the database is set to 60 minutes.

Vulnerability = Data loss = Medium = 2

Hence total risk = 18

For us, the accepted risk value is <= 9. Anything more than that has to undergo a risk treatment plan.

I know our methodology is simple, but we wish to enhance it and make it more accurate.

Kindly share your methodology and the flaws you find in our method.


- G
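Added worked example (my own code, not from the post above or from any tool the poster uses): a small calculator for the qualitative formula the post describes, Risk = Asset value * Threat * Vulnerability, with the 1-3 scale (Low = 1, Medium = 2, High = 3), asset value taken as the highest of the A/I/C impact ratings, and the acceptance threshold of 9. It reproduces the post's two DB-server examples (27 and 18), adds a constructed workstation example, and enumerates every total the 1-3 scale can actually produce, which is a useful thing to look at when judging how coarse such a scale is. Function and class names (`asset_value`, `score_risk`, `RiskRecord`, `reachable_scores`, `treatment_queue`) are my own choices.

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# Qualitative scale from the post: High = 3, Medium = 2, Low = 1.
SCALE: Dict[str, int] = {"Low": 1, "Medium": 2, "High": 3}

# Risk <= 9 is accepted; anything above must go through a risk treatment plan.
ACCEPTED_MAX = 9


def asset_value(availability: str, integrity: str, confidentiality: str) -> int:
    """Asset value is the highest of the three AIC impact ratings."""
    return max(SCALE[availability], SCALE[integrity], SCALE[confidentiality])


@dataclass(frozen=True)
class RiskRecord:
    """One row of the risk register: asset, threat, vulnerability and their scores."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    threat_level: int
    vulnerability_level: int

    @property
    def risk(self) -> int:
        # Risk = Asset value * Threat * Vulnerability
        return self.asset_value * self.threat_level * self.vulnerability_level

    @property
    def needs_treatment(self) -> bool:
        return self.risk > ACCEPTED_MAX


def score_risk(asset: str, aic: Tuple[str, str, str], threat: str, threat_level: str,
               vulnerability: str, vulnerability_level: str) -> RiskRecord:
    """Build a register row from qualitative ratings (strings from SCALE)."""
    return RiskRecord(
        asset=asset,
        threat=threat,
        vulnerability=vulnerability,
        asset_value=asset_value(*aic),
        threat_level=SCALE[threat_level],
        vulnerability_level=SCALE[vulnerability_level],
    )


def treatment_queue(records: List[RiskRecord]) -> List[RiskRecord]:
    """Rows above the accepted threshold, highest risk first."""
    return sorted((r for r in records if r.needs_treatment), key=lambda r: -r.risk)


def reachable_scores() -> Dict[int, List[Tuple[int, int, int]]]:
    """Every total the 1-3 scale can produce, keyed by score.

    Only ten distinct totals exist (1, 2, 3, 4, 6, 8, 9, 12, 18, 27), so the
    threshold of 9 effectively splits the register into seven accepted totals
    and three that always require treatment.
    """
    scores: Dict[int, List[Tuple[int, int, int]]] = {}
    for a, t, v in product(SCALE.values(), repeat=3):
        scores.setdefault(a * t * v, []).append((a, t, v))
    return scores


# Constructed sample register: the post's two DB-server examples plus a workstation row.
SAMPLE_REGISTER = [
    score_risk("DB server", ("High", "High", "High"),
               "unauthorized access", "High", "inadequate access control", "High"),
    score_risk("DB server", ("High", "High", "High"),
               "database corrupted", "High", "data loss (log shipping every 60 min)", "Medium"),
    score_risk("user workstation", ("Low", "Medium", "Medium"),   # constructed ratings
               "hardware failure", "Medium", "no spare unit", "Medium"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        status = "TREAT" if r.needs_treatment else "accept"
        print(f"{r.asset:16} {r.threat:22} risk={r.risk:2} {status}")
    print("reachable totals:", sorted(reachable_scores()))
```

The `reachable_scores` output is the part worth studying before tuning the threshold: with a three-level scale and a multiplicative formula, any row with two Highs and one Medium or above lands at 18 or 27, and nothing can score between 9 and 12.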


