Threat and Risk Analysis
You have a good IT infrastructure and it is working fine. Have you ever considered how many threats and risks it faces? Every business carries risk. Every piece of equipment is prone to failure, and a failure can mean business loss. Then there are terrorism and natural calamities. Is your IT infrastructure capable of handling all of these threats and risks?
A risk analysis is a systematic examination of the assets, threats, and vulnerabilities in your organization. It provides the foundation for developing an appropriate IT security program, and it is essential for determining the level of protection required for your IT infrastructure: networks, applications, systems, facilities and other enterprise assets.
A risk analysis shall identify the dependencies and vulnerabilities of existing IT assets, the probability of threats to those assets occurring, and the possible damage or loss if they do occur. It shall also identify the safeguards or countermeasures to be designed to reduce the threats and vulnerabilities to an acceptable level.
For every threat you can have more than one strategy or countermeasure. Depending on the seriousness of the threat, adopt the strategy that makes the best use of the available resources.
The main goal of the risk analysis process is to determine an acceptable level of risk that takes into account the security of the organization and its shared resources. It shall also address the business strategy and the overall cost of the countermeasures.
A risk analysis must be done when significant new processes or systems are introduced or being considered, and when major changes are made to an organization's existing IT infrastructure.
The following areas shall be covered when conducting a risk analysis.
Information Asset Review
Identify the criteria for taking inventory of your IT infrastructure and document them. Do an exhaustive, item-by-item asset review and record the results. All hardware and software must be properly identified. Identify the assets that are critical to ongoing operations or that contain confidential or critical data. If you are introducing new systems or processes, review whether the current IT infrastructure can meet the new requirement. If you are procuring new systems (software and/or hardware), analyze whether they create any mismatch or introduce a threat to the IT flow.
Business Impact Analysis
These days the entire business depends on your IT infrastructure, and any failure of the computing environment disrupts the business. If you have an ERP system, you may have configured the equipment dispatch procedure in it. If the workstation fails, you cannot simply dispatch the equipment, even if the manufactured equipment is ready. You need a strategy in place to handle these failures. Do you have an alternative server on hand to swap in, or replication/backup in place? What if your email system fails and critical business mails bounce?
Hence the purpose of the business impact analysis is to document the potential impact of the loss of each asset on your organization. Consider all the possible losses, covering operational, financial, and legal impacts.
Vulnerability Analysis
Every IT infrastructure has its own vulnerabilities, so a vulnerability analysis is used to identify the vulnerabilities associated with each information asset. By now you will have completed the information asset review; now analyze the vulnerabilities associated with the existing IT infrastructure.
Threat Analysis
An IT infrastructure handles a lot of data and communications. More and more telecommunication resources depend on computers, and telecommunication is becoming an integral part of the IT infrastructure. A threat analysis shall be conducted to identify threats that could result in the intentional or accidental destruction or modification of data. A threat can originate from outside as well as from within the organization. External threats are easier to handle, with firewalls and similar controls. Internal threats are the most difficult, as insiders may know more about how your systems can be broken. Address all kinds of threats.
Risk Analysis
Consolidate and review the vulnerabilities and threats to all identified assets of your IT infrastructure. This is called risk analysis. It determines the likelihood and impact of the vulnerabilities and threats and so lays the foundation for security program planning.
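As an added example (not part of the original article), the following Python risk register consolidates the asset, threat and vulnerability entries, scores each risk as likelihood times the worst BIA impact, flags those above the acceptable level, and ranks candidate countermeasures by risk reduction per unit of cost, covering both the countermeasure selection discussed earlier and the consolidation step here. All assets, scores and costs are constructed values, and the 1-to-5 scales and the scoring rule are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int      # 1 (rare) .. 5 (almost certain); assumed scale
    impact: dict         # BIA dimensions (operational/financial/legal), each 1..5

    def score(self) -> int:
        # The worst BIA dimension drives impact: a severe legal loss is not offset by a mild operational one.
        return self.likelihood * max(self.impact.values())

@dataclass
class Countermeasure:
    name: str
    cost: int            # constructed relative cost units
    residual: dict       # (asset, threat) -> (likelihood, impact) once applied

REGISTER = [  # constructed scenarios based on the article's own examples
    Risk("ERP workstation", "hardware failure", "no spare or replication",
         4, {"operational": 5, "financial": 4, "legal": 2}),
    Risk("Mail server", "outage", "single server, no failover",
         3, {"operational": 4, "financial": 3, "legal": 3}),
    Risk("Backups", "fire at primary site", "backups kept on same site",
         1, {"operational": 5, "financial": 5, "legal": 4}),
    Risk("Customer database", "insider misuse", "broad user privileges",
         2, {"operational": 2, "financial": 4, "legal": 5}),
]
MEASURES = [  # constructed countermeasures and costs
    Countermeasure("Spare workstation plus replication", 4,
                   {("ERP workstation", "hardware failure"): (1, 5)}),
    Countermeasure("Secondary mail server", 6, {("Mail server", "outage"): (1, 4)}),
    Countermeasure("Off-site backup copies", 2, {("Backups", "fire at primary site"): (1, 2)}),
    Countermeasure("Least-privilege review", 3, {("Customer database", "insider misuse"): (1, 5)}),
]

def unacceptable(register, acceptable_level):
    """Risks above the agreed acceptable level, highest score first."""
    return sorted((r for r in register if r.score() > acceptable_level),
                  key=lambda r: r.score(), reverse=True)

def rank_countermeasures(register, measures):
    """Rank measures by risk reduction per unit cost, best value first."""
    by_key = {(r.asset, r.threat): r for r in register}
    ranked = []
    for m in measures:
        reduction = sum(by_key[k].score() - lik * imp for k, (lik, imp) in m.residual.items())
        ranked.append((round(reduction / m.cost, 2), reduction, m.name))
    return sorted(ranked, reverse=True)
```

With an acceptable level of 9, the backup risk stays below the line despite its maximum impact because its likelihood is low, while the ranking shows the cheap workstation spare buys far more risk reduction per unit of cost than the mail server failover.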
Conclusion:
You know your IT infrastructure well, and you are the best person to identify the vulnerabilities and risks in it. Review and document them properly. Educate the users of the computing environment in the effective use of the hardware and software; any unintentional data damage affects the organization and its business. Take care of backups (preferably in a geographically different location) and never keep a backup on the same machine. Keep your disaster recovery programs in place. Email has become critical in today's world; ensure that the email flow is never interrupted. As long as your computing environment is healthy, you can have a nice and peaceful life.