Performing a risk assessment is crucial for applying security by design. Without a risk assessment you waste time, effort and resources. There is no point implementing security measures to defend against events if you do not know if they are relevant for your situation.
You must understand the value, importance, and sensitivity of your information that is involved in your new product. Vulnerability assessment is a key factor in security.
Following a risk management approach will help you identify other scenarios that could occur in your organisation.
Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection.
A typical risk assessment consists of collecting a lot of information. Information that is typically needed for a good risk assessment is:
Security requirements and objectives.
System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected.
Information available to the public or accessible from the organization’s web site Physical assets, such as hardware, including those in the data centre, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)
Operating systems, such as PC and server operating systems, and network management systems
Data repositories, such as database management systems and files
A listing of all applications
Network details, such as supported protocols and network services offered
Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring
Security components deployed, such as firewalls and intrusion detection systems
Processes, such as a business process, computer operation process, network operation process and application operation process
Identification and authentication mechanisms
Government laws and regulations pertaining to minimum security control requirements
Documented or informal policies, procedures and guidelines
Doing a risk assessment (RA) is time consuming and often expensive. But you must do it. At least once. Since the only certainty is continuous change: It is very important to repeat your risk assessment on regular intervals. This is a must do from your security management plan. And the only way to stay in control.
Try to automate and reuse collected information from previous assessments easier and generate information where and whenever possible.