This paper covers the basics of IT risk assessment. To learn more about this topic we
recommend taking the SANS SEC410 IT Security Audit and Control Essentials course, available
both online and via live classroom training.
The fundamental precept of information security is to support the mission of the organization.
All organizations are exposed to uncertainties, some of which impact the organization in a
negative manner. In order to support the organization, IT security professionals must be able to
help their organizations’ management understand and manage these uncertainties.
Managing uncertainties is not an easy task. Limited resources and an
Risk management is nothing new. There are many tools and techniques available for managing
organizational risks. There are even a number of tools and techniques that focus on managing
risks to information systems. This paper explores the issue of risk management with respect to
information systems and seeks to answer the following questions:
• What is risk with respect to information systems?
• Why is it important to understand risk?
• How is risk assessed?
• How is risk managed?
• What are some common risk assessment/management methodologies and tools?
3 What Is Risk With Respect To Information Systems?
Risk is the potential harm that may arise from some current process or from some future event.
Risk is present in every aspect of our lives and many different disciplines focus on risk as it
applies to them. From the IT security perspective, risk management is the process of
understanding and responding to factors that may lead to a failure in the confidentiality, integrity
or availability of an information system. IT security risk is the harm to a process or the related
information resulting from some purposeful or accidental event that negatively impacts the
process or the related information.
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential
vulnerability, and the resulting impact of that adverse event on the organization.i
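As an added illustration of the definition above (risk as a function of the likelihood that a threat-source exercises a vulnerability and the resulting impact), the following Python is example code written for this edit; it is not from the paper and not NIST's own method. The numeric weights, the band thresholds and the sample register are all constructed assumptions in the spirit of a qualitative High/Medium/Low scale, chosen so that each risk in a register can be scored and ranked for management.

```python
# Added example, not from the paper: score and rank risks as likelihood x impact.
# Weights and thresholds below are constructed for illustration (assumptions),
# modelled loosely on a qualitative High/Medium/Low scale.
from dataclasses import dataclass

# Likelihood that the threat-source exercises the vulnerability (constructed weights).
LIKELIHOOD = {"low": 1, "medium": 5, "high": 10}
# Magnitude of harm to the process or information if it happens (constructed weights).
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat_source: str
    vulnerability: str
    property_at_risk: str   # "confidentiality", "integrity" or "availability"
    likelihood: str         # key of LIKELIHOOD
    impact: str             # key of IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood of the threat-source exercising the vulnerability x resulting impact."""
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use low, medium or high") from None


def risk_level(score: int) -> str:
    """Map a numeric score onto qualitative bands (constructed thresholds)."""
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (risk, score, level) tuples with the highest-scoring risk first."""
    scored = [(r, risk_score(r.likelihood, r.impact)) for r in register]
    scored.sort(key=lambda pair: pair[1], reverse=True)   # stable: ties keep register order
    return [(r, s, risk_level(s)) for r, s in scored]


# Constructed sample register (hypothetical assets and findings, not from the paper).
SAMPLE_REGISTER = [
    Risk("payroll DB", "external attacker", "unpatched web front end", "confidentiality", "high", "high"),
    Risk("file server", "hardware failure", "single disk, no backup", "availability", "high", "medium"),
    Risk("intranet wiki", "curious employee", "overly broad read permissions", "confidentiality", "high", "low"),
    Risk("HR laptop", "theft", "unencrypted disk", "confidentiality", "low", "high"),
]

if __name__ == "__main__":
    for r, score, level in prioritize(SAMPLE_REGISTER):
        print(f"{level:6} {score:5d}  {r.asset}: {r.threat_source} via {r.vulnerability} ({r.property_at_risk})")
```

The ranking is what management acts on: the two "Low" entries here have identical scores but very different causes, which is why the register keeps the threat-source, vulnerability and affected property alongside the number rather than reporting the score alone.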
One of the most widely used definitions of threat and threat-source can be found in the National
Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-30, Risk