Question

Your first lab is to create a risk assessment for your company in your project. You will have to make some assumptions about your company in order to do this project. Some things should be obvious because of the type of data that is involved.

Answer 1

In general, as a whole, and from a broad perspective creating a risk assessment is to identify, assess, and implement key security controls in applications.

Creation of a risk assessment for a company, making some assumptions about the company, keeping some things obvious because of the type of data that is involved, and the below is also a checklist to be maintained and followed up:

* Characterizing and categorizing the system and its type. The system could be a process, function, or and application.
* Identifying, determining, and listing all the threats.
* Determining different deep-rooted risks and impacts.
* Analyzing the control environment.
* Determining a likelihood rating.
* Calculating the risk rating.
* Identifying all possible hazards.
* Determining and deciding who might be possibly harmed and how.
* Evaluating the risks and deciding on control measures, steps, and actions.
* Observing, collecting, reviewing, recording, storing, and preserving the findings and implementing the same.
* Reviewing the assessment and updating it if necessary.
* Identifying and preventing application security defects, bugs, errors, issues, and vulnerabilities.
* Risk assessment should be made an integral part of the company's risk management process.
* Identifying and prioritizing assets, especially IT assets, and critical and valuable assets.
* Securing company data.
* Determining the top five business processes utilizing or requiring this information or data of the company.
* All factors must be high, as even if one single factor is zero when it is multiplied by the other factors, the result would be zero.
* Analyzing controls.
* Determining the possibility of an incident.
* Assessing the impact a threat could cause, and the degree of the impact.
* Assessing and estimating the loss, damage, hurt, or harm caused due to the threats or attacks.
* Prioritizing the information security risks.
* Making security job zero.
* Recommending controls.
* Documenting the results.
* Risk is to be determined, calculated, and computed based on the below formula:
Risk = Asset X Threat X Vulnerability
* Identifying potential and possible consequences.
* Identifying different threats and their levels.
* Assessing different risks.
* Identifying different risks.
* Estimating different risks.
* Evaluating different risks.
* Mitigating the different risks.
* Monitoring and reviewing different risks.
* Creating a risk management plan.
* Creating a strategy.
* Defining mitigation processes.
* Following the Event -> Response -> Analysis -> Mitigation