Furthermore, a risk-management process will help you prioritize these issues should you lack the resources necessary to address them all immediately.
1. Establish the risk assessment team. The team is formed to collect, analyze and report the assessments to management. It is important that all aspects of the activity workflow be represented on the team, including human resources, administrative processes, automated systems, and physical security. The reason is to plan ahead so that the assessment is easier to carry out. The team members, for their part, will have to attend and participate in the meetings and take responsibility for achieving the goals and objectives. They will also have to work at effective teamwork and communication, share responsibility for all team decisions, and share their knowledge and expertise with the team. Team members will have to provide leadership where appropriate and, last but not least, participate in training sessions where required.
2. Set the scope of the project. ...
should identify at the outset the objective of the assessment project, the department or functional area to be assessed, the responsibilities of the members of the team, the personnel to be interviewed, the standards to be used, the documentation to be reviewed, and the operations to be observed. When the scope of a project is agreed, the output is expressed in terms of time and cost. Scope is important because experienced team members know how changes in scope cause problems. Scope does tend to change as work proceeds, since team members cannot foresee every outcome at the start.
3. Identify assets covered by the assessment. Assets may include, but are not limited to, personnel, hardware, software, data (including classification of sensitivity and criticality), facilities, and current controls that safeguard those assets. It is key to identify all assets associated with the assessment project determined in the scope.
4. Categorize potential losses. Identify the losses that could result from any type of damage to an asset. Losses may result from physical damage, denial of service, modification, unauthorized access, or disclosure. Losses may be intangible, such as the loss of the organization's credibility. Only after these losses are known can the team think about the threats that may cause them. More than one individual should gather the potential losses and related information, and everyone can contribute his or her own comments. The more possibilities the team identifies, the better prepared it becomes in case of an event.
5. Identify threats and vulnerabilities. A threat is an event, process, activity, or action that exploits a vulnerability to attack an asset. Include natural threats, accidental threats, human accidental threats, and human malicious threats. These could include power