So you're tasked with performing a risk assessment within your organization. You searched Google and came across this article, or maybe found it posted on LinkedIn, and you want to get down and dirty with risk. This article focuses on what risk is and why it matters, and on how to perform a simple assessment on your path to mitigation.
What is Risk?
A typical definition of risk is something along the lines of "the likelihood of a loss, financial or otherwise, to your organization." Simple enough, but an easy way to determine whether something is truly a risk is to ask yourself (or your manager), "What is the impact on the business?" Risk is a business concept, not just another trendy buzzword in our industry, and it covers far more than IT. Hackers and cyber security theory are actually the minority of what risk is about: human error, equipment and software failure, and natural disasters are among the hot topics in risk management.
Why is Risk Important?
Try looking through a different lens. You're a stakeholder at an organization. The organization has servers exposed to the Internet to some extent. Your organization pays Bob down the street, who does part-time web design, to maintain your data center. Bob prefers Netgear routers over Linksys. Do you see where I am going with this? As a stakeholder, you SHOULD be concerned about risk. Your business is sitting out there on the Internet behind some kind of firewall. Is it secure and locked down? Is it actively monitored? Is it being updated? I can think of dozens more questions off the top of my head, and at the end of the day, risk is very important.
From an IT standpoint, a simple risk assessment can be conducted with a SWOT analysis; search for the term if you want more detail. Basically, you write down all of the Strengths, Weaknesses, Opportunities, and Threats you can think of about your environment. Think software, hardware, storage, physical security, patch management, redundancies, etc. List all of those things along with any known vulnerability, then form a risk committee to discuss and build the list out further. Once the committee has discussed the outcome, spin off action items to mitigate each risk, starting with the ones that are most likely and would hurt the business the most.
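To make the committee's list actionable, it helps to capture each item in a small risk register and score it by likelihood and business impact, which are the two ingredients in the definition of risk above. The following is an added example (not code from the original article): a minimal Python register with an assumed 1-to-5 scale for each factor, assumed rating thresholds, and a constructed set of sample entries covering the article's categories (attackers, human error, equipment failure, natural disaster). It sorts the register by score and emits the action items the committee should spin off first.

```python
"""Minimal risk register: score each identified risk by likelihood x impact
and turn the highest-scoring items into action items for the risk committee.

The 1..5 scales, the rating thresholds and the sample entries are assumptions
constructed for illustration; substitute your own environment's findings.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    category: str      # e.g. "attacker", "human error", "equipment failure", "natural disaster"
    likelihood: int    # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int        # 1 (negligible) .. 5 (business-stopping), assumed scale
    mitigation: str    # proposed action item

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    def rating(self) -> str:
        # Thresholds are an assumed convention for this example, not a standard
        if self.score >= 15:
            return "critical"
        if self.score >= 8:
            return "high"
        if self.score >= 4:
            return "medium"
        return "low"


def validate(risk: Risk) -> None:
    """Reject entries outside the assumed 1..5 scales before they skew the ranking."""
    for field_name in ("likelihood", "impact"):
        value = getattr(risk, field_name)
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {field_name} must be 1..5, got {value}")


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Return risks sorted highest score first; ties broken by impact."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)


def action_items(risks: list[Risk], min_rating: str = "high") -> list[str]:
    """Action items for every risk rated at or above min_rating, highest first."""
    order = ["low", "medium", "high", "critical"]
    threshold = order.index(min_rating)
    return [f"[{r.rating().upper()}] {r.name}: {r.mitigation}"
            for r in prioritize(risks)
            if order.index(r.rating()) >= threshold]


# Constructed sample register mirroring the article's risk categories
SAMPLE_REGISTER = [
    Risk("Internet-facing web server missing security patches", "attacker", 4, 4,
         "enrol the server in a monthly patch cycle; scan externally after each cycle"),
    Risk("A single part-time contractor holds all data centre access", "human error", 3, 5,
         "document procedures; add a second named administrator"),
    Risk("Core switch has a single power supply and no spare", "equipment failure", 2, 4,
         "stock a spare; fit a redundant PSU"),
    Risk("Flooding of the ground-floor server room", "natural disaster", 1, 5,
         "verify off-site backups restore; test quarterly"),
    Risk("Firewall logs are collected but nobody reviews them", "attacker", 3, 3,
         "forward logs to the SIEM; assign a weekly review"),
]

if __name__ == "__main__":
    for line in action_items(SAMPLE_REGISTER, min_rating="medium"):
        print(line)
```

The scoring is deliberately crude: it exists to force the committee to argue about two numbers per item rather than to produce precision. The validation step matters more than it looks, since a single out-of-range entry (a 10 on a 5-point scale) would silently push everything else down the list.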
Full risk assessments should be conducted quarterly. If your enterprise is large enough to have IT security personnel, this will be a big part of their job: risk mitigation enforcement and auditing. Risk committees should be made up of professionals who know the environment inside and out. If you follow the basics of risk outlined in this article, you should have a good start on managing risk and making your auditors happy (as well as your stakeholders)!