Starting a full security risk assessment in an organisation of any size can be extremely daunting if it’s something you’ve never tried before. However, before you get too involved in complicated charts, diagrams and long drawn-out forms and flowcharts, it’s best to take a step back. There’s a simple goal here: to assess and address the security risks in your organisation. It’s presumably a subject you already have some opinion and knowledge about, so stay focused and don’t turn the exercise into something too complicated to have any practical use.
Many people, when questioned as part of a risk assessment, will start to look at the nuts and bolts of the system before they answer. They’ll give opinions on just how weak this or that component is, how someone could gain access to it and to people’s documents, and so on. That’s just a technical evaluation of the system, which might or might not be useful. Whether it’s useful depends on the answer to an essential question, and the experienced security professional will have asked that question before answering the enquirer. If the system is not being used for its intended purpose, that’s a separate issue, but it can obviously have an impact on security in certain instances.
For example, if company PCs are being used to stream video, or to reach inappropriate sites in order to watch ITV Stream abroad whilst at work, this introduces additional risks. Not only could the security of the internal network be affected by what those sites deliver, but large volumes of video pulled across the network will also degrade its speed for everyone else. This behaviour should certainly be flagged if it is encountered during the assessment, even though finding it is not the primary purpose of the investigation.
The important question is: what do you mean by secure? Security is a relative term. There is no absolute scale of security, and “secure” and “insecure” only make sense as attributes of something you consider valuable. Something that is somehow at risk needs to be secured. How much security does it need? That depends on its value and on the operational threat to it. How do you measure the operational threat? Now you’re getting into the real questions, the ones that lead to an understanding of what you actually mean by the term secure. Measuring and prioritising business risk matters because security is used to defend things of value.
In a business environment, things that have value are usually called assets. If an asset is somehow damaged or destroyed, you suffer a business impact. A prospective event through which you could suffer that damage or destruction is a threat. To prevent threats from crystallising into loss events with a business impact, you place a layer of protection between the threats and your assets. Where an asset is poorly protected, you have a vulnerability to the threat. To improve the protection and reduce the vulnerability, you introduce security controls, which may be either technical or procedural.
The process of identifying business assets, recognising the threats, assessing the degree of business impact that would be suffered if the threats were to crystallise, and analysing the vulnerabilities is known as operational risk assessment. Implementing suitable controls that strike a balance between usability, security, cost and other business needs is called operational risk mitigation. Operational risk assessment and operational risk mitigation together make up what can be called operational risk management. Later chapters in this book examine operational risk management in detail and will help you deal with actual incidents, such as people trying to watch the BBC from abroad via your internal VPN server. The main thing you need to understand at this stage is that risk management is all about identifying and prioritising the risks during the risk assessment process, and then applying degrees of control in line with those priorities.
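The assessment-then-mitigation cycle described above can be made concrete as a small risk register. The following is an added worked example, not code from the original page or book: the assets, threats, likelihood and impact scores, controls, costs and usability penalties are all constructed to illustrate the method. It scores each threat as likelihood multiplied by the asset’s value, ranks them (assessment), and then selects controls greedily by risk reduction per unit of cost, subject to a budget and a usability ceiling (mitigation), before re-ranking the residual risks.

```python
"""Operational risk assessment and mitigation as a small, runnable model.

Added illustration only: every asset, threat, score, control and cost here is
constructed for the example and is not drawn from the original text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business impact if damaged or destroyed, 1 (minor) .. 5 (severe)


@dataclass
class Threat:
    name: str
    asset: Asset
    likelihood: int  # 1 (rare) .. 5 (near certain), given current vulnerabilities

    def risk(self) -> int:
        # Risk score = how likely the threat crystallises x impact on the asset
        return self.likelihood * self.asset.value


@dataclass
class Control:
    name: str
    reductions: dict        # threat name -> likelihood points this control removes
    cost: int               # implementation cost in constructed units
    usability_penalty: int  # 0 (invisible to staff) .. 3 (blocks normal work)


FLOOR = 1  # no control drives likelihood to zero; some residual risk always remains


def assess(threats):
    """Risk assessment: rank threats by current risk, highest first."""
    return sorted(threats, key=lambda t: (-t.risk(), t.name))


def risk_reduction(control, threats):
    """Risk removed by a control given the threats' *current* likelihoods."""
    by_name = {t.name: t for t in threats}
    total = 0
    for tname, points in control.reductions.items():
        t = by_name[tname]
        total += (t.likelihood - max(FLOOR, t.likelihood - points)) * t.asset.value
    return total


def mitigate(threats, controls, budget, max_usability_penalty):
    """Risk mitigation: repeatedly buy the affordable control with the best
    risk reduction per unit cost, skipping controls that hurt usability too
    much. Mutates threat likelihoods; returns (chosen controls, re-ranked threats)."""
    chosen, remaining = [], budget
    available = [c for c in controls if c.usability_penalty <= max_usability_penalty]
    while True:
        candidates = [c for c in available
                      if c.cost <= remaining and risk_reduction(c, threats) > 0]
        if not candidates:
            break
        best = max(candidates, key=lambda c: (risk_reduction(c, threats) / c.cost, -c.cost))
        for tname, points in best.reductions.items():
            t = next(t for t in threats if t.name == tname)
            t.likelihood = max(FLOOR, t.likelihood - points)
        chosen.append(best)
        available.remove(best)
        remaining -= best.cost
    return chosen, assess(threats)


# Constructed register (hypothetical organisation, scores chosen for illustration)
SQLI = "SQL injection against the customer database"
STREAM_MALWARE = "malware from unsanctioned streaming sites"
BANDWIDTH = "video streaming exhausting office bandwidth"
THEFT = "laptop theft"


def build_register():
    customer_db = Asset("customer database", 5)
    laptops = Asset("staff laptops", 3)
    network = Asset("office network bandwidth", 2)
    threats = [
        Threat(SQLI, customer_db, 4),
        Threat(STREAM_MALWARE, laptops, 3),
        Threat(BANDWIDTH, network, 4),
        Threat(THEFT, laptops, 2),
    ]
    controls = [
        Control("parameterised queries in the web app", {SQLI: 3}, cost=8, usability_penalty=0),
        Control("web application firewall", {SQLI: 1}, cost=5, usability_penalty=0),
        Control("proxy category filter for streaming sites",
                {STREAM_MALWARE: 2, BANDWIDTH: 3}, cost=4, usability_penalty=1),
        Control("block all outbound web access",  # cheap but unusable for staff
                {STREAM_MALWARE: 2, BANDWIDTH: 3}, cost=1, usability_penalty=3),
        Control("full-disk encryption on laptops", {THEFT: 1}, cost=3, usability_penalty=0),
    ]
    return threats, controls


def run_example(budget=12, max_usability_penalty=2):
    threats, controls = build_register()
    inherent_total = sum(t.risk() for t in threats)
    chosen, residual = mitigate(threats, controls, budget, max_usability_penalty)
    return {
        "inherent_total": inherent_total,
        "chosen": [c.name for c in chosen],
        "residual_total": sum(t.risk() for t in residual),
        "residual_order": [(t.name, t.risk()) for t in residual],
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two points the paragraph alone does not show fall out of running this. First, the usability ceiling rejects “block all outbound web access” even though it is by far the cheapest way to remove the streaming risks; the proxy filter is chosen instead because it strikes the balance the text describes. Second, once the two best controls have consumed the budget, the ranking changes: laptop theft, which started near the bottom, becomes the largest residual risk, which is exactly why the assessment must be re-run after mitigation rather than treated as a one-off.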