Risk Assessment

Risk assessment is a key component of a holistic, organization-wide risk management process.

The risk management process includes:

  • Framing risk
  • Assessing risk
  • Responding to risk
  • Monitoring risk.

Risk Assessment

Risk assessment is the process of identifying, estimating, and prioritizing information security risks.

The purpose of the risk assessment component is to identify:

  • Threats to the organization (i.e., its operations, assets, or individuals), or threats directed through the organization against other organizations
  • Vulnerabilities internal and external to the organization
  • The harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities
  • The likelihood that harm will occur.

Critical Aspects of Risk Assessment

At a minimum, the risk assessment should cover:

  • Risk of service failure and its associated impact
  • Insider threat risk and impact: for example, what happens if a cloud provider system administrator steals customer data?
  • Risk that a compromised customer poses to other tenants in the cloud environment
  • Risk of denial-of-service (DoS) attacks
  • Supply chain risk to the cloud provider

Controls should be in place to mitigate each identified risk.

Risk Response

Risk response provides a consistent, organization-wide response to risk in accordance with the organizational risk frame by:

  • Developing alternative courses of action for responding to risk
  • Evaluating the alternative courses of action
  • Determining the appropriate courses of action consistent with organizational risk tolerance
  • Implementing risk responses based on the selected courses of action.

Potential controls and solutions:

  • Data Leakage Prevention (DLP): for auditing and preventing unauthorized data exfiltration
  • Encryption: for preventing unauthorized viewing of data
  • Obfuscation, anonymization, tokenization, and masking: alternatives for protecting data without encryption. Note that these differ in reversibility: a token can be mapped back to the original value only by whoever holds the token vault, whereas masking discards the hidden characters outright.
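The following Python snippet is an added example, not from the original notes, showing the practical difference between the three non-encryption controls listed above: vault-based tokenization (reversible only via the vault), irreversible masking, and keyed pseudonymization. All names (`TokenVault`, `mask_pan`, `pseudonymize`) are hypothetical, the in-memory dict stands in for a real, separately secured vault, and the sample card number is the well-known Visa test PAN 4111 1111 1111 1111, used here as constructed input. The token is generated with `secrets` (not `random`) and is rejected if it happens to pass the Luhn check, so a token can never be mistaken for a real card number.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). True for real card numbers such as the test PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory tokenization vault (illustration only).

    In production the two maps live in a hardened, access-controlled store;
    a plain dict is used here so the example runs offline.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a same-length, digits-only token for a PAN (spaces ignored).

        The same PAN always yields the same token, so tokenized records can
        still be joined or deduplicated without exposing the real value.
        """
        value = "".join(ch for ch in pan if ch.isdigit())
        if not value:
            raise ValueError("PAN contains no digits")
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Cryptographically random digits; `random` would be predictable.
            token = "".join(secrets.choice("0123456789") for _ in range(len(value)))
            # Reject collisions, the identity mapping, and anything Luhn-valid.
            if token != value and token not in self._token_to_value and not luhn_valid(token):
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse the mapping; only a holder of the vault can do this."""
        return self._token_to_value.get(token)


def mask_pan(pan: str, keep_last: int = 4, fill: str = "*") -> str:
    """Irreversible masking: keep only the last `keep_last` digits (PCI-style display)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= keep_last:
        # Too short to reveal anything safely: mask everything.
        return fill * len(digits)
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).

    Consistent per key, so analytics can still group by subject, but cannot be
    reversed or correlated across datasets that use different keys.  An
    unkeyed hash would be weaker: low-entropy inputs (emails, PANs) could be
    recovered by simply hashing guesses.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    sample_pan = "4111 1111 1111 1111"  # constructed sample: Visa test number
    tok = vault.tokenize(sample_pan)
    print("token      :", tok)
    print("detokenized:", vault.detokenize(tok))
    print("masked     :", mask_pan(sample_pan))
    print("pseudonym  :", pseudonymize("alice@example.com", b"analytics-key"))
```

Choosing between these is a risk-response decision in the sense of the list above: tokenization keeps a reversible path (and therefore a vault to protect), masking removes the data from the display path entirely, and keyed pseudonymization preserves joins for analytics while keeping the key as the only way to correlate records across datasets.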

Risk Assessment/Analysis

In the end, every cloud-consuming or cloud-providing organization remains responsible for its own risk assessment.

The following general categories of risk can be identified:

  • Policy and Organization Risks
  • Technical Risks
  • Virtualization Risks
  • Specific Technical Risks
  • Legal Risks
  • Non-Cloud-Specific Risks