Risk Assessment

Risk assessment is a key component of holistic, organization-wide risk management process.

Risk Management Processes include:

Risk Assessment

Risk assessment is the process of identifying, estimating and prioritizing information security risks.

The purpose of the risk assessment component is to identity.

Threats to organization (i.e, operation, assets, or individuals) or threats directed through organization against other organizations.
Vulnerabilities internal and external to organizations
The harm (i.e.,, adverse impact) that may occur give the potential for threats exploiting vulnerabilities.
The likelihood that harm will occur.

Critical Aspect of Risk Assessment

At minimum, the risk assessment should cover:

Risk of service failure and associated impact
Insider threat risk impact: for example, what happens if a cloud provider system administrator steals customer data?
Risk of compromised customer to other tenants in the cloud environment
Risk of denial-of-service attacks (DOS).
Supply chain risk to the cloud provider

Control should be in place to mitigate identified risks.

Risk Response

Risk response provides a consistent, organization-wide response ot risk in accordance with the organizational risk frame by:

Developing alternative course of action for responding to risk
Evaluating the alternative courses of action
Determine appropriate courses of actions consistent with organizational risk tolerance
Implementing risk response based on selected courses of actions.

Potential controls and solution:

Data Leakage Prevention (DLP): For auditing and preventing unauthorized data exfiltration.
Encryption: For preventing unauthorized data viewing
Obfuscation, Anonymization, tokenization, and masking: Different alternative for protecting data without encryption.

Risk Assessment/Analysis

In the end every cloud-consuming or cloud-providing organization remains responsible for its own risk assessment.

The following general categories of risk can be identified.

Published by Upen Patel