Risk Assessment
Risk assessment is a key component of a holistic, organization-wide risk management process.
Risk Management Processes include:
- Framing Risk
- Assessing risk
- Responding to risk
- Monitoring risk.
Risk Assessment
Risk assessment is the process of identifying, estimating and prioritizing information security risks.
The purpose of the risk assessment component is to identify:
- Threats to the organization (i.e., its operations, assets, or individuals) or threats directed through the organization against other organizations.
- Vulnerabilities internal and external to the organization.
- The harm (i.e., adverse impact) that may occur given the potential for threats exploiting vulnerabilities.
- The likelihood that harm will occur.
Critical Aspects of Risk Assessment
At a minimum, the risk assessment should cover:
- Risk of service failure and associated impact
- Insider threat risk impact: for example, what happens if a cloud provider system administrator steals customer data?
- Risk that a compromised customer poses to other tenants in the cloud environment
- Risk of denial-of-service (DoS) attacks
- Supply chain risk to the cloud provider
Controls should be in place to mitigate the identified risks.
Risk Response
Risk response provides a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
- Developing alternative courses of action for responding to risk
- Evaluating the alternative courses of action
- Determining appropriate courses of action consistent with organizational risk tolerance
- Implementing the risk response based on the selected courses of action.
Potential controls and solutions:
- Data Leakage Prevention (DLP): For auditing and preventing unauthorized data exfiltration.
- Encryption: For preventing unauthorized viewing of data.
- Obfuscation, anonymization, tokenization, and masking: Different alternatives for protecting data without encryption.
Risk Assessment/Analysis
In the end, every cloud-consuming or cloud-providing organization remains responsible for its own risk assessment.
The following general categories of risk can be identified:
- Policy and Organization Risks
- Technical Risks
- Virtualization Risks
- Specific Technical Risks
- Legal Risks
- Non-Cloud-Specific Risks