Wednesday, October 9, 2019

Overview of IS Risk Assessment (IP) Research Paper

The measurements used in risk assessment consist of (Sun, Srivastava, & Mock, 2006):

- Cost of protecting the information and information systems
- Value of the information and information systems
- Threat probability and occurrence
- Effectiveness of controls

Prior to Risk Assessment

Before a risk assessment is conducted, its primary inputs are established. The identification of information assets lays the foundation for all further assessment. Information assets are defined as the entities that hold organizational data. A useful discussion on www.ibm.com states that an organization's information assets closely reflect the nature of its business and its business strategy. Likewise, these information systems may be subject to contractual and legislative compliance requirements, which call for mission-critical systems to be protected from threats. The information assets of an organization comprise technology assets, data assets, service assets and people assets, and each needs an owner. In a typical organizational network, the owner of the server hardware is the server administration group, the owner of the applications running on the servers is the application support group, and the owner of the data stored on the servers is the system development group.

Questions That Need to Be Answered

The risk management process also involves the implementation of safeguards and controls that are continuously monitored. Risk management identifies information assets along with their weaknesses and prioritizes them by severity and business impact. This self-examination helps managers identify assets and rank their importance. Assets are not only systems; they also include people, hardware and software components.

Risk management also covers asset classification, that is, grouping the identified assets by their business impact. To classify and prioritize assets, the following questions need to be answered:

- Which asset is the most important or mission critical for the organization?
- Which asset generates profit for the organization?
- Which asset provides revenue for the organization?
- Which information asset has the highest replacement cost?
- Which information asset requires the most significant protection cost?
- Which information asset represents the most significant liability when breached?

Phases of Risk Assessment

The first phase of risk assessment is the investigation phase, which gathers information about the systems and resources in scope. Threats are prioritized before the assessment proper: the critical components are identified first so that the threats against them can be ranked. After prioritization, the scanner plug-ins relevant to those threats are selected and the scan is executed. This part of the assessment scans every open port on each system and checks for all known vulnerabilities that the selected plug-ins cover. Note that the scan reports only what the selected plug-ins test for, so the plug-in selection determines the coverage of the assessment, and a finding on an open port is not yet a risk until it is weighed against the value of the affected asset and the likelihood of the threat.

The next phase is the reporting of the findings extracted by the investigation phase. The findings are categorized by priority. The report lists the open ports and the number of vulnerabilities found at high, medium and low severity (Fenz, Ekelhart, & Neubauer, 2011). The report also includes host information: the NetBIOS name, DNS name and operating system. This phas
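As an added worked example (not code from the paper, and not tied to any particular scanner), the following Python script ties together the four measurements listed at the top of the excerpt and the investigation and reporting phases described above. It takes constructed scanner findings (host, open port, severity, title), the host details the report is expected to carry (NetBIOS name, DNS name, operating system), and an asset register holding value, threat probability, control effectiveness and protection cost; it then produces the prioritized report and a cost-benefit check for a proposed control. All host names, figures and findings are constructed, and the severity weights and the priority formula are assumptions made here, not taken from the paper.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed weights for turning scanner severities into a single exposure figure.
# Nothing in the paper fixes these values; they are an illustration only.
SEVERITY_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.1}


@dataclass(frozen=True)
class Asset:
    """One information asset: the four measurements from the paper plus the
    host details the report is expected to carry."""
    dns_name: str
    netbios_name: str
    operating_system: str
    owner: str                    # owning group (server administration, application support, ...)
    value: float                  # value of the information and system (replacement + liability)
    threat_probability: float     # probability the threat occurs in the assessment period, 0..1
    control_effectiveness: float  # share of the loss the current controls prevent, 0..1
    protection_cost: float        # cost of the additional control under consideration


@dataclass(frozen=True)
class Finding:
    """One scanner result from the investigation phase."""
    host: str       # DNS name of the scanned host
    port: int       # open port the finding was observed on
    severity: str   # "high", "medium" or "low", as reported by the scanner
    title: str


def expected_loss(asset, control_effectiveness=None):
    """Residual expected loss = value x threat probability x (1 - control effectiveness).
    Pass control_effectiveness to evaluate a proposed control instead of the current one."""
    eff = asset.control_effectiveness if control_effectiveness is None else control_effectiveness
    return asset.value * asset.threat_probability * (1.0 - eff)


def control_justified(asset, new_effectiveness):
    """A control is worth its protection cost only if the loss it removes exceeds that cost."""
    saving = expected_loss(asset) - expected_loss(asset, new_effectiveness)
    return saving > asset.protection_cost


def summarize_findings(findings):
    """Reporting phase: per host, the open ports and the number of findings per severity."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.host, {"open_ports": set(), "counts": Counter()})
        entry["open_ports"].add(f.port)
        entry["counts"][f.severity] += 1
    return report


def prioritize(assets, findings):
    """Rank assets by business impact weighted by scanner exposure, most urgent first.
    priority = expected_loss x (1 + sum of severity weights) is an assumed scoring rule."""
    summary = summarize_findings(findings)
    rows = []
    for a in assets:
        host = summary.get(a.dns_name, {"open_ports": set(), "counts": Counter()})
        exposure = sum(SEVERITY_WEIGHT[s] * n for s, n in host["counts"].items())
        rows.append({
            "dns_name": a.dns_name,
            "netbios_name": a.netbios_name,
            "operating_system": a.operating_system,
            "owner": a.owner,
            "open_ports": sorted(host["open_ports"]),
            "high": host["counts"]["high"],
            "medium": host["counts"]["medium"],
            "low": host["counts"]["low"],
            "expected_loss": expected_loss(a),
            "priority": expected_loss(a) * (1.0 + exposure),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample data: three hosts, all names and figures invented for this example.
ASSETS = [
    Asset("db01.example.test", "DB01", "Windows Server 2016", "server administration group",
          value=500_000, threat_probability=0.2, control_effectiveness=0.5, protection_cost=20_000),
    Asset("web01.example.test", "WEB01", "Ubuntu 18.04", "application support group",
          value=200_000, threat_probability=0.4, control_effectiveness=0.25, protection_cost=30_000),
    Asset("print01.example.test", "PRINT01", "Embedded Linux", "server administration group",
          value=5_000, threat_probability=0.5, control_effectiveness=0.0, protection_cost=4_000),
]

# Constructed scanner output; generic finding titles, not real advisories.
FINDINGS = [
    Finding("db01.example.test", 1433, "high", "Database service accepts unauthenticated connections"),
    Finding("db01.example.test", 445, "medium", "SMB signing not required"),
    Finding("db01.example.test", 3389, "medium", "Remote Desktop without network level authentication"),
    Finding("web01.example.test", 443, "high", "Outdated TLS library"),
    Finding("web01.example.test", 80, "medium", "Directory listing enabled"),
    Finding("web01.example.test", 22, "low", "SSH version banner disclosed"),
    Finding("print01.example.test", 9100, "high", "Unauthenticated raw print port"),
    Finding("print01.example.test", 515, "low", "LPD service enabled"),
]

if __name__ == "__main__":
    for row in prioritize(ASSETS, FINDINGS):
        print(f"{row['dns_name']:22} {row['netbios_name']:8} {row['operating_system']:20} "
              f"ports={row['open_ports']} H/M/L={row['high']}/{row['medium']}/{row['low']} "
              f"expected_loss={row['expected_loss']:.0f} priority={row['priority']:.0f}")
    for a in ASSETS:
        print(f"{a.dns_name}: additional control (90% effective) justified? {control_justified(a, 0.9)}")
```

With this data the print server carries a high-severity finding yet ranks last, because its value and expected loss are small; the proposed control on it also fails the cost-benefit check, since the loss it would remove is below its protection cost, while the same control on the database server is clearly justified. That is the point of combining the scanner output with the asset measurements rather than sorting the report by scanner severity alone.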
