Security Risk Assessments provide vital insight into your organization's security gaps, vulnerabilities and, most importantly, strengths. Rather than dive too deeply into the technical structure and methodology of a comprehensive Security Risk Assessment, we offer this brief and mostly non-technical article to break down its basic components.
Recognize – more commonly stated as "identify the hazards or risks." Before you can really do that, you need to know and understand the difference between a hazard and a risk. A hazard is "something" with the potential to cause harm to you, your organization, your employees or your reputation. A risk is the "likelihood" of that harm actually happening.
Impact – more commonly known as deciding who is going to be harmed and how. Who's going to feel it, and how is it going to happen? It's almost like trying to figure out whether or not it was the butler in the den with the candlestick ... for those who appreciate a good game of Clue.
Bump – So you've recognized the hazards and risks and you've figured out where the impact is going to be. Now what? Now you have to protect it, or at least put some form of management or control in place to either slow it down or stop it completely from happening and affecting you. This is the virtual, or very much physical, speed bump.
Note it – Write it down, digitally record it, take pictures, tell a few people. Do whatever you need to in order to record it. Why? Because you want to monitor your success. You want to know that the bump you've put in place is working, or that it needs to be re-recognized because the impact may have changed. It's also due diligence. You can show that you knew there is or was something that raised a level of concern, that you thought about it, did something about it and continue to watch it.
Recognize it again – Plan the work. Work the plan. Once you've done the assessment, you need to do it again. You need to understand what is working, what has changed, what is new and what you are doing about it.
This article is meant to serve as a high-level awareness tool. Unfortunately, it doesn't remove the complexities of your operation or the complexities of the security risk assessment. But boiling it down to its barest components allows you to understand the various phases or steps taken during a security risk assessment. It's important to note and understand that each of these components can be expanded or contracted as necessary, so that each may contain a myriad of steps or sub-components.
Nevertheless, it all falls back to these high-level principal components.