What is the Risk?
Risk is a function of the likelihood that a given threat-source exercises a particular potential vulnerability, and of the resulting impact of that adverse event on the organization. To minimize that impact, a risk assessment is performed so that the security of all your assets can be maximized.
The Risk Assessment
Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system throughout its SDLC (Systems Development Life Cycle).
OpenVAS and OWASP ZAP support
Import an entire OpenVAS or OWASP ZAP network scan report to retrieve all the information about your previously defined network and continue the risk assessment process. You can even import a single-resource scan report while defining an asset, adding even more information to your risk assessment.
Learn the nine steps of the NIST 800-30 Framework risk assessment before proceeding.
Step 1: System Characterization
You define all the assets, resources and information that constitute your system (e.g. hardware, software, system connectivity, and the responsible division or support personnel).
Step 2: Threat Identification
You identify the potential threat-sources and compile a threat statement listing the potential threat-sources that are applicable to the IT system being evaluated (e.g. a computer criminal who might hack your system).
Step 3: Vulnerability Identification
You define a list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources (e.g. your router firmware has a bug that allows unauthorized users to gain root access).
Step 4: Control Analysis
In this step you analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat exercising a system vulnerability (e.g. the currently installed firewall prevents unauthorized access from outside the organization).
Step 5: Likelihood Determination
The objective of this step is to derive, from the previous considerations, a likelihood rating score for each vulnerability (e.g. after all your considerations and research, you estimate that a hard drive can fail once every two years, so you give it a score of 0.5 out of 1.0).
Step 6: Impact Analysis
The objective is to determine the adverse impact resulting from a successful threat exercise of a vulnerability (e.g. after all your considerations and research, you estimate that a hard disk failure means losing some of your data, so you give it a score of 8 out of 10).
Step 7: Risk Determination
The purpose of this step is to assess the level of risk to the IT system using the likelihood scores and impact scores you provided in the previous steps.
Step 8: Control Recommendation
During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level (e.g. you might want to buy a backup disk or set up RAID redundancy, so you suggest it in your report as a recommended control).
Step 9: Results Documentation
The final report summarizes all the threats, vulnerabilities, controls and risk scores defined in the previous steps. The report should be given to your CISO.
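The following is an added example (not code from the page or the product it describes) showing how steps 5 to 7 fit together: each finding carries the likelihood (0.0 to 1.0) and impact (0 to 10) scores from steps 5 and 6, step 7 combines them into a risk score and level, and the findings are ranked for the report. The multiplicative score and the High/Medium/Low bands follow the risk-level matrix of the original NIST SP 800-30, rescaled to the page's ranges; the exact thresholds and the sample findings are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability carried through steps 5 (likelihood) and 6 (impact)."""
    asset: str
    vulnerability: str
    likelihood: float  # step 5 score, 0.0 .. 1.0
    impact: float      # step 6 score, 0 .. 10


def risk_score(likelihood: float, impact: float) -> float:
    """Step 7: likelihood x impact, as in the NIST SP 800-30 risk-level matrix.
    Ranges are validated so a mistyped score cannot silently rank a finding."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood {likelihood} outside 0.0..1.0")
    if not 0.0 <= impact <= 10.0:
        raise ValueError(f"impact {impact} outside 0..10")
    return round(likelihood * impact, 2)


def risk_level(score: float) -> str:
    """Map a 0..10 score to a risk level. Assumed thresholds: the NIST matrix's
    >50 (High) and >10 (Medium) bands on a 0..100 scale, rescaled to 0..10."""
    if score > 5.0:
        return "High"
    if score > 1.0:
        return "Medium"
    return "Low"


def determine_risk(findings: list[Finding]) -> list[dict]:
    """Attach score and level to every finding and rank highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({"asset": f.asset, "vulnerability": f.vulnerability,
                     "score": score, "level": risk_level(score)})
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample findings; the hard-drive values are the ones the page uses.
SAMPLE_FINDINGS = [
    Finding("file server", "hard drive failure, no backup", 0.5, 8),
    Finding("edge router", "firmware bug allows root access", 0.1, 10),
    Finding("workstation", "outdated browser plugin", 0.9, 3),
]

if __name__ == "__main__":
    for row in determine_risk(SAMPLE_FINDINGS):
        print(f"{row['level']:<6} {row['score']:>4}  {row['asset']}: {row['vulnerability']}")
```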