Found an interesting article at Intel's blog, which digs into the ever-so-necessary evil of performing a risk assessment. As Brian Willis, the author of the piece, states, no one ever wakes up in the morning thinking, "What a great day, I think I'm going to do a risk assessment."
At best, risk assessments are painful, which is why it is so important to ask these three initial questions before embarking on a comprehensive risk assessment.
Question 1: Identify what question you are trying to answer. While this may seem overly simplistic, it is actually more like throwing down bread crumbs so you can find your way out of the thicket. A risk assessment can get very complex very fast, and the answer to this question can help keep you on the straight and narrow path.
Question 2: What is the scope of the risk assessment? This establishes the boundaries of the risk assessment and prevents it from becoming an exercise without end. The more specific you can be in answering this question, the better, but make sure the scope is still broad enough to answer the first question.
Question 3: Who should be involved in the risk assessment? This means incorporating the right experts and personnel so that the results are credible, but also considering the mix of personalities so that, once a consensus is built, the answers are easily disseminated and adopted.
While these three questions might seem overly simplistic, it's worth noting that while I've often heard of risk assessments that quickly turn bad, I've never heard of a risk assessment that starts out bad and turns good.
Tag: risk assessment, security