Organizations that handle or manage information assets that present significant risk and/or are subject to regulatory requirements (e.g., PCI, NERC, HIPAA, SOX) can benefit from implementing a Risk Management Program and conducting formal risk assessments. A risk assessment is a process intended to formally determine which information resources exist that require protection, and to understand and document the potential risks from IT-related threats that may cause unacceptable (negative) business impact in terms of the loss of information confidentiality, integrity, or availability. The purpose of a risk assessment is to help management create appropriate strategies and controls for the stewardship of information assets.
Risk Assessments have grown in importance over the last few years as most major frameworks (e.g., COBIT, 27001, OWASP) and many laws/regulations (e.g., HIPAA, PCI-DSS) mandate a Risk Assessment. There is a wide variety of commonly used Risk Assessment methodologies, including OCTAVE, OCTAVE-S, NIST, NZ-AST4360, and ISO-27005. OCTAVE is the most comprehensive but can be challenging. NZ-AST and 27005 are highly similar and are generally the easiest to leverage, especially if you use 27005's approach of defining information and procedures as the Assets and the systems, facilities, and networks as sub-assets. While quantitative Risk Assessments are alluring, the challenges of establishing probabilities and calculating impact costs across multiple criteria drive us to favor qualitative risk assessment.
Critical to good Risk Assessment practice is tightly defining the scope and context of the Risk Assessment. We favor defining the scope formally in a Security Data Flow Diagram (SDFD) and then conducting the Risk Assessment against the SDFD, leveraging a process/information-based risk approach at each point in the SDFD. This approach shortens the time needed to conduct the risk assessment by focusing the risk assessment sessions, and it significantly decreases the possibility of a key risk being missed.