Risk Management Risk Analysis Paper


The IT infrastructure of a communications company is very challenging; it has to support multiple services for internal and external customers. For internal users such as employees, it provides email, printing, and file and data storage. External users, the customers of the communications company, have a web interface that also provides email and data storage; however, this is a different segment of the IT infrastructure. Additionally, customers have access to account information and have the ability to pay their communications bill.
Scope, Goals and Objectives
The scope of the audit will include five core resources: the data, applications, technology, facilities and personnel. The goal of the audit is to evaluate and assess the five …

To effectively manage risk, there are four critical steps to the process. The first step is assessing the IT security, determining the risk and then performing risk management. The next is threat analysis, which evaluates the actual threats to the IT environment. The next is vulnerability analysis; this step focuses on identifying the vulnerabilities that exist in the environment. The last major step is risk assessment analysis; this is the step in which the entire process is used to determine the overall risk of the environment.
Several methods and processes can be used to perform risk management; the methodology that will be used for the communications company is NIST 800-30. It is a nine-step process that begins with identifying the systems in the environment; this is known as System characterization. The next step is the identification of potential weaknesses within the environment, better known as Threat identification. The third step is Vulnerability identification; this is the process in which the vulnerabilities or weaknesses that can be exploited are identified and …

This process first requires that all potential threats are identified. From there they are broken down into categories: Adversarial, Accidental, Structural and Environmental. After they are categorized they should be classified; generally this is done using a status of low, medium or high. This step focuses on the threat along with the likelihood of the threat occurring. This helps in assessing risk by determining how likely a threat is to occur, thus increasing or decreasing the risk to the IT