This section addresses the first step in the process component of the Information Security Framework, "Assess the risks". It covers the following areas:
- Preparing for the assessment
- Conducting an inventory
- Classifying information
- Assessing and quantifying the risk to the business using the Simple Risk Model
One important point to note: the risk assessment process for information security is not unique. It is essentially the same process used in business continuity and disaster recovery planning (often called a Business Impact Assessment or BIA), in a SOX 404 assessment of the processes and technology that ensure the integrity of financial data, in an assessment of operational risk under Basel II, or in the process a building security unit follows to prevent a terrorist attack. All of these are part of operational risk, defined (in the Basel II sense) as "[t]he risk of loss resulting from inadequate or failed internal processes, people and systems or from external events" (external events being, for example, fires, storms or earthquakes). The same risk calculation applies to each of the individual disciplines, information security included.
As a result, the approach on this site is to use risk assessment principles that apply across the whole operational risk spectrum, so that the information security officer can draw on the work, data and resources already developed in those other disciplines rather than building a separate process from scratch.