What steps does a risk assessment consist of?

1. Asset identification and valuation: identify all assets within the scope of the assessment and estimate the magnitude of loss that their destruction would cause; each asset is then assigned a relative value according to that potential harm and loss. Assets include hardware, software, services, information and personnel.

2. Threat identification and valuation: analyse how often each threat faced by the assets occurs; threats include environmental factors and human factors.

3. Vulnerability identification and valuation: discover and identify vulnerabilities from both the management and the technical side, and assign each one a value according to the damage the assets would suffer if a threat exploited it.

4. Risk value calculation: analyse the data gathered in the steps above to calculate risk values, identify and confirm the high risks, and propose rectification measures for the security risks found.

5. Based on the results of the risk assessment, the assessed unit can prevent and resolve information security risks, or control them at an acceptable level, which provides a scientific basis for maximizing network and information security.
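Steps 1 to 4 above (value the assets, threats and vulnerabilities, then combine them into ranked risk values) as a runnable illustration. This is an added example, not code from the original answer or from any particular standard: the 1..5 scales, the two-stage combination (likelihood from threat frequency and vulnerability severity, impact from asset value and vulnerability severity, risk as their product), the high/medium/low thresholds and the sample assets, threats and vulnerabilities are all assumptions chosen for the demonstration.

```python
"""Risk value calculation over constructed sample data (added example; the
scales, combination rule, thresholds and sample entries are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1, 5   # assumed 1..5 ordinal scale for every valuation


def _check_scale(name: str, value: int) -> None:
    # Reject out-of-scale values early, so a typo in an assessment worksheet
    # cannot silently inflate or hide a risk.
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in {SCALE_MIN}..{SCALE_MAX}, got {value!r}")


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str      # hardware, software, service, information or personnel
    value: int     # magnitude of loss if the asset is destroyed or compromised

    def __post_init__(self) -> None:
        _check_scale("asset value", self.value)


@dataclass(frozen=True)
class Threat:
    name: str
    source: str      # "environmental" or "human"
    frequency: int   # how often the threat is expected to occur

    def __post_init__(self) -> None:
        _check_scale("threat frequency", self.frequency)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    domain: str     # "management" or "technical"
    severity: int   # damage to the asset if a threat exploits it

    def __post_init__(self) -> None:
        _check_scale("vulnerability severity", self.severity)


@dataclass(frozen=True)
class Exposure:
    """One (asset, threat, vulnerability) triple found during identification."""
    asset: Asset
    threat: Threat
    vuln: Vulnerability


def _mean_half_up(a: int, b: int) -> int:
    return (a + b + 1) // 2   # integer mean with .5 rounded up (no banker's rounding)


def likelihood(threat: Threat, vuln: Vulnerability) -> int:
    """Assumed: chance the threat becomes an incident, from frequency and severity, 1..5."""
    return _mean_half_up(threat.frequency, vuln.severity)


def impact(asset: Asset, vuln: Vulnerability) -> int:
    """Assumed: loss if the incident happens, from asset value and severity, 1..5."""
    return _mean_half_up(asset.value, vuln.severity)


def risk_value(exposure: Exposure) -> int:
    """Risk = likelihood x impact, giving 1..25 under the assumed scales."""
    return likelihood(exposure.threat, exposure.vuln) * impact(exposure.asset, exposure.vuln)


def risk_level(value: int) -> str:
    # Thresholds are an assumption; an organization derives them from its risk appetite.
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def assess(exposures: List[Exposure]) -> List[Dict[str, object]]:
    """Rank every exposure by risk value, highest first: the 'high' rows at the
    top are the ones that need rectification measures first."""
    rows = []
    for e in exposures:
        v = risk_value(e)
        rows.append({"asset": e.asset.name, "threat": e.threat.name,
                     "vulnerability": e.vuln.name,
                     "likelihood": likelihood(e.threat, e.vuln),
                     "impact": impact(e.asset, e.vuln),
                     "value": v, "level": risk_level(v)})
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed sample data for a small assessment scope (not a real assessment).
SAMPLE_EXPOSURES = [
    Exposure(Asset("customer database", "information", 5),
             Threat("SQL injection by external attacker", "human", 4),
             Vulnerability("unparameterised queries in web app", "technical", 5)),
    Exposure(Asset("office file server", "hardware", 3),
             Threat("power failure", "environmental", 2),
             Vulnerability("no UPS or backup power", "technical", 3)),
    Exposure(Asset("HR records", "information", 4),
             Threat("insider misuse of access", "human", 2),
             Vulnerability("no periodic access review procedure", "management", 2)),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_EXPOSURES):
        print(f'{row["level"]:6} {row["value"]:2}  {row["asset"]} / {row["threat"]} / {row["vulnerability"]}')
```

The point of the example is the shape of step 4: each valuation is validated against the agreed scale before it is combined, likelihood and impact are computed separately so an assessor can see which factor drives a score, and the output is an ordered list rather than a bare number, because the deliverable of this step is the set of confirmed high risks and the order in which to rectify them.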

Extended Information

The operational scope of risk assessment can be the entire organization, or a department in the organization, or independent information systems, specific system components and services.

Factors that shape how a risk assessment proceeds, including its timing, intensity, scope of rollout and depth, should be tailored to the organization's environment and security requirements. Organizations should choose the appropriate risk assessment approach for each situation. The three approaches commonly used in practice are the baseline, detailed and combined assessments.

The main tasks of a risk assessment include: identifying the various risks faced by the assessment object; assessing the probability of each risk and its possible negative impact; determining the organization's capacity to bear the risk; determining the priority of risk mitigation and control; and recommending risk mitigation measures.

Baidu Encyclopedia - Risk Assessment

Baidu Encyclopedia - Security Risk Assessment