When performing a risk assessment, it's important to be familiar with the following terms.
Single Loss Expectancy (SLE) - This is the financial cost of loss if a one-time or single event occurs within the organization.
An example of an SLE is a company asset such as a smartphone worth $500 (Asset Value = $500).
Annualized Rate of Occurrence (ARO) - This is the likelihood that an event will occur within a year.
For example, in some countries there is heavy rainfall during certain times of the year. Organizations with buildings in flood-prone areas need to consider how often flooding will occur each year.
Annual Loss Expectancy (ALE) - The Annual Loss Expectancy is ARO x SLE.
An example is the loss of 4 company-owned smartphones per year (ARO = 4) x $500 (SLE) = $2000.
Risk Register - The Risk Register records the risks associated with each step of a project within an organization.
The Risk Register also helps us determine a solution for each identified risk at each step of the project, and lets us monitor whether or not the solution fixes the issue.
Supply Chain Assessment - A supply chain assessment helps us evaluate the process used to get a product or service from a service provider.
It is used to identify any areas of the process which require improvement.
The supply chain assessment also assesses any IT-related systems which are used to support the process and its operations.
In a Quantitative Risk Assessment, a financial or monetary value is mapped to each specific risk.
In a Qualitative Risk Assessment, the aim is to assign solid values to each risk factor within the organization.
It's important that a security professional performs testing on the company's assets, such as servers and network devices, since servers usually store important data such as financial records and personal details about users.
Keep in mind that the vulnerability scanning tools used to identify security weaknesses may be intrusive and aggressive.
A security professional may also perform a penetration test on the company's network; a pentest is likewise intrusive and aggressive, so it's important that the security professional obtains legal permission prior to the testing phase.
Accept - The organization understands the risk involved in their processes or procedures and accepts it.
Transfer - In transference, the risk is transferred to a 3rd party to handle and manage the risk on behalf of the organization.
Avoid - Avoidance means the organization stops all activities that create the risk.
Mitigate - Mitigating risk is where the organization puts systems in place to prevent the risk from occurring.
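As an added example (not part of the original notes), the SLE, ARO and ALE figures above applied to a small risk register, ranked by ALE and tagged with a risk response. The register entries are constructed sample data; `mitigation_net_benefit` is a hypothetical extension that goes one step beyond the notes by weighing a control's yearly cost against the ALE it removes.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of a risk register (constructed example, not from the notes)."""
    name: str
    sle: float      # Single Loss Expectancy: cost of one loss event, in dollars
    aro: float      # Annualized Rate of Occurrence: expected events per year
    response: str   # chosen response: accept, transfer, avoid or mitigate

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = ARO x SLE
        return self.aro * self.sle

RESPONSES = {"accept", "transfer", "avoid", "mitigate"}

def risk_register(risks):
    """Validate each entry's response and rank the register by ALE, highest first."""
    for r in risks:
        if r.response not in RESPONSES:
            raise ValueError(f"{r.name}: unknown response {r.response!r}")
    return sorted(risks, key=lambda r: r.ale, reverse=True)

def mitigation_net_benefit(risk, aro_after, annual_control_cost):
    """Annual saving from a mitigation minus its yearly cost (hypothetical
    extension beyond the notes): a control pays for itself only when positive."""
    ale_after = aro_after * risk.sle
    return risk.ale - ale_after - annual_control_cost

# Constructed sample register; the smartphone figures match the notes' example.
SAMPLE_RISKS = [
    Risk("Lost company smartphones", sle=500, aro=4, response="mitigate"),
    Risk("Server room flooding", sle=250_000, aro=0.25, response="transfer"),
    Risk("Cafeteria vending machine outage", sle=200, aro=2, response="accept"),
]

if __name__ == "__main__":
    for r in risk_register(SAMPLE_RISKS):
        print(f"{r.name:<35} SLE=${r.sle:>9,.0f} ARO={r.aro:<5} "
              f"ALE=${r.ale:>9,.0f} -> {r.response}")
    phone = SAMPLE_RISKS[0]
    # A device-management control cutting losses to 1 phone per year at $600/year:
    print("net benefit:", mitigation_net_benefit(phone, aro_after=1, annual_control_cost=600))
```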