Security Risk Assessments
ISSC361: IT Security: Information Assurance
Professor Jenelle Davis
Risk assessments are an extremely important part of any good and complete security plan. For budget reasons, certain aspects of a security plan may be minimized, but the risk assessment can never be one of them. A risk assessment not only helps protect a business’s most important resource, its employees; it is also needed for compliance with certain state and federal laws. For example, the law compels business owners with 5 or more employees not only to have a risk assessment done but also to keep a record of the assessment. Eliminating risks can be as simple and straightforward as marking wet floors or properly marking exit doors. Laws do not require a business to eliminate all risks, which is an impossible task. The law only requires that reasonable steps be taken.
A risk assessment by definition is “the process of determining the likelihood that a specified negative event will occur” (investopedia.com). A number of different types of events can occur, everything from a natural disaster to a software or hardware glitch in a company’s network. Even the smallest unwelcome event can cause major problems and cost companies enormous amounts of money. Security and risk assessments are proactive, and unfortunately too many individuals will only react after the damage is already done. It would be advantageous for business owners to act before it is too late.
A risk assessment is not meant to put unnecessary fear into anyone or persuade them to do something they don’t want to do. It is meant only to make them aware of what can happen if the proper steps are not taken to protect their investment. In addition, a number of business owners think that having an assessment done is overly complicated and difficult. Because of this misunderstanding, a risk assessment will normally be ignored,...