The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The following are the common steps that should be taken to perform a security risk assessment. These are just basic common steps which should not be followed as is but modified based on organization assessment scope and business requirements.

• Identify the business needs of the assessment and align your requirements with business needs.
• Assess the existing security policies, standards, guidelines and procedures for adequacy and completeness.
• Review and analyze the existing assets threats and vulnerabilities
• Analyze the impacts and likelihood of threats and vulnerabilities on assets
• Assess physical controls to network and security infrastructure
• Assess the procedural configuration review of network and security infrastructure based on existing policies and procedures
• Review logical access and physical access and other authentication mechanism
• Review the level of security awareness based on current policies and procedures
• Review the security controls in service level agreement from vendors and contractors
• At the end of review develop a practical recommendations to address the identified gaps in security controls

To address the existing gaps in infrastructure we have to select the appropriate countermeasures to address the vulnerability or thwart a threat of attack. Four types of techniques are used by countermeasures:

Deterrent controls reduce the likelihood of an attack. Blocking phishing sites at ISP is an example of deterrent control
Preventive controls reduce exposure. Firewall is an example of preventive control
Corrective controls reduce the impact of successful attacks. Antivirus is an example of corrective control
Detective controls discover attacks and trigger preventive or corrective controls. IDSs and SIEM systems are example of detective control.