Risk Assessment#

Performing a risk assessment is crucial for applying security by design. Without a risk assessment you waste time, effort and resources. There is no point implementing security measures to defend against events if you do not know if they are relevant for your situation.

You must understand the value, importance, and sensitivity of your information that is involved in your new product. Vulnerability assessment is a key factor in security.

Following a risk management approach will help you identify other scenarios that could occur in your organisation.

Not all information should be treated equally. Some information is more valuable or sensitive, requiring a greater level of protection.

A typical risk assessment consists of collecting a lot of information. Information that is typically needed for a good risk assessment is:

  • Security requirements and objectives.

  • System or network architecture and infrastructure, such as a network diagram showing how assets are configured and interconnected.

  • Information available to the public or accessible from the organization’s web site Physical assets, such as hardware, including those in the data centre, network, and communication components and peripherals (e.g., desktop, laptop, PDAs)

  • Operating systems, such as PC and server operating systems, and network management systems

  • Data repositories, such as database management systems and files

  • A listing of all applications

  • Network details, such as supported protocols and network services offered

  • Security systems in use, such as access control mechanisms, change control, antivirus, spam control and network monitoring

  • Security components deployed, such as firewalls and intrusion detection systems

  • Processes, such as a business process, computer operation process, network operation process and application operation process

  • Identification and authentication mechanisms

  • Government laws and regulations pertaining to minimum security control requirements

  • Documented or informal policies, procedures and guidelines

Doing a risk assessment (RA) is time consuming and often expensive. But you must do it. At least once. Since the only certainty is continuous change: It is very important to repeat your risk assessment on regular intervals. This is a must do from your security management plan. And the only way to stay in control.


Document your result in a simple way for reuse! Use a simple tool to harvest the result of your risk assessment. In this way you can easily reuse your effort for the next time. Use e.g. a simple sheet to save and compare your results over time.

Try to automate and reuse collected information from previous assessments easier and generate information where and whenever possible.