Good Essay On Risk Consultant

APUS

ISSC363
It is important to eliminate risks in an organization to the extent that it does not severely affect the entirety or essential components of functioning of the organization. Changes in the landscape of information have resulted in more novel non-traditional risks to both the individuals as well as organizations. Such risks have already found their place in the warfare arena, in which nations are struggling to locate from a kinetic to an amorphous cyber landscape. All such changes are increasing the importance of privacy and security. Intelligibly, there has been a proportionate increase in the necessity for requirements in order to identify the risks in the information systems. It is evident from the numerous laws and regulations that have been incorporated in the recent times. The laws place a certain level of security and privacy controls over sensitive data. Hence, information security risk assessment refers to the process of identifying risks.
Risk assessment is a systematic, procedural approach for evaluating risk. It is the process of estimating the probability of the occurrence of risk and the consequence of such risk. It is a fundamental constituent of an effective and efficient risk management program. A risk management program is a principal management tool that consists of risk assessment and risk control. Risk assessment refers to the component that gathers data, while risk control refers to the application of the evaluation of risk assessment (Wilhelmsen C and Ostrom T, 2012). Knowing the exposure of an organization to the possible dangers is an essential step that requires completion prior to attempting to prioritize or implement the safeguards and controls to protect the organization.
Possessing knowledge about risk assessment ensures that controls, and ultimately the expenditures required in implementing and supporting the controls are proportionate to the risk exposed to, by the assets of the organization. Thus, if the assessment shows that there is a greater risk to one asset; it demands for greater protection and application of resources to the specific asset versus an asset that has the possibility of lower risk. It not only allows the organization to provide an appropriate level of security, but also helps in determining the acceptable level of risk willing to undertake by the organization depending upon the expenditure or effort involved in the application of the safeguard or control. As an information security professional, it is crucial to understand the criticality of performing an information security risk assessment. Obviously, it makes a good sense to perform an assessment, but ultimately, it is one of the most effective tools for justifying the necessary activities of management.
Furthermore, it helps to answer other people in the organization who might question the necessity for security requirements or expenditures. Depending on the applied framework and implemented approach, there is a substantial need for the involvement of manpower and resources in performing an effective and efficient information security risk assessment. Thus, at one time or the other, the risk consultant would need to explain the necessity for performing a risk assessment activity and ultimately, the budget required to complete the risk assessment depending upon the person questioning about the need to perform the risk assessment (Mark R, Talabis and Jason L, 2013).

The critical areas to assess as well as identify the possibility of risks are as follows:

Threats: Identifying possible information that leads to security threats. Such threats are sources, events, actions or inactions potentially leading to harmful consequences of the information security assets of the organizations .
Vulnerabilities: Identifying vulnerabilities that have a possibility of exploitation by the threats identified by the risk consultant. The existence of vulnerability is a major contributing factor that assists in calculating the probability of occurrence of risk. If an asset has a vulnerability that can be exploited by a threat, then the risk to such asset is much higher when compared to an asset that does not have the same vulnerability .
Assets: Risk assessment comprehends all the critical assets of the organization, which have a direct impact on the confidentiality, integrity and availability of the information resources belonging to the organization .
Impact: Impact is a typically harmful outcome of a threat applied to an asset. It is one of the primary components for computing a risk rating in an organization .
Likelihood: Likelihood is the probability that a threat would exploit a vulnerability to affect an asset. Together with impact and control maturity, likelihood is a primary component that helps in determining a risk rating for an asset .
Having a thorough understanding of risk gives the ability to react quickly and focus the efforts on protecting the essential peace of an organization. Hence, normal operations might still continue while assessing, identifying, quarantining or controlling the problem that has already occurred within the organization. It is not possible to eliminate the risk completely; however, effective measures set in place to react to the risks help to protect an organization from the risks.

References

Ostrom, L. T., & Wilhelmsen, C. A. (2012). Risk Assessment: Tools, Techniques, and Their Applications. Somerset, NJ: John Wiley & Sons.
Talabis, M., & Martin, ‎. (2013). Information Security Risk Assessment Toolkit: Practical Assessments Through Data Collection and Data Analysis. Syngress Publishing.