Information Security Risk Assessment Practices Of Leading Organisations



What are the best approaches for implementing information assurance principles? Where do you see the most areas for improvement to current protocols and policies?



Risks to information systems have existed for a long time, whether from malicious actions, unintentional user errors, man-made causes or natural disasters. Today organisations have become more exposed to these hazards because computers are more interconnected, which has increased both interdependency and accessibility among a large number of users. Another factor affecting information security is the tremendous growth and spread of computer knowledge: as the number of computer users has grown, so has interest in hacking, which can easily be learnt via the internet. One of the main reasons information security is needed is that most systems have been automated while security programme management has not developed at the same pace (Robert Huggett, Aleksey Poryadin, Peter Robertson, 1998).

In this report we study the effect of risk assessment in a multinational oil company that manages operations in over 30 countries with varying levels of risk. Safety and security concerns are the main criteria for the smooth conduct of business in an automated oil company, and risk assessment is therefore the appropriate process. The company used a comparatively streamlined, mostly qualitative procedure to evaluate information security risk. A headquarters-level risk management director, accountable for security risk assessments, was the focal point of the risk assessment programme. The policy defined steps for examining potentially harmful situations and relied on a number of standard tools, including software developed in-house, to gather and analyse data and produce reports.

Initiation of the Risk Assessment

Risk assessments are carried out according to company policy before any major change in a facility or process, after any security breach has occurred, or whenever a new risk has been identified. Company guidelines specify that the manager of a project or area of operations must notify the regional security co-ordinator of the need for a security assessment; the notification is then passed on to the central security co-ordinator. The business manager is primarily responsible for initiating a risk assessment, but the central co-ordinator also has a duty to routinely review the main budget and project documents in order to identify operational areas that might need a risk assessment (Jack L. Brock, 1999).

Conduct And Documentation Of The Assessment

The risk assessment process is divided into three distinct stages: planning and preparation, risk assessment activities, and report development.

Preparation and planning

Once a risk assessment notification has been received, the central co-ordinator works with senior executives in the organisation to develop an implementation plan. The plan covers the objectives and scope of the assessment, the size and composition of the team, and the information required to conduct the assessment. The final plan must be endorsed by the business unit. The risk assessment team is multidisciplinary and usually consists of 5 to 8 individuals; sometimes it also includes outsiders such as consultants. Senior managers select the team with the approval of the central co-ordinator. The team leader is never selected from the unit being assessed; in fact, no specialist is drawn from the business unit in question, and its staff are only interviewed to obtain essential information on security issues. These interviews are vital to the assessment, so developing the interview questions is an important part of planning and requires close co-ordination between the business unit manager and the chief controllers. Everyone from senior executives to safety experts and even service staff is interviewed (Executive Order 12958, 2000).

To ensure that all possible threats are considered in an assessment, the corporation has established a separate business unit that develops and maintains threat data for use by the whole corporation, including the risk assessment teams. This unit collects data from internal and external sources and produces a baseline threat report that categorises the probable threats from outsiders and insiders, as well as threats arising from the systems themselves. Before the assessment begins, the central co-ordinator gives each team member an information package containing a copy of the agreed implementation plan, the assessment schedule, the business unit's previous risk assessment report (if any), threat data, the risk assessment methodology and the interview questions. These materials reduce the amount of training the assessment team needs (Te Tari Taiwhenua, 2014).

Assessment activity

The main emphasis of this stage is gathering and analysing data on threats and possible vulnerabilities, and identifying optional actions to reduce the risks identified. The first step is to interview knowledgeable individuals in the business unit. The interview responses are used to develop scenarios of probable undesirable and damaging events. In one such scenario an employee who was struggling financially was driven to sell highly confidential company information to outsiders. Once the scenarios are created, the team ranks the severity of each scenario on a four-level scale, the highest being loss of life and the lowest being minor system or environmental damage. The scenario above was a level 2, denoting loss of proprietary information or major system or environmental damage (Risk Assessment Special Interest Group (SIG), 2012).

Development of report

After the team develops corrective actions, it prepares a report in the form of an exit brief. This report indicates which risk scenarios need immediate attention and which corrective actions can be implemented later. The recommendations are monitored by the central co-ordinator until they have been fully implemented, at which point the risk assessment and mitigation work for the business unit is concluded (Ming-Chang Lee, 2014).


Executive Order 12958. (2000, August 23). Classified National Security Information. Retrieved from:

Jack L. Brock. (1999). Information Security Risk Assessment Practices of Leading Organisations. A Supplement to GAO's May 1998, 45.

Ming-Chang Lee. (2014). International Journal of Computer Science & Information Technology. Information Security Risk Analysis Methods and, 29-45.

Risk Assessment Special Interest Group (SIG). (2012). PCI DSS Risk Assessment. PCI Security Standards Council, 23.

Robert Huggett, Aleksey Poryadin, Peter Robertson. (1998). Environmental Risk Assessments of Oil and Gas Activities. A Report of the Oil and Gas Risk Assessment Subgroup of the Gore, 131.

Te Tari Taiwhenua. (2014). Risk Assessment Process. Information Security, 22.
