A Risk Analysis is often confused with Vulnerability Management and Penetration Testing. A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.
Many factors are considered when performing a risk analysis: asset, vulnerability, threat and impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to a specific bug.
The analyst would first look at the vulnerable server, where it sits in the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed, has a much different risk posture than a customer-facing web server that stores credit card data. A vulnerability scan does not make these distinctions. Next, the analyst examines threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if someone acquired cardholder data?
A risk analysis will have a final risk rating with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether to implement them.
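The two-server comparison above, worked as an added example that is not part of the original article: the same Heartbleed finding is rated with a simple ordinal likelihood-times-impact matrix, before and after mitigating controls. The scales, thresholds, sample assets, threat profiles and controls are all assumptions constructed for illustration, not a method the article prescribes.

```python
from dataclasses import dataclass

# Scales, thresholds and sample data are constructed for illustration only.
@dataclass
class Asset:
    name: str
    internet_facing: bool
    data_sensitivity: int  # 0 none, 1 internal, 2 PII, 3 cardholder data

@dataclass
class Threat:
    name: str
    capability: int  # 1 low .. 3 high
    motivation: int  # 1 low .. 3 high

@dataclass
class Control:
    name: str
    likelihood_cut: int = 0  # ordinal steps removed from likelihood
    impact_cut: int = 0      # ordinal steps removed from impact

def clamp(value):
    return max(1, min(4, value))

def rating(likelihood, impact):
    score = likelihood * impact  # 1..16
    return "Critical" if score >= 12 else "High" if score >= 8 else "Medium" if score >= 4 else "Low"

def analyze(asset, threat, controls=()):
    # Likelihood: network exposure plus the threat actor's profile.
    actor = (threat.capability + threat.motivation) // 2
    likelihood = clamp((2 if asset.internet_facing else 0) + actor - 1)
    # Impact: driven by the data the asset stores.
    impact = clamp(asset.data_sensitivity + 1)
    residual_l = clamp(likelihood - sum(c.likelihood_cut for c in controls))
    residual_i = clamp(impact - sum(c.impact_cut for c in controls))
    return {"asset": asset.name, "threat": threat.name,
            "inherent": rating(likelihood, impact),
            "residual": rating(residual_l, residual_i)}

# The same scan finding (Heartbleed) on two very different assets.
internal = Asset("isolated internal server", internet_facing=False, data_sensitivity=0)
web = Asset("customer-facing web server", internet_facing=True, data_sensitivity=3)
insider = Threat("insider", capability=2, motivation=1)
crime = Threat("organized crime", capability=3, motivation=3)
controls = [Control("patch the vulnerable library", likelihood_cut=2),
            Control("tokenize stored card data", impact_cut=1)]

if __name__ == "__main__":
    for result in (analyze(internal, insider), analyze(web, crime, controls)):
        print(result)
```

The inherent rating is what the analyst reports for the finding in context; the residual rating is what a business manager weighs when deciding whether to fund the controls.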
What This Means for Your Business
Locate Sensitive Data Across Networks and Workstations
Sensitive data left exposed on systems poses a great risk to your business. Often, companies amass large amounts of sensitive personally identifiable information (PII), including social security numbers, driver’s license numbers, credit card information, and more in dispersed persistent storage. SecurityRI.com Intelligence roots out sensitive data and potential vulnerabilities no matter where they are stored, providing actionable insights for sensitive data protection so you can mitigate the risk.
Reduce the Risk of Multiple Sources of Attacks
Beyond identifying at-risk data, SecurityRI.com Risk Intelligence points out the vulnerabilities that could lead to a data breach. Whether a customer’s biggest risks come from email or from malicious web downloads, SecurityRI.com Risk Intelligence will help you tighten your business security, where you need it most.