Now that we have developed our lists of threats and vulnerabilities, and developed our rules on how we measure likelihood and impact, we are able to analyze risk. We will use the following risk assessment matrix utilizing the likelihood and impact rules developed previously:
We will take the threat and vulnerability pairs table that we developed previously and include the likelihood, impact, and risk ratings from the preceding table:
Now that we have completed the risk assessment table, the priorities have surfaced clearly, and we have a definite order in which to address risk:
- High risk:
  - Development and test servers have been placed on the internet and forgotten
- Medium risk:
  - No mechanism for privileged access management exists
  - Single provider for internet access is utilized
  - Storage mechanisms utilized are not redundant
- Low risk:
  - No mechanism exists to monitor user behavior on the information system
  - Wet pipe sprinkler in data center