Page 165 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
so on)
Equipment failure
Physical theft
Social engineering
In most cases, a team rather than a single individual should perform risk assessment and analysis. Also, the team members should be from various departments within the organization. It is not usually a requirement that all team members be security professionals or even network/system administrators. The diversity of the team based on the demographics of the organization will help to exhaustively identify and address all possible threats and risks.
The Consultant Cavalry
Risk assessment is a highly involved, detailed, complex, and lengthy process. Often risk analysis cannot be properly handled by existing employees because of the size, scope, or liability of the risk; thus, many organizations bring in risk management consultants to perform this work. This provides a high level of expertise, does not bog down employees, and can be a more reliable measurement of real-world risk. But even risk management consultants do not perform risk assessment and analysis on paper only; they typically employ complex and expensive risk assessment software. This software streamlines the overall task, provides more reliable results, and produces standardized reports that are acceptable to insurance companies, boards of directors, and so on.
Risk Assessment/Analysis
Risk management/analysis is primarily an exercise for upper management. It is their responsibility to initiate and support risk analysis and assessment by defining the scope and purpose of the endeavor. The actual processes of performing risk analysis are often delegated to security professionals or an evaluation team. However, all