there are no threats, it would not be necessary to take particular measures to treat risks. It should be recognised that threats change over time and should be regularly monitored.
Threats take advantage of vulnerabilities in systems. Once threats have been identified, it is also important to know what vulnerabilities exist in the systems. Where there are no known threats, it is possible that no action is required to fix vulnerabilities: it might not be worth the effort and cost to fix a vulnerability that nothing is currently positioned to exploit. Such vulnerabilities should nevertheless be recorded and re-evaluated as threats change, because a vulnerability that is harmless today becomes a risk as soon as a matching threat appears.
The last part of risk assessment is to assess the possible impact on assets in the event that threats actually hit the enterprise and disable or destroy assets. High impact would mean devastation of company assets. Measures should be taken to ensure that operations are able to continue after impact, either in a limited way or with full service. Figure 6.2 shows the impact matrix, which sets risk (used here in the sense of the likelihood of the event occurring) against impact, and the action management is expected to take for each combination.
#   Risk       Impact     Expected Action
1   High       Low        Minimum Action
2   High       Moderate   Action Required
3   High       High       Action Required
4   Low        Low        No Action
5   Low        Moderate   Action Required
6   Low        High       Action Required
7   Moderate   Low        No Action
8   Moderate   Moderate   Action Required
9   Moderate   High       Action Required
Figure 6.2 Impact Matrix
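The matrix is easiest to apply consistently when it is encoded once and every register entry is pushed through it. The following is an added illustration, not code from the book: it encodes the nine rows of Figure 6.2 as printed, applies them to a constructed sample register, and also handles the case discussed earlier in the chapter, a vulnerability with no currently known threat, which is kept for monitoring rather than fixed. The names `RegisterEntry`, `expected_action`, `evaluate_register` and the sample assets and threats are invented for the example.

```python
"""Risk register evaluator built on the Figure 6.2 impact matrix.

Added illustration, not code from the book. The matrix rows are encoded
exactly as printed; the asset, vulnerability and threat names in the
sample register are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LEVELS = ("Low", "Moderate", "High")

# Figure 6.2, keyed by (risk, impact). "Risk" is used in the book in the
# sense of the likelihood of the threat event occurring.
IMPACT_MATRIX = {
    ("High", "Low"): "Minimum Action",
    ("High", "Moderate"): "Action Required",
    ("High", "High"): "Action Required",
    ("Low", "Low"): "No Action",
    ("Low", "Moderate"): "Action Required",
    ("Low", "High"): "Action Required",
    ("Moderate", "Low"): "No Action",
    ("Moderate", "Moderate"): "Action Required",
    ("Moderate", "High"): "Action Required",
}

# Ordering used to put the entries needing attention at the top of a report.
PRIORITY = {"Action Required": 0, "Minimum Action": 1, "No Action": 2}


def expected_action(risk: str, impact: str) -> str:
    """Look up the management action for a (risk, impact) pair.

    Rejects levels outside the matrix instead of silently defaulting,
    so a typo in a register never turns into "No Action".
    """
    if risk not in LEVELS or impact not in LEVELS:
        raise ValueError(
            f"levels must be one of {LEVELS}: got risk={risk!r}, impact={impact!r}"
        )
    return IMPACT_MATRIX[(risk, impact)]


@dataclass
class RegisterEntry:
    asset: str
    vulnerability: str
    threat: Optional[str]  # None when no threat is currently known
    risk: Optional[str]    # likelihood level; None when no threat is known
    impact: str


def evaluate(entry: RegisterEntry) -> str:
    """Apply the chapter's rules to a single register entry.

    A vulnerability with no known threat is not fixed now (the chapter says
    that may not be worth the cost) but stays on the register so it is
    re-evaluated when the threat picture changes.
    """
    if entry.threat is None:
        return "Monitor: no known threat, re-evaluate when threats change"
    return expected_action(entry.risk, entry.impact)


def evaluate_register(entries: List[RegisterEntry]) -> List[Tuple[str, str]]:
    """Return (asset, action) pairs with 'Action Required' items first.

    sorted() is stable, so entries with the same action keep register order.
    """
    results = [(e.asset, evaluate(e)) for e in entries]
    return sorted(results, key=lambda r: PRIORITY.get(r[1], len(PRIORITY)))


# Constructed sample register (invented assets and threats).
SAMPLE_REGISTER = [
    RegisterEntry("Backup tapes (off-site copies exist)",
                  "tapes can be lost in transit", "courier loss", "High", "Low"),
    RegisterEntry("Customer database",
                  "unpatched DBMS", "external attacker", "High", "High"),
    RegisterEntry("Legacy print server",
                  "default SNMP community string", None, None, "Low"),
    RegisterEntry("Payroll system",
                  "single shared admin account", "insider misuse", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    for asset, action in evaluate_register(SAMPLE_REGISTER):
        print(f"{action:<55} {asset}")
```

The first sample entry is the book's own backup example: high likelihood of loss, low impact because copies exist elsewhere, so the matrix returns "Minimum Action". The print server carries a real weakness but no identified threat, so it is held for monitoring rather than mapped through the matrix at all.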
1. High risk vs low impact - Although the likelihood of the event happening is high, the impact on the enterprise is low. The enterprise might opt to accept the risk or take minimum or low-cost mitigation measures. An example would be backup data stored in a secure place: whilst the risk that the data is lost is high, the impact might be low because copies of the backups are kept at other sites.
2. High risk vs moderate impact - High risk combined with moderate impact requires action to be taken, since the event is likely to occur. A moderate