Risk Assessment Methodology

• Identify the information assets that need protecting

• Describe the architecture of the information system to be deployed

• Identify and rank the threats to those information assets based on the architecture
  • Desktop
  • Server
  • Network

• Identify the most serious threats and develop solutions to mitigate the threats as much as possible. Typically,
  • Insecure user computing environment (viruses, unattended desktops)
  • Server operating system security; inadequate system administration
  • Poor physical server environment
  • Network encryption of passwords and data

• Make specific recommendations of solutions for deployment
  • Policy
  • Stronger access control
  • Encryption
  • Secure server
  • Secure network

See full paper (/noam/cip/akc-secu.pdf)