Risk Assessment Methodology
- Identify the information assets that need protecting
- Describe the architecture of the information system to be deployed
- Identify and rank the threats to those information assets based on the architecture
- Identify the most serious threats and develop solutions to mitigate the threats as much as possible. Typically,
- Insecure user computing environment (viruses, unattended desktops)
- Server operating system security; inadequate system administration
- Poor physical server environment
- Network encryption of passwords and data
- Make specific recommendations of solutions for deployment
- Policy
- Stronger access control
- Encryption
- Secure server
- Secure network
See full paper (/noam/cip/akc-secu.pdf)