Risk assessments.

A methodical risk assessment practice starts by identifying assets, weighs how realistic each risk is, and produces recommendations as its output. A process for this:

  1. Create a census of data types, interfaces, and flows.
  2. Classify each data type's risk in the categories of integrity, availability, and confidentiality as high, medium, or low.
  3. List some threats to the data, classifying each as adversarial, accidental, structural, or environmental. Don’t pursue comprehensiveness.
  4. Identify vulnerabilities that trigger the threat, classifying which data risk category the vulnerability harms. These are the Risks.
  5. List any controls that presently mitigate each risk.
  6. Rate the likelihood of each risk occurring. Rate impact, too.
  7. Derive the risk rating from a matrix of impact versus likelihood: the lower of the two ratings takes precedence (low beats medium and high, medium beats high), so only high impact + high likelihood = high.
  8. Finally, list risks + ratings and produce a recommendation for each.
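The eight steps above, carried through as a small risk register. This is an added example, not part of the original note: the `Risk` record holds the census entry, threat, vulnerability, data category, existing controls and ratings, `rate_risk` encodes the step 7 matrix (the lower rating wins, so only high + high is high), and the three sample risks are constructed for a hypothetical customer-data export flow.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3

THREAT_KINDS = {"adversarial", "accidental", "structural", "environmental"}
DATA_CATEGORIES = {"confidentiality", "integrity", "availability"}

def rate_risk(likelihood: Level, impact: Level) -> Level:
    # Step 7 matrix: the lower rating takes precedence, so only HIGH x HIGH is HIGH.
    return Level(min(likelihood, impact))

@dataclass
class Risk:
    asset: str          # data type, interface or flow from the census (step 1)
    threat: str         # step 3
    threat_kind: str    # adversarial / accidental / structural / environmental
    vulnerability: str  # step 4: what lets the threat materialise
    harms: str          # data risk category the vulnerability harms (step 2 labels)
    likelihood: Level   # step 6
    impact: Level       # step 6
    controls: list = field(default_factory=list)  # step 5: controls already in place
    recommendation: str = ""                      # step 8: assessor's recommendation

    def __post_init__(self):
        if self.threat_kind not in THREAT_KINDS or self.harms not in DATA_CATEGORIES:
            raise ValueError(f"bad classification on risk for {self.asset!r}")

    def rating(self) -> Level:
        return rate_risk(self.likelihood, self.impact)

def build_register(risks):
    # Step 8 output: (rating, asset, vulnerability, recommendation), highest rated first.
    return [(r.rating().name, r.asset, r.vulnerability, r.recommendation)
            for r in sorted(risks, key=lambda r: r.rating(), reverse=True)]

SAMPLE_RISKS = [  # constructed sample risks for a hypothetical export flow
    Risk("customer export (CSV over SFTP)", "stolen staff credentials", "adversarial",
         "export portal has no second factor", "confidentiality", Level.HIGH, Level.HIGH,
         ["login audit logging"], "require MFA on the export portal"),
    Risk("nightly backup tapes", "flooding of the storage room", "environmental",
         "tapes kept at ground level", "availability", Level.LOW, Level.HIGH,
         ["off-site copy"], "accept; the off-site copy already covers restore"),
    Risk("order database", "analyst runs a bulk update by mistake", "accidental",
         "shared write account used for reporting", "integrity", Level.MEDIUM,
         Level.MEDIUM, [], "issue read-only reporting credentials"),
]
```

`build_register(SAMPLE_RISKS)` returns the rows ordered HIGH, MEDIUM, LOW; the tape-flooding risk lands at LOW because its low likelihood outranks its high impact under the matrix rule.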