I have decided to focus on the subject matter of risk assessment with a particular focus on information security. Risk assessment basically describes the information security risk present or potential and enables organizations to prioritize risks according to their seriousness. It determines the value of an information assets, identifies the applicable threats and vulnerabilities that exist or could exist, identifies the existing controls and their effect on the risks identified, determines the potential consequences and finally prioritizes them.

This is necessary in identifying organizational needs regarding information security requirements and to create an effective countermeasures. Every organization is different and therefore, it is important that countermeasures should be aligned with organization’s environment and specifically its enterprise risk management (Rausand, 2013). The security effort should address risks in an effective and timely manner where and when they are needed. Therefore, risk assessment is the first process in any information security risk management program helps identify the relevant risks and the appropriate controls for reducing or eliminating these identified risks.

Vulnerabilities and new threats to IT security come up all the time and companies need to proactively find vulnerabilities and be aware of new threats if they want to keep up with evolving risks. Time-sensitive risks may need immediate action and paper-based IT risk assessments will not be enough to handle threats in a timely manner.

References

Rausand, M. (2013). Risk Assessment Process. Risk Assessment, 197-211. doi:10.1002/9781118281116.ch8