Security consultant

Network Risk Assessment
Describe the purpose of a risk assessment, risk scope and identify critical areas for an assessment.
With the advent of computer networks and robust IT resources, the prevalence of malicious network activity such as hacking presents significant risks to the operational integrity of a company. A secured company network is one that has instituted a set of procedures to safeguard the fundamental networking infrastructure from misuse, disclosure of critical information, or simply access by unauthorized persons. Risk assessment is a proactive network security measure that serves to identify the risks, threats, and vulnerabilities that could endanger the integrity of the company’s operations. Secondly, this assessment forms the basis upon which these risks, threats, and vulnerabilities are prioritized according to their criticality. Remediation of the identified risks and vulnerabilities can then be budgeted effectively. Also, it is from this risk assessment that compliance with new IT security laws and regulations can be achieved, avoiding legal issues. Essentially, a properly conducted risk assessment offers a basis through which the company may roll out a set of procedures aimed at protecting the company’s assets, which in this case include hardware, software, and critical information.
The scope describes what is and is not covered in the assessment by identifying what needs to be protected, the sensitivity of the information protected, and the extent of the protection. Defining the scope of a network security assessment is important, as it forms the basis for understanding the budget and the level of security defined by the company’s policies. Understandably, the scope is a function of the criticality of the information that a company holds or seeks to protect from damage, manipulation, or malicious disclosure to the public. Areas covered include the types of operating systems in use on the computers, access control permissions, port scanning, wireless leakage, firewall testing, intrusion detection testing, and service pack levels. A thorough assessment of these areas identifies the loopholes through which the company’s critical information may be compromised. The aim is to proactively protect these areas from malicious attacks or unauthorized access.
Select risk assessment methodology and give your rationale behind the one you chose.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a commonly used methodology for the strategic assessment and planning of network security risks. The OCTAVE methodology is a technique used to analyze a company’s information security requirements. OCTAVE Allegro is the latest development and is widely used by the CERT Division. While the older versions, OCTAVE and OCTAVE-S, remain in use, OCTAVE Allegro is preferred for the following reasons:
First, OCTAVE Allegro is a self-directed approach in the sense that it allows small teams drawn from a company’s business units and IT staff to collaborate in addressing the security needs of the company. Generally, a successful business risk assessment methodology should allow for maximum collaboration. Secondly, the approach is flexible, as it can be tailored to the company’s specific risk environment, security and resiliency goals, and skill level. Lastly, the evolved nature of OCTAVE moves a company toward an operational, risk-based view of security and addresses technology in its business context. OCTAVE can be modified easily and, given the benefits above, can be employed as the fundamental risk-assessment process on which the other approaches build.
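The prioritization step described above (ranking identified risks by criticality so that remediation can be budgeted) is where OCTAVE Allegro becomes concrete. The following added example, which is not part of the original essay or of the CERT OCTAVE material, models Allegro's relative risk score worksheet: each organizational impact area receives a priority rank, each risk is rated Low/Medium/High per impact area, and the score is the sum of rank multiplied by impact value. The impact-area ranking, the three sample risks (drawn from the assessment areas listed earlier, such as service pack levels and wireless leakage), the likelihood ratings and the mitigate/defer/accept thresholds are all constructed for illustration.

```python
"""Prioritize assessment findings with an OCTAVE Allegro style relative risk score.

Added example, not from the original essay or from CERT. It mirrors the Allegro
scoring worksheet: impact areas are ranked by importance to the organization,
each risk is rated per impact area, and the relative risk score is the sum of
(area rank x impact value). All assets, threats, ratings and thresholds below
are constructed sample data.
"""
from dataclasses import dataclass

# Qualitative impact rating -> numeric impact value (Allegro uses Low/Medium/High).
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}

# Likelihood ordering used only as a tie-breaker and for pool assignment.
LIKELIHOOD_ORDER = {"low": 0, "medium": 1, "high": 2}

# Constructed ranking of impact areas for a hypothetical company:
# a higher rank means the area matters more to this business.
IMPACT_AREA_RANK = {
    "reputation": 5,
    "financial": 4,
    "productivity": 3,
    "safety_health": 2,
    "fines_legal": 1,
}


@dataclass
class Risk:
    asset: str             # information asset at risk (constructed)
    threat: str            # threat scenario in plain words
    area_of_concern: str   # assessment area that surfaced the finding
    impacts: dict          # impact area -> "low" / "medium" / "high"
    likelihood: str = "medium"


def relative_risk_score(risk: Risk, ranks: dict = IMPACT_AREA_RANK) -> int:
    """Sum over the rated impact areas of (priority rank x impact value).

    Areas the risk does not touch contribute nothing; an unknown area or
    rating is a worksheet error and is reported rather than silently ignored.
    """
    score = 0
    for area, level in risk.impacts.items():
        if area not in ranks:
            raise ValueError(f"unknown impact area {area!r}")
        if level not in IMPACT_VALUE:
            raise ValueError(f"unknown impact rating {level!r} for {area!r}")
        score += ranks[area] * IMPACT_VALUE[level]
    return score


def prioritize(risks: list) -> list:
    """Order risks by score (highest first), breaking ties on likelihood."""
    return sorted(
        risks,
        key=lambda r: (relative_risk_score(r), LIKELIHOOD_ORDER[r.likelihood]),
        reverse=True,
    )


def mitigation_pool(risk: Risk, mitigate_at: int = 30, defer_at: int = 15) -> str:
    """Assign a risk to a mitigation pool (constructed thresholds).

    With five impact areas rated High the maximum score is 45; scores at or
    above mitigate_at are remediated now, mid-range scores are deferred unless
    the threat is also likely, and the remainder are accepted and monitored.
    """
    score = relative_risk_score(risk)
    if score >= mitigate_at or (score >= defer_at and risk.likelihood == "high"):
        return "mitigate"
    if score >= defer_at:
        return "defer"
    return "accept"


# Constructed findings, each tied to one of the assessment areas in scope.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection through an unpatched web front end",
         "service pack levels",
         {"reputation": "high", "financial": "high", "productivity": "medium",
          "safety_health": "low", "fines_legal": "high"},
         likelihood="high"),
    Risk("internal VLAN", "guest wireless leaking onto the internal network",
         "wireless leakage",
         {"reputation": "medium", "financial": "low", "productivity": "medium"},
         likelihood="medium"),
    Risk("departmental file share", "stale administrator permissions on the share",
         "access control permissions",
         {"financial": "low", "productivity": "low"},
         likelihood="low"),
]


def build_register(risks: list = SAMPLE_RISKS) -> list:
    """Return the prioritized register as (asset, score, pool) tuples."""
    return [(r.asset, relative_risk_score(r), mitigation_pool(r))
            for r in prioritize(risks)]


if __name__ == "__main__":
    for asset, score, pool in build_register():
        print(f"{score:>3}  {pool:<8}  {asset}")
```

Changing the entries in `IMPACT_AREA_RANK` is the tailoring step the essay credits Allegro with: the same findings re-order themselves when, say, regulatory fines outrank reputation for a particular company, which is why the ranking is agreed by the business units and IT together before any finding is scored.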