An information security Risk Assessment is a comprehensive examination mechanism that covers every aspect that comes into direct or indirect contact with the organisation’s information systems. Within the framework of the assessment, the organisation’s information systems are mapped at an abstract level, at which it is easier to examine their individual components and to grade the level of risk arising from each system and from the systems as a whole.
Numerous risks may affect the organisation’s information assets, such as flawed allocation of authorisations to employees in various departments; information leakage among departments; lack of compartmentalisation; deficient password management; uncoordinated information availability; recovery following a disaster; and erroneous firewall definitions.
The risks are weighted according to the importance of the organisation’s assets; the assessment therefore depends on the cooperation of the various departments that own and operate those assets. By mapping and assessing the risks, it is possible to arrive at an organised plan according to which penetration tests are carried out on the systems, prioritised by their importance to the organisation.