The objective of a threat and risk assessment is to provide recommendations that maximize the protection of confidentiality, integrity, and availability while still providing functionality and usability. In order to best determine the answers to these questions, a company or organization can perform a threat and risk assessment.
Range: It identifies what exactly needs to be protected, the sensitivity of the data that is being protected, as well as to what level and detail.
Data Collection: This part of our assessment involves collecting all policies and procedures currently in place and identifying those that are missing or undocumented.
Vulnerability Evaluation: The purpose of vulnerability analysis is to take what was identified in the gathering of information and test to determine the current exposure, whether your current safeguards and checkpoints are sufficient in terms of confidentiality, integrity or availability.
Threat Findings: Threats are described as anything that would contribute to the tampering, destruction or interruption of any service or item of value. Some examples of threats could include hacking, theft, floods, viruses, or fire. Threats that are identified must be looked at in relation to the type of business and what effect they will have on the organization.
Inventory of acceptable risks: One of the final tasks is to assess whether or not the existing policies, procedures and protection items in place are adequate. If there are no safeguards in place providing adequate protection, it can be assumed that there are vulnerabilities.
