The Value of Risk Assessment - A Case Study

Published: 12 May, 2003
Created by: Elton Pierce

Security risk assessment is an invaluable tool in a security professional's quest to protect a company's information assets. Information Technology projects that do not go through a security risk assessment process have a greater potential of exposing a company's information assets to corruption and loss. As a security professional at a large company that has recently standardized its security risk assessment process, it is my responsibility to uncover security vulnerabilities that exist in a project, suggest possible mitigation strategies for the vulnerabilities identified, and clearly articulate any vulnerabilities that are not mitigated to those with the authority to accept them. This paper will examine the application of the security risk assessment process to a rather complex project, from the initial phases of its design, prior to security risk assessment, through to its production state. It will discuss how risks were assessed and identified and show how the risk assessment process changed the final outcome of the project. We will also look at the impact that risk assessment had on the project and identify lessons learned. Security risk assessment is often a tricky business.