An information security Risk Assessment is a structured examination of everything that touches the organization's information systems, directly or indirectly. Within the framework of the assessment, the organization's information systems are mapped at an abstract level, at which their individual components can be examined and the level of risk arising from each system graded.
Numerous risks may affect the organization's information assets, such as faulty assignment of access rights to employees in the various departments; information leakage between departments; lack of compartmentalization; deficient password management; inconsistent availability of information; inadequate recovery following a disaster; and misconfigured firewall rules.
Risks are graded according to the importance of the assets they affect, that is, the impact of their compromise on the organization; the assessment therefore depends on the cooperation of the departments that own those assets. Mapping and assessing the risks yields an organized plan according to which penetration tests are carried out on the systems, in order of their importance to the organization.