5.2 Risk management
📘CompTIA Security+ (SY0-701)
Risk management is all about finding and understanding threats to an organization’s IT systems and deciding how to handle them. This process helps keep data safe, systems running, and operations protected.
Its two main parts are risk identification and risk assessment.
1. Risk Identification
Risk Identification is the process of finding all the potential problems that could affect an organization’s information systems. In IT, this usually involves:
- Assets: Identifying all valuable items, like servers, laptops, databases, cloud storage, software applications, and user accounts.
- Threats: Determining what could harm these assets. Examples include malware, hackers, insider threats, hardware failure, or natural disasters affecting data centers.
- Vulnerabilities: Finding weaknesses that could be exploited, such as outdated software, weak passwords, misconfigured firewalls, or unpatched systems.
IT Example:
A company runs a cloud-based CRM system. Risk identification would look at potential threats to this system, such as phishing attacks, unauthorized access, software bugs, or accidental data deletion.
The output of this step is a risk register (also called a risk inventory), which lists every identified risk together with the details needed to assess and track it.
2. Risk Assessment
Once risks are identified, the next step is Risk Assessment. This is about analyzing and prioritizing risks based on how likely they are to happen and how severe their impact would be.
There are different approaches to performing risk assessments:
A. Ad Hoc Assessment
- Definition: Done only when a problem or concern arises; not planned.
- When used: For unexpected situations.
- IT Example: A sudden discovery of a zero-day vulnerability in company software triggers a quick security review and patch.
B. Recurring Assessment
- Definition: Performed regularly at set intervals (weekly, monthly, quarterly).
- Purpose: Ensures risks are constantly monitored over time.
- IT Example: Monthly vulnerability scans on servers to detect weaknesses or misconfigurations.
C. One-Time Assessment
- Definition: Conducted once, usually for a specific project or system launch.
- Purpose: Ensures a system is safe before going live.
- IT Example: Assessing the security of a new cloud application before giving employees access.
D. Continuous Assessment
- Definition: Ongoing, automated monitoring of risks in real-time.
- Purpose: Provides immediate detection of threats so they can be addressed quickly.
- IT Example: A Security Information and Event Management (SIEM) system continuously monitoring network traffic for suspicious behavior, or automated alerting for failed logins or malware detection.
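The continuous-assessment example above mentions automated alerting on failed logins. The following is an added illustration, not part of the Security+ material or any product: it scans a few constructed auth-log lines and raises an alert once a single source address reaches a failed-login threshold inside a sliding time window. The log format, the threshold of 5 and the 60-second window are assumptions chosen for the example.

```python
"""Continuous assessment in miniature: automated alerting on failed logins.

Added example (not from the Security+ material). Scans constructed
auth-log lines and alerts when one source IP exceeds a failed-login
threshold inside a sliding time window. Threshold, window and log format
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like, documentation IP ranges).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04 sshd: Accepted password for alice from 198.51.100.2
2024-03-01T09:00:05 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:10:00 sshd: Failed password for bob from 198.51.100.9
"""

# Only failed-login lines are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (src_ip, failure_count, timestamp) alerts.

    An alert fires the first time a source reaches `threshold` failures
    within `window`; that source is then suppressed so one burst of
    failures produces exactly one alert.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m.group("ts"))
        src = m.group("src")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), ts))
    return alerts


if __name__ == "__main__":
    for src, count, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src}: {count} failed logins within 60s")
```

With the sample data, 203.0.113.7 accumulates five failures between 09:00:01 and 09:00:08 and triggers one alert; the single failure from 198.51.100.9 never reaches the threshold. A real SIEM applies the same idea at scale across many log sources, with correlation rules instead of a single regular expression.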
3. How Assessment Works in IT Terms
During assessment, organizations often measure risks using:
- Likelihood (Probability): How likely is the risk to occur?
- Impact (Severity): What is the damage if it occurs?
Risk Score Example:
| Risk | Likelihood | Impact | Risk Level |
|---|---|---|---|
| Malware infection on employee laptops | High | Medium | High |
| Data center power outage | Low | High | Medium |
| Phishing email success | Medium | High | High |
This helps prioritize which risks to address first.
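One way to turn the likelihood/impact table above into a repeatable prioritization is a small scoring routine over the risk register. The following is an added example, not from the Security+ material: it maps Low/Medium/High to 1/2/3, multiplies likelihood by impact, buckets the product into a risk level, and sorts the register so the highest-rated risks come first. The numeric mapping, the bucket thresholds and the register entries are assumptions chosen so that the results match the table.

```python
"""Qualitative risk scoring for a risk register.

Added example (not from the Security+ material). Encodes a likelihood x
impact matrix: Low/Medium/High map to 1/2/3, the product is bucketed into
a risk level, and the register is sorted highest score first. The numeric
mapping and thresholds are assumptions chosen to reproduce the table.
"""
from dataclasses import dataclass

RATING = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    """One row of the risk register (asset/threat/vulnerability as in identification)."""
    name: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # "Low" | "Medium" | "High"
    impact: str       # "Low" | "Medium" | "High"


def risk_score(likelihood, impact):
    """Numeric score 1..9 from the two qualitative ratings."""
    try:
        return RATING[likelihood] * RATING[impact]
    except KeyError as exc:
        raise ValueError(
            f"unknown rating {exc.args[0]!r}; use Low, Medium or High"
        ) from None


def risk_level(likelihood, impact):
    """Bucket the score: 6-9 High, 3-4 Medium, 1-2 Low (assumed thresholds)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(register):
    """Return (risk, score, level) tuples, highest score first (stable order on ties)."""
    rows = [
        (r, risk_score(r.likelihood, r.impact), risk_level(r.likelihood, r.impact))
        for r in register
    ]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed register entries mirroring the table; asset/threat/vulnerability
# values are illustrative, not from any real organization.
REGISTER = [
    Risk("Malware infection on employee laptops", "Laptops", "Malware",
         "Unpatched endpoints", "High", "Medium"),
    Risk("Data center power outage", "Data center", "Utility failure",
         "No backup generator", "Low", "High"),
    Risk("Phishing email success", "User accounts", "Phishing",
         "No MFA on email", "Medium", "High"),
]


if __name__ == "__main__":
    for risk, score, level in prioritize(REGISTER):
        print(f"{level:6} ({score}) {risk.name} [{risk.likelihood}/{risk.impact}]")
```

Running it lists the two High risks first and the power outage (Low likelihood, High impact) as Medium, which is exactly the ordering the table implies. An unknown rating raises an error rather than silently scoring zero, so a typo in the register cannot hide a risk.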
Key Points for the Exam
- Identification = Finding assets, threats, and vulnerabilities.
- Assessment = Analyzing likelihood and impact of risks.
- Types of risk assessments:
  - Ad Hoc → done only when needed
  - Recurring → happens regularly
  - One-Time → for a single project or system
  - Continuous → automated, real-time monitoring
- Tools often used in IT:
  - Vulnerability scanners (e.g., Nessus, OpenVAS)
  - SIEM systems (e.g., Splunk, QRadar)
  - Automated reports and dashboards
By understanding how to identify and assess risks, IT teams can prioritize security actions and protect systems and data effectively.
