Security Risk Assessment

Security is an important part of the design of a solution, and it involves more than just setting up passwords.

The solution must first be evaluated to determine the people that will need access and the types of things that they should be allowed to do.

For the most part, the security design must ensure that those people can have access to perform those functions. However, other people must be prohibited from accessing the solution and other functions must be prohibited.


The purpose of performing the risk assessment during the Analysis Phase is to get the client engaged and active in determining the requirements for security and how security will be implemented.

There are many factors involved with creating a secure solution and a secure environment. Many of them are outside of the direct control of the project team. In many cases the project team and the client must work together with other organizations in the company to ensure that the solution and the total environment are secure.


Creating a security risk assessment includes identifying the data associated with your solution, the security level of the data, the possible threats and the vulnerabilities your design should try to address.

In addition, your risk assessment should consider the likelihood of the security event occurring and the consequences of each event. This is necessary to ensure that the cost of implementing security measures is appropriate based on the potential vulnerabilities.

  • Access requirements. First describe the legitimate uses of the solution and the people (roles) that will need access to perform those functions. These are general statements and not detailed requirements.

    In general, this risk assessment will determine the difficulties in limiting access to these people and functions.
  • Data security designation. The first part of the security risk assessment is understanding the security requirements of the underlying data. Highly confidential data, like sales and payroll data, obviously needs to be protected more than data that is for everyone, such as the company's open job positions.
  • Threats. Threats to information systems can come in a variety of ways. Normal human error can result in security breaches.

    This may be the case, for instance, when someone opens a mail file containing a virus. There may also be threats from fraud and theft from insiders.

    One of the most damaging threats to systems is malicious hackers and malicious code sent to a system. Malicious code includes items such as viruses, worms, Trojan horses, etc. These threats are real, likely to occur, and bring about a great deal of cost in repairs.

    You should work with your client to identify the potential threats against your data. If your data is open to begin with, there is little threat associated with unauthorized use. However, data that is more confidential will have more potential vulnerabilities.
  • Vulnerabilities. Vulnerabilities are unintentional security lapses. For instance, your solution may enforce userid/password security, but it may be vulnerable to hackers if these passwords are easy to figure out, like the current date or a person's first name.

    Another vulnerability may arise because of a program logic error. You may need to put measures in place to guard against vulnerabilities.
  • Likelihood and risks. There are two areas that should be addressed for each threat and vulnerability to your system - the likelihood of the threat or vulnerability occurring, and the consequences of the breach.

    If a threat or vulnerability is likely and the consequences are significant, the solution should have extra security and controls in place to protect the underlying data. If the threat is remote, or the consequences of a breach are relatively minor, you would want to design less costly controls or perhaps none at all.
  • Controls / safeguards. Now that you have a general understanding of threats and vulnerabilities and the likelihood of these security incidents, you can determine the controls and safeguards necessary to respond to that risk.

    Responses could include implementing firewalls, installing software to detect hackers, suspending a userid after three wrong password attempts, providing increased training, etc.
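
Two of the concrete items named in the list above, a password that is a person's first name or the current date and the suspension of a userid after three wrong attempts, shown together as an added Python example (not part of the original article). The `LoginGuard` class, the date formats checked and the PBKDF2 storage are assumptions made for illustration.

```python
import datetime as dt
import hashlib, hmac, os

MAX_FAILURES = 3  # "suspending a userid after three wrong password attempts"
DATE_FORMATS = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%Y-%m-%d", "%d/%m/%Y", "%m/%d/%Y")

def is_guessable(password, first_name, today):
    """True for the two weak choices the text names: today's date or the first name."""
    p = password.strip().lower()
    if p in {today.strftime(f) for f in DATE_FORMATS}:
        return True
    # Also catch the name with digits or punctuation tacked on, e.g. "maria2012!"
    return p.rstrip("0123456789!@#$%._-") == first_name.strip().lower()

def _digest(password, salt):
    # Salted, slow hash so the stored value is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginGuard:
    """Hypothetical in-memory account store with a three-strikes suspension."""
    def __init__(self):
        self._accounts = {}    # userid -> (salt, digest)
        self._failures = {}    # userid -> consecutive wrong attempts
        self.suspended = set()

    def register(self, userid, first_name, password, today=None):
        if is_guessable(password, first_name, today or dt.date.today()):
            raise ValueError("password is the first name or the current date")
        salt = os.urandom(16)
        self._accounts[userid] = (salt, _digest(password, salt))

    def attempt(self, userid, password):
        if userid in self.suspended:
            return "suspended"   # stays locked until an administrator lifts it
        # Unknown userids take the same path, so responses do not reveal who exists
        salt, stored = self._accounts.get(userid, (b"\0" * 16, b""))
        if hmac.compare_digest(_digest(password, salt), stored):
            self._failures.pop(userid, None)   # a success resets the counter
            return "ok"
        self._failures[userid] = self._failures.get(userid, 0) + 1
        if self._failures[userid] >= MAX_FAILURES:
            self.suspended.add(userid)
            return "suspended"
        return "denied"
```

The suspension is itself something to weigh in the likelihood and consequences step: anyone who knows a userid can lock its owner out with three bad guesses, so the reinstatement procedure is part of the control.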

COPYRIGHT © 2007-2012 por Hector Olvera Padilla 1853071. Reproduction in whole or in part, or translation without written permission is prohibited. "PMP®", "PMBOK®", and "PMI®" are registered marks of the Project Management Institute, Inc.