Risk Assessment

Risk Assessment is a process that helps organizations become more aware of what they have and what is most important to them. Ideally, it should involve the whole organization, working together to identify all information technology assets, to assign a priority rating to each, and to identify the threats and vulnerabilities to these assets. In reality, a team is usually assembled, composed of IT managers and staff, library administration personnel, and members of various other departments.

Risk is the possibility that someone or something will either intentionally or unintentionally exploit or attack a computer or system, resulting in damage to that asset. Risk can never be completely eliminated; it can only be mitigated and reduced to an acceptable level. That level will vary according to the importance of an asset to an organization. A Risk Assessment will help a library better understand its risks by weighing the likelihood that an asset will be attacked against its value and against the cost of protecting it.

Determining Your Assets

An asset is something of value to your organization. In information technology terms, it can be:

  • Information and intellectual property
  • Computer hardware
  • Computer software
  • People

Examples of information and intellectual property assets include: the original cataloging in a library's bibliographic database; locally created indexes and databases; locally created websites; staff email; library procedures and policies; staff documents; circulation data; and financial records. Computer hardware should include all servers, telecommunications equipment, desktop computers, printers, backup devices and cables. Software assets might include desktop operating systems such as Windows 2000 or Macintosh OS9; productivity applications such as office suites; server operating systems; and server software. Finally, human assets should never be overlooked. They might include administrators, IT staff, catalogers and indexers, reference staff, technical services staff and so on.

Once a list of the library's assets has been created, each asset should be assigned a "threat rating" by evaluating it in terms of its importance to the library's mission.

  • High — Your library would suffer major disruption and legal or financial loss if the asset is attacked. Without this critical asset, your library would be sufficiently damaged as to no longer be able to fulfill its mission.
  • Medium — Your library would suffer minor disruption and legal or financial loss if the asset is attacked. Without this important asset, the library would still be able to fulfill its mission, but in a diminished capacity.
  • Low — Your library would suffer no disruption, legal or financial loss if the asset is attacked. Your library would be able to completely fulfill its mission without this trivial asset.
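The weighing described above (likelihood of attack, value of the asset, cost of protecting it) and the High/Medium/Low rating scale can be turned into a small asset register that ranks assets and flags where a proposed safeguard costs more than the loss it prevents. The following is an added example written for this page, not code from the original article or from CERT; the expected-loss formula (likelihood multiplied by value, weighted by the rating), the numeric weights 3/2/1, and all asset values, likelihoods and costs are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass

# Rating scale from the article: High / Medium / Low.
# The numeric weights are an assumption chosen for this example.
RATING_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass
class Asset:
    name: str
    category: str           # information, hardware, software or people
    rating: str             # "High", "Medium" or "Low"
    value: float            # estimated loss if the asset is damaged (constructed, currency units)
    likelihood: float       # estimated chance of a successful attack per year, 0..1 (assumption)
    protection_cost: float  # yearly cost of the proposed safeguard (constructed)

    def __post_init__(self):
        if self.rating not in RATING_WEIGHT:
            raise ValueError(f"unknown rating {self.rating!r} for {self.name}")
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"likelihood must be in 0..1 for {self.name}")


def expected_loss(asset):
    """Loss the library can expect per year: likelihood times value (assumed model)."""
    return asset.likelihood * asset.value


def risk_score(asset):
    """Expected loss weighted by how important the asset is to the mission."""
    return RATING_WEIGHT[asset.rating] * expected_loss(asset)


def prioritize(assets):
    """Assets ordered from highest to lowest risk score."""
    return sorted(assets, key=risk_score, reverse=True)


def protection_decision(asset):
    """'protect' when the safeguard costs less than the loss it averts, else 'accept'
    (the residual risk is treated as acceptable for this asset)."""
    return "protect" if asset.protection_cost < expected_loss(asset) else "accept"


def risk_register(assets):
    """Rows of (name, rating, risk score, decision), highest risk first."""
    return [(a.name, a.rating, risk_score(a), protection_decision(a))
            for a in prioritize(assets)]


# Constructed sample register using asset types named in the article.
REGISTER = [
    Asset("Bibliographic database", "information", "High", 200_000, 0.125, 15_000),
    Asset("Circulation data", "information", "High", 50_000, 0.25, 8_000),
    Asset("Library website", "information", "Medium", 20_000, 0.5, 3_000),
    Asset("Staff desktop images", "software", "Low", 5_000, 0.5, 4_000),
]

if __name__ == "__main__":
    for name, rating, score, decision in risk_register(REGISTER):
        print(f"{name:24} {rating:6} score={score:>9.1f} {decision}")
```

The decision rule is deliberately simple: a safeguard is worth buying when it costs less than the loss it is expected to prevent. In practice a library would revisit the likelihood estimates as the threat and vulnerability list from the next step is filled in, since those estimates drive the whole ranking.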

Computer assets are constantly exposed to threats and vulnerabilities. A threat is a situation in which someone or something deliberately compromises confidentiality, integrity or availability. A vulnerability is a flaw in software code which might be exploited to perform attacks on the networks or computers which use that software. Listing the threats and vulnerabilities of a library's computers and networks is a vital part of a Risk Assessment. For more on threats and vulnerabilities, see Common Security Threats and Vulnerabilities.

Finally, it is important that once the Risk Assessment is complete it be put to use. Now that your organization has a clearer idea of what assets it is protecting, it should make decisions on how to protect them. The Risk Assessment merely answers the questions what and why. For help on performing a Risk Assessment, see "OCTAVE" Information Security Risk Evaluation, a checklist from CERT designed to help an organization assess its risk.

Next: Creating a Security Policy