What is a Security Risk Assessment and How to Conduct one?

Photo by Scott Webb on Unsplash
  1. Phases
  2. Objectives
  3. Assumptions
  4. Mitigations and Solutions
  5. References


Security Assessment Phases | Ahmed Mansoor


  1. Analyze the existence and effectiveness of current controls
  2. Conduct a vulnerability assessment to identify weaknesses that might be exploited by an attacker or a hacker
  3. Determine if the security controls and access to data and office premises are securely maintained
  4. Determine the unfavourable impact (or consequences) resulting from the successful exploitation of a vulnerability by a threat
  5. Ensure that proper guidelines are being composed by staff and students with regard to the security aspects
  6. Identify the nature of the vulnerabilities and areas where special attention is required to avoid threats
  7. Define and identify the threats that have the risk of causing harm to the business facility and its inhabitants
  8. Provide controls that could mitigate or eliminate the identified risks, as appropriate to your company’s operations
  9. Provide a mechanism or procedure for improved oversight of information security programs
  10. Produce security controls within enterprise architecture and systems


Photo by Azamat E on Unsplash

Vulnerabilities are exploitable weaknesses in the physical structure and design of the business facility, and implementation, operations and guidelines concerning the protection of assets and data.

  1. Unauthorised modification and removal of data or other sensitive contents
  2. Unauthorised disclosure of data
  3. Unauthorised access to data for uncertified users
  4. Denial of service to authorised users
  5. Financial, legal and reputational damages

# Damage

# Destruction

# Disclosure

# Denial of Service

# Modification


Photo by Evgeni Tcherkasski on Unsplash

4.1 Web Application Assessment

# SQL Injection

  1. Attackers may find the credentials of system users, including administrators, and use them to impersonate respective users and access their database privileges
  2. It may be used to drop tables (delete records) from the database. This will probably result in service unavailability for some time, even if the database was backed up
  3. It might let the attacker alter or steal personal student data in the database.

# Cross-site Scripting

4.2 Phishing Assessment

4.3 Wireless Assessment

# Penetration testing

  1. Wireshark — was used to profile network traffic and for analyzing network packets. It can capture traffic from all the different network media types used, including Wireless LAN, Bluetooth and USB.
  2. Nmap (network mapper) — it scanned the systems and networks for vulnerabilities connected to open ports; Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It directs the IP addresses linked to the systems to be scanned and tested for open ports.

4.4 Database Assessment

4.5 Physical Security Assessment

# Utility

# Fire detection


Photo by Franck on Unsplash

5.1 Physical Access Controls

# Intrusion Detection

# Closed-Circuit Television (CCTV)

# Identification Methods

5.2 User Controls

5.3 Processing Controls

# Input checks or dual input

  1. Missing or incomplete data
  2. Inconsistent data collection and control
  3. Known scripting or injection-based attacks
  4. Invalid characters in the data fields
  5. Validation checks

# Validation checks

  1. The use of appropriate programs to recover or prevent failures
  2. The security against buffer overrun attacks
  3. The procedure is implemented to prevent programs from running in an incorrect order

5.4 Access Controls

  1. Access to sensitive files should be controlled and conducted securely
  2. Only approved or administrative users may install operational and production software or applications
  3. The software should be authorized by a staff whose officially approved duties allow them to do so
  4. The software should be maintained at a level recommended by the supplier
  5. Physical and logical access should be given to authorized users with proper management approval, and their activities should be logged and monitored with appropriate controls in place
  6. While conducting tests or upgrading any operational or production system, test data that represent operational data should be used instead of actual operational and production data or any other sensitive information.
  7. Programs and website source code should be protected against authorized access or modification

5.5 Support Process

# Change controls

  1. Version control should be implemented and enforced, as it can be used in case of unauthorized functionality or unintentional software changes
  2. All changes to the website’s source code, upgrade or uninstallation of system hardware or software shall be coordinated and approved by a staff whose poses the authority
  3. A risk assessment should be included in the change control process, to analyze the impact of specification changes and security controls required. It should also ensure that the existing security control procedures are in appropriate condition and that the assigned employee or vendor is given sufficient and approved access to make the required changes
  4. Whenever required, adequate performance testing should be conditioned, using appropriate test data and test facilities

# Software development

  1. Software developments and outsourced sourced software (including student and Human resource management systems), should be supervised and monitored by the ICT department.
  2. Software licensing arrangements, intellectual property rights and code ownership should be maintained appropriately
  3. Outsourced software testing b installation to detect viruses and malicious Trojan code

5.6 Technology Vulnerability Control

  1. Identify the associated parties and risks
  2. Coordinate actions to mitigate and resolve the issue
  3. Impacted areas and boundaries of work
  4. If a patch is available, compare and formulate the risk associated with the vulnerability and that of installation of the patch to ensure the integrity and effectiveness of the patch
  5. In a case where no appropriate patch is available, at the minimum these controls should be considered:

5.7 Legal Compliance and Requirements




Apparently, I like to write — linktr.ee/ahmedmansoor

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store