A risk assessment is a process to detect potential threats, prioritize then analyze what could happen if that occurs. This is a continuous process; doing this only when there are issues or on a quarterly / half-yearly basis is really going to keep us temporary blindfolded, remember during such blindness your business is vulnerable.
Remember the following items (but not limited to) are directly giving credible technical risk inputs to your assessment process:
1. Vulnerability & Penetration Testing (VA/PT)
2. Attack Surface Analysis (ASA)
3. Log Analysis (SIEM/SOAR)
4. Subject Matter Expert Analysis (SME)
5. Data Privacy Impact Analysis (DPIA)
6. Audit Input Analysis (Internal/Third Party/Agency)
7. Security Operations Centre (SOC) / Network Operations Centre (NOC) Inputs
8. Incident Management Inputs.
Gokulavan Jayaraman, Information Security Manager, Lumina Datamatics Ltd.