Risk assessment

Paper Analysis Paper Analysis The paper that has been chosen for analysis is related to the field of risk assessment. The title of the paper is “ Development of a Risk Assessment Analysis Methodology for Nonprofit Organizations” and has been written by Steven F. Fox. It was published in the ISSA Journal in 2008.
The main idea of the paper is that it proposes an efficient risk assessment toolkit that will highlight the importance of the IT infrastructure for the non-profit organizations. Every organization possesses certain assets like data, policies and procedures etc that should be safeguarded so that it does not become the target of malicious usage. Large organizations tend to spend great number of resources on implementing security measures to keep their informational assets safe but the writer states that there is not much awareness about this aspect in the non-profit organizations that have very limited resources and IT budgets.
The author of the chosen paper, Fox (2008) understands the constraint of limited budgets in non-profit organizations therefore devised the methodology that would not cause them any setbacks in their financial system. The following aspects are considered for the development of the respective methodology; inexpensive or free software components that are compatible with Microsoft, no new infrastructure risk is brought about in the system, tools must be simple enough to be operable by volunteers after only few training sessions.
The methodology that has been proposed by the author involves a series of steps that should be followed to ensure that the non-profit organization understands the risks that might be present in their IT infrastructure. Fox (2008) proposed the following steps:
-Definition of the scope of risk assessment
-Interview of the top management.
-Conducting the risk assessment process
-Preliminary report
-Development of remediation plan
The series of steps for the risk assessment process is detailed and covers some of the basic considerations that should be involved in the conventional mode of risk assessment for example; the views of the top management regarding the important data that should be safeguarded and the authorities who should have access to the data. However, the implementation of the methodology requires the assessor to be equipped with the knowledge of UML which might pose to be a challenge for the volunteers in the non-profit organization. It requires considerable training to possess the skill of framing real life instances into UML framework.
Another aspect of the paper that could have been explained in a better manner involves COBIT and NIST 800-30 security standards. The methodology is claimed to be based on these security standards but the series of risk assessments steps have not been explained with their reference. There is no specific conclusion in this article that leaves room for improvement. The impact and future of this methodology have been discussed that makes the methodology more creditable.
Overall the paper constitutes information and findings that can be implemented in the real world since the author has had real life personal experience in the field of non-profit organizations, except for a few limitations that have been stated above. The methodology points out relevant aspects that can help non-profit organizations or even small organizations assess the risks that might be involved in their information system security.
References
Fox, S. F. (2008). Development of a Risk Assessment Analysis Methodology for Nonprofit Organizations, ISSA Journal, January 2008, pp: 22-25