Risk Assessment Question
Going back through the risk assessment, I had a question! When including the risks, are we supposed to come at it with professional skepticism? For example, we have a system administrator who is a great employee. We would never expect them to do anything malicious. BUT, when looking at the possible threat of "falsification of records", should I still list it as a threat? Even if it is very unlikely, it is something that someone in their position is capable of doing.
You should always approach risk assessment with professional skepticism.
For the impact, you need to take the worst-case scenario, i.e., the worst impact that can happen if the risk materializes. For likelihood, you have to assess how strong the current safeguards in place are, and how reliable this person is.
These articles will provide you with further explanation:
Aug 25, 2022