The purpose

Rutgers Risk, Policy and Compliance Ad Hoc Security Risk Assessment is an improvisational approach to risk management and seeks to analyze security and control gaps by applying industry standards and frameworks. The outcomes of ad hoc analysis are generally in the form of reports, data summaries, or a statistical models.

Ad hoc security risk assessments include risk assessments, security reviews, contract reviews, data use agreement reviews, cloud access reviews, and risk & security projects.

The process

The objective of ad hoc risk assessments is to understand the existing system and environment and identify risks through analysis of the information/data collected. By default, all relevant information should be considered and includes:

• Review the adequacy of existing security policies, standards, guidelines, and procedures.
• Analyze assets, threats, and vulnerabilities, including their impacts and likelihood.
• Map threats to assets and vulnerabilities to help identify their possible combinations. Each threat can be associated with a specific vulnerability or even multiple vulnerabilities. Unless a threat can exploit a vulnerability, it is not a risk to an asset.
• Develop practical technical recommendations to address the vulnerabilities identified and reduce the level of security risk.
• Produce and submit a risk assessment report.