In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity and responsible division or support personnel) essential to defining the risk. The methodology described can be applied to assessments of single or multiple, interrelated systems.
A threat is the potential of a threat source to exercise a specific vulnerability. A vulnerability is a weakness in the system that can be accidentally triggered or intentionally exploited. A threat source does not present a risk when there is no vulnerability that can be exercised.
Once the plausible threats are identified, a vulnerability assessment is performed. The vulnerability assessment considers the potential impact of loss after a successful attack as well as the vulnerability of the facility or location to an attack.
Analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood of a threat exercising a system vulnerability.
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
- Threat source motivation and capability
- Nature of the vulnerability
- Existence and effectiveness of the current controls
The next major step in measuring the level of risk is determining the adverse impact resulting from a successful exercise of a vulnerability by a threat. Before beginning the impact analysis, it is necessary to obtain the following information:
- System mission (e.g., the processes performed by the IT system)
- System and data criticality (e.g., the system’s value or importance to an organization)
- System and data sensitivity
The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a threat / vulnerability pair can be expressed as a function of:
- The likelihood of a given threat-source's attempting to exercise a given vulnerability
- The magnitude of the impact when a threat-source successfully exploits the vulnerability
- The adequacy of planned or existing security controls for reducing or eliminating risk
To measure risk, a risk scale and a risk-level matrix must be developed.
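As an added example (not part of the original page), the following Python implementation shows how the likelihood and impact ratings described above combine into a risk-level matrix and a ranked list of threat/vulnerability pairs. The numeric scales, the risk-level thresholds and the one-level likelihood reduction for effective controls are assumptions modelled on the example tables in NIST SP 800-30, not values given on this page; the threat/vulnerability pairs are constructed sample input.

```python
"""Risk-level matrix for threat/vulnerability pairs (NIST SP 800-30 style)."""
from dataclasses import dataclass

# Assumed rating scales, modelled on the example tables in NIST SP 800-30.
# The page gives no numeric values, so treat these as an assumption.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class Pair:
    threat: str
    vulnerability: str
    threat_likelihood: str    # motivation and capability of the threat-source
    impact: str               # from system mission, criticality and sensitivity
    controls_effective: bool  # existing or planned controls judged effective


def adjusted_likelihood(pair: Pair) -> str:
    """Effective controls lower the likelihood by one level (assumed rule)."""
    if pair.controls_effective:
        return LEVELS[max(0, LEVELS.index(pair.threat_likelihood) - 1)]
    return pair.threat_likelihood


def risk_score(likelihood: str, impact: str) -> float:
    """Risk scale: likelihood weight multiplied by impact magnitude."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Risk-level matrix: >50 is High, >10 is Medium, otherwise Low."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"


def assess(pairs):
    """Rank pairs by score; each row: threat, vuln, likelihood, impact, score, level."""
    rows = []
    for p in pairs:
        lik = adjusted_likelihood(p)
        score = risk_score(lik, p.impact)
        rows.append((p.threat, p.vulnerability, lik, p.impact, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[4], reverse=True)


SAMPLE = [  # constructed sample input, not real findings
    Pair("external attacker", "unpatched web server", "High", "High", False),
    Pair("disgruntled insider", "excessive database privileges", "Medium", "High", True),
    Pair("power outage", "no UPS on file server", "Medium", "Low", False),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        print(row)
```

The ranked rows feed the control-recommendation step: High-level pairs are addressed first, and a pair whose controls already pull its likelihood down shows how control effectiveness changes the result.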
During this step, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
- Effectiveness of recommended options
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized and implemented.
Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.
A risk assessment report is a management report that will help senior management, the mission owners, make decisions on policy, procedures, budget, and system operational and management changes. We address the threat/vulnerability observations in the risk assessment report.