Risk Assessment
Risk assessment comprises the following steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendation
- Results documentation
System Characterization
This step characterizes and defines the scope of the risk assessment process. During this step, the following information about the system must be gathered:

- Software
- Hardware
- Data
- System interfaces
- IT system support personnel
- IT system users
- System mission
- Criticality of the system and data
- System and data sensitivity
- Functional system requirements
- System security policies
- System security architecture
- Network topology
- Information storage protection
- System information flow
- Technical security controls
- Physical security environment
- Environmental security
On-site interviews, review of documents, and automated scanning tools are used to obtain the required information. The output from this step is as follows:
- Characterization of the assessed IT system
- Comprehension of the IT system environment
- Delineation of the system boundary
Threat Identification
This step identifies potential threat-sources and compiles a statement of the threat-sources that relate to the IT systems under evaluation. Sources of threat information include the Federal Computer Incident Response Center (FedCIRC), intelligence agencies, mass media, and Web-based resources.
The output from this step is a statement that provides a list of threat-sources that could exploit the system’s vulnerabilities.
Vulnerability Identification
This step results in a list of system vulnerabilities that might be exploited by potential threat-sources. Vulnerabilities can be identified through vulnerability analysis, drawing on information from previous risk assessments, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.
Testing of the IT system is also an important tool in identifying vulnerabilities.
Testing can include the following:
- Security test and evaluation procedures
- Penetration-testing techniques
- Automated vulnerability scanning tools
Control Analysis
This step analyses the controls that are in place, or in the planning stage, to minimize or eliminate the probability that a threat will exploit a vulnerability in the system.
Controls can be implemented through technical means such as computer hardware and software, encryption, intrusion detection mechanisms, and authentication subsystems.
Impact Analysis
Three important factors should be considered in calculating the negative impact of a realized threat:
- The mission of the system, including the processes implemented by the system
- The criticality of the system, determined by its value and the value of the data to the organization
- The sensitivity of the system and its data.
The information necessary to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA), or mission impact analysis report, as it is sometimes called.
Risk Determination
This step determines the level of risk to the IT system. Risk is assigned per threat/vulnerability pair and is a function of the following characteristics:
- The likelihood that a particular threat-source will exploit an existing IT system vulnerability.
- The magnitude of the resulting impact if the threat-source successfully exploits the IT system vulnerability.
- The adequacy of the existing or planned information system security controls for eliminating or reducing the risk.
General Guidelines for each level of risk
High-risk level
At this level, there is a high level of concern and a strong need for a plan for corrective measures to be developed as soon as possible.
Medium-risk level
For medium risk, there is concern and a need for a plan for corrective measures to be developed within a reasonable period of time.
Low-risk level
For low risk, the system's Designated Approving Authority (DAA) must decide whether to accept the risk or implement corrective actions.
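The risk determination step above gives the inputs (likelihood, impact, control adequacy) but not the scale. The following is an added example, not part of the original page: it applies the likelihood/impact risk-level matrix from NIST SP 800-30 (likelihood High/Medium/Low = 1.0/0.5/0.1, impact High/Medium/Low = 100/50/10, risk High above 50, Medium above 10 up to 50, Low from 1 to 10), which is an assumption of the example rather than something the page states. Control adequacy, the third factor, enters the way SP 800-30 prescribes: the likelihood rating is assigned with the existing or planned controls already taken into account. The sample threat/vulnerability pairs are constructed for illustration.

```python
"""Risk determination for threat/vulnerability pairs.

Added example. The numeric scale is the NIST SP 800-30 risk-level matrix
(assumed here; the page lists the inputs but not the scale). Likelihood
ratings are expected to already reflect the adequacy of existing or
planned controls, as SP 800-30 prescribes.
"""
from dataclasses import dataclass

# Likelihood that the threat-source exploits the vulnerability, with current
# or planned controls taken into account (NIST SP 800-30 scale).
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}

# Magnitude of impact if the exploit succeeds (NIST SP 800-30 scale).
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Action expected at each level, from the general guidelines above.
GUIDELINE = {
    "high": "develop a corrective action plan as soon as possible",
    "medium": "develop a corrective action plan within a reasonable period",
    "low": "DAA decides whether to accept the risk or implement corrections",
}


@dataclass
class ThreatVulnerabilityPair:
    threat_source: str
    vulnerability: str
    likelihood: str  # "high" | "medium" | "low"
    impact: str      # "high" | "medium" | "low"


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood x impact on the NIST scale (1 .. 100).

    Raises ValueError on a rating outside High/Medium/Low so that a typo in
    an assessment worksheet cannot silently become a Low risk.
    """
    try:
        return LIKELIHOOD[likelihood.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_level(score: float) -> str:
    """Map the score to High / Medium / Low: >50 high, >10 to 50 medium, else low."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def assess(pairs):
    """Return report rows for the given pairs, highest risk first."""
    rows = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        level = risk_level(score)
        rows.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "score": score,
            "level": level,
            "action": GUIDELINE[level],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


# Constructed sample pairs (hypothetical, for illustration only).
SAMPLE_PAIRS = [
    ThreatVulnerabilityPair("external attacker", "unpatched remote code execution in web server", "high", "high"),
    ThreatVulnerabilityPair("insider", "shared admin account with no audit logging", "medium", "high"),
    ThreatVulnerabilityPair("external attacker", "verbose error pages leak software versions", "high", "low"),
    ThreatVulnerabilityPair("environmental", "no UPS on development workstation", "low", "low"),
]


def main():
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['level']:6} {row['score']:5.1f}  {row['threat_source']} / "
              f"{row['vulnerability']}: {row['action']}")


if __name__ == "__main__":
    main()
```

The sorted rows are the skeleton of the results-documentation table: each carries the threat-source, the vulnerability, the risk measurement, and the guideline action that a control recommendation must answer.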
Control Recommendation
This step specifies the controls to be applied for risk mitigation. To specify appropriate controls, the following issues must be considered:
- Organizational policy
- Cost-benefit
- Operational impact
- Feasibility
- Applicable legislation and regulation
- The overall effectiveness of the recommended controls
- Safety and reliability
Results Documentation
The final step in the risk assessment process is the development of a risk assessment report. This report is directed at management and should contain the information needed to support decisions on budget, policies, procedures, and management and operational issues.
The output of this step is a risk assessment report that describes threats and vulnerabilities, risk measurements, and recommendations for the implementation of controls.