Risk Assessment

Risk assessment comprises the following steps:

  1. System characterization
  2. Threat identification
  3. Vulnerability identification
  4. Control analysis
  5. Likelihood determination
  6. Impact analysis
  7. Risk determination
  8. Control recommendation
  9. Results documentation

System Characterization

This step characterizes and defines the scope of the risk assessment process. During this step, the following information about the system must be gathered:

  1. Software
  2. Hardware
  3. Data
  4. System interfaces
  5. IT system support personnel
  6. IT system users
  7. System mission
  8. Criticality of the system and data
  9. System and data sensitivity
  10. Functional system requirements
  11. System security policies
  12. System security architecture
  13. Network topology
  14. Information storage protection
  15. System information flow
  16. Technical security controls
  17. Physical security environment
  18. Environmental security

On-site interviews, review of documents, and automated scanning tools are used to obtain the required information. The output from this step is as follows:

  1. Characterization of the assessed IT system
  2. Comprehension of the IT system environment
  3. Delineation of the system boundary

Threat Identification

This step identifies potential threat-sources and compiles a statement of the threat-sources that relate to the IT system under evaluation. Sources of threat information include the Federal Computer Incident Response Center (FedCIRC, since absorbed into US-CERT), intelligence agencies, mass media, and Web-based resources.

The output from this step is a statement that provides a list of threat-sources that could exploit the system’s vulnerabilities.

Vulnerability Identification

This step results in a list of system vulnerabilities that might be exploited by potential threat-sources. Vulnerabilities can be identified through vulnerability analysis, drawing on information from previous risk assessments, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.

Testing of the IT system is also an important tool in identifying vulnerabilities.

Testing can include the following:

  • Security test and evaluation procedures
  • Penetration-testing techniques
  • Automated vulnerability scanning tools

Control Analysis

This step analyses the controls that are in place, or in the planning stage, to minimize or eliminate the probability that a threat will exploit a vulnerability in the system.

Controls can be implemented through technical means such as computer hardware and software, encryption, intrusion detection mechanisms, and authentication subsystems, as well as through non-technical management and operational measures such as policies and procedures.

Impact Analysis

Three important factors should be considered when estimating the negative impact of a realized threat:

  • The mission of the system, including the processes implemented by the system
  • The criticality of the system, determined by its value and the value of the data to the organization
  • The sensitivity of the system and its data.

The information necessary to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA), or mission impact analysis report, as it is sometimes called.

Risk Determination

This step determines the level of risk to the IT system. A risk level is assigned for each threat/vulnerability pair and is a function of the following:

  • The likelihood that a particular threat-source will exploit an existing IT system vulnerability.
  • The magnitude of the impact if the threat-source successfully exploits the IT system vulnerability.
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk.

General Guidelines for each level of risk

High-risk level

At this level, there is a high level of concern and a strong need for a plan for corrective measures to be developed as soon as possible.

Medium-risk level

For medium risk, there is concern and a need for a plan for corrective measures to be developed within a reasonable period of time.

Low-risk level

For low risk, the system’s DAA (Designated Approving Authority) must decide whether to accept the risk or implement corrective actions.
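The following worked example is added here to illustrate the risk determination described above; it is not code from the original page. It assumes the risk-level matrix of the original NIST SP 800-30 (likelihood High/Medium/Low weighted 1.0/0.5/0.1, impact High/Medium/Low weighted 100/50/10, risk = likelihood × impact, with scores above 50 rated High, above 10 rated Medium, and otherwise Low), and it models the "adequacy of controls" factor as lowering the likelihood by one level per notch of control effectiveness, a simplification chosen for this example. The threat/vulnerability pairs are constructed sample data.

```python
"""Risk determination for threat/vulnerability pairs (NIST SP 800-30 style).

Added example, not code from the page being discussed. Scales follow the
original NIST SP 800-30 risk-level matrix; the control-adequacy adjustment
is a simplification assumed for this example.
"""
from dataclasses import dataclass

LEVELS = ["Low", "Medium", "High"]

# NIST weights likelihood 1.0 / 0.5 / 0.1; stored here in tenths so every
# score is an exact integer (0.1 * 100 is not exactly 10 in floating point).
LIKELIHOOD_TENTHS = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# How many likelihood levels existing or planned controls are assumed to
# remove. Assumption for this example; in practice the analyst judges this.
CONTROL_STEPS = {"none": 0, "partial": 1, "effective": 2}

# The page's general guideline for each risk level.
GUIDANCE = {
    "High": "corrective action plan needed as soon as possible",
    "Medium": "corrective action plan needed within a reasonable period",
    "Low": "DAA decides whether to accept the risk or correct it",
}


@dataclass(frozen=True)
class Pair:
    threat_source: str
    vulnerability: str
    likelihood: str        # raw likelihood, before crediting controls
    impact: str
    control_adequacy: str  # "none", "partial" or "effective"


def effective_likelihood(likelihood: str, control_adequacy: str) -> str:
    """Lower the raw likelihood by one level per notch of control adequacy."""
    idx = LEVELS.index(likelihood) - CONTROL_STEPS[control_adequacy]
    return LEVELS[max(idx, 0)]


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the NIST scale, e.g. High x Medium = 50."""
    return LIKELIHOOD_TENTHS[likelihood] * IMPACT[impact] // 10


def risk_level(score: int) -> str:
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate(pair: Pair) -> dict:
    lik = effective_likelihood(pair.likelihood, pair.control_adequacy)
    score = risk_score(lik, pair.impact)
    level = risk_level(score)
    return {"pair": pair, "effective_likelihood": lik, "score": score,
            "level": level, "guidance": GUIDANCE[level]}


def rank(pairs) -> list:
    """Highest risk first, so the report leads with what needs a plan soonest."""
    return sorted((rate(p) for p in pairs), key=lambda r: r["score"], reverse=True)


# Constructed sample pairs for illustration only.
SAMPLE_PAIRS = [
    Pair("External attacker", "Unpatched internet-facing web server",
         "High", "High", "none"),
    Pair("External attacker", "Unpatched internet-facing web server",
         "High", "High", "partial"),   # same pair once planned controls are credited
    Pair("Insider", "Shared administrator password",
         "Medium", "High", "effective"),
    Pair("Natural event", "Single site, no off-site backup",
         "Low", "High", "none"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_PAIRS):
        p = r["pair"]
        print(f"{r['level']:6} {r['score']:3}  {p.threat_source} / {p.vulnerability}"
              f" (likelihood after controls: {r['effective_likelihood']}) -> {r['guidance']}")
```

Reading the output: the same web-server vulnerability drops from High (100) to Medium (50) once partial controls are credited, which is the adequacy-of-controls factor in the list above, and the natural-event pair stays Low despite a High impact because its likelihood is Low. Crediting planned controls before they are actually deployed is the usual way such an assessment understates risk, so a report should say which controls were counted.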

Control Recommendation

This step specifies the controls to be applied for risk mitigation. To select appropriate controls, the following factors must be considered:

  • Organizational policy
  • Cost-benefit
  • Operational impact
  • Feasibility
  • Applicable legislation and regulation
  • The overall effectiveness of the recommended controls
  • Safety and reliability

Results Documentation

The final step in the risk assessment process is the development of a risk assessment report. This report is directed at management and should contain information to support appropriate decisions on budget, policies, procedures, management and operational issues.

The output of this step is a risk assessment report that describes threats and vulnerabilities, risk measurements, and recommendations for the implementation of controls.
