Risk Assessment

Risk assessment comprises the following steps:

  1. System characterization
  2. Threat identification
  3. Vulnerability identification
  4. Control analysis
  5. Likelihood determination
  6. Impact analysis
  7. Risk determination
  8. Control recommendation
  9. Results documentation

System Characterization

This step characterizes and defines the scope of the risk assessment process. During this step, the following information about the system must be gathered:

  1. Software
  2. Hardware
  3. Data
  4. System interfaces
  5. IT system support personnel
  6. IT system users
  7. System mission
  8. Criticality of the system and data
  9. System and data sensitivity
  10. Functional system requirements
  11. System security policies
  12. System security architecture
  13. Network topology
  14. Information storage protection
  15. System information flow
  16. Technical security controls
  17. Physical security environment
  18. Environment security

On-site interviews, review of documents, and automated scanning tools are used to obtain the required information. The output from this step is as follows:

  1. Characterization of the assessed IT system
  2. Comprehension of the IT system environment
  3. Delineation of the system boundary

Threat Identification

This step identifies potential threat-sources and compiles a statement of the threat-sources that relate to the IT systems under evaluation. Sources of threat information include the Federal Computer Incident Response Centre (FedCIRC), intelligence agencies, mass media, and Web-based resources.

The output from this step is a statement that provides a list of threat-sources that could exploit the system’s vulnerabilities.

Vulnerability Identification

This step results in a list of system vulnerabilities that might be exploited by potential threat-sources. Vulnerabilities can be identified through vulnerability analysis, drawing on information from previous risk assessments, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.

Testing of the IT system is also an important tool in identifying vulnerabilities.

Testing can include the following:

  • Security test and evaluation procedures
  • Penetration-testing techniques
  • Automated vulnerability scanning tools

Control Analysis

This step analyses the controls that are in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability in the system.

Controls can be implemented through technical means such as computer hardware and software, encryption, intrusion detection mechanisms, and authentication subsystems.

Impact Analysis

Three important factors should be considered in calculating the negative impact of a realized threat:

  • The mission of the system, including the processes implemented by the system
  • The criticality of the system, determined by its value and the value of the data to the organization
  • The sensitivity of the system and its data.

The information necessary to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA), or mission impact analysis report, as it is sometimes called.

Risk determination

This step determines the level of risk to the IT system. Risk is assigned for each threat/vulnerability pair and is a function of the following characteristics:

  • The likelihood that a particular threat-source will exploit an existing IT system vulnerability.
  • The magnitude of the resulting impact of a threat-source successfully exploiting the IT system vulnerability.
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk.

General Guidelines for each level of risk

High-risk level

At this level, there is a high level of concern and a strong need for a plan for corrective measures to be developed as soon as possible.

Medium-risk level

For medium risk, there is concern and a need for a plan for corrective measures to be developed within a reasonable period of time.

Low-risk level

For low risk, the system’s DAA (Designated Approving Authority) must decide whether to accept the risk or implement corrective actions.
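The risk determination step and the High/Medium/Low guideline actions above, as an added worked example that is not part of the original article: it uses the risk-level matrix from NIST SP 800-30 (likelihood ratings 1.0/0.5/0.1, impact ratings 100/50/10, with a risk score above 50 rated High, above 10 Medium, and 10 or below Low), which this page does not reproduce, and it treats adequate existing or planned controls as lowering the likelihood rating by one step, an assumption made here for illustration. The threat/vulnerability pairs are constructed sample input.

```python
"""Risk determination for threat/vulnerability pairs (added example).

Scale: NIST SP 800-30 risk-level matrix (assumed, not stated on the page).
The one-step likelihood reduction for adequate controls is an assumption.
"""
from dataclasses import dataclass

# Likelihood and impact ratings from the NIST SP 800-30 matrix.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
RATING_ORDER = ["low", "medium", "high"]

# Guideline action for each resulting risk level, as given in the article.
ACTION = {
    "high": "develop a plan for corrective measures as soon as possible",
    "medium": "develop a plan for corrective measures within a reasonable period",
    "low": "DAA decides whether to accept the risk or implement corrective actions",
}


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    threat_source: str
    vulnerability: str
    likelihood: str        # rating before considering controls: low/medium/high
    impact: str            # magnitude of the resulting impact: low/medium/high
    controls_adequate: bool  # output of the control analysis step


def effective_likelihood(rating: str, controls_adequate: bool) -> str:
    """Lower the likelihood rating by one step when controls are adequate (assumption)."""
    if rating not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {rating!r}")
    idx = RATING_ORDER.index(rating)
    if controls_adequate and idx > 0:
        idx -= 1
    return RATING_ORDER[idx]


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score = likelihood rating x impact rating (NIST SP 800-30 matrix)."""
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the High/Medium/Low levels used by the guidelines."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def determine_risk(pair: ThreatVulnerabilityPair) -> dict:
    """Produce one risk-determination record for a threat/vulnerability pair."""
    likelihood = effective_likelihood(pair.likelihood, pair.controls_adequate)
    score = risk_score(likelihood, pair.impact)
    level = risk_level(score)
    return {
        "threat_source": pair.threat_source,
        "vulnerability": pair.vulnerability,
        "effective_likelihood": likelihood,
        "impact": pair.impact,
        "score": score,
        "level": level,
        "action": ACTION[level],
    }


def rank_risks(pairs) -> list:
    """Assess every pair and order the records from highest to lowest risk score."""
    return sorted((determine_risk(p) for p in pairs), key=lambda r: r["score"], reverse=True)


# Constructed sample pairs (not from any real assessment).
SAMPLE_PAIRS = [
    ThreatVulnerabilityPair("external attacker", "unpatched web server", "high", "high", False),
    ThreatVulnerabilityPair("external attacker", "unpatched web server", "high", "high", True),
    ThreatVulnerabilityPair("careless user", "weak password policy", "medium", "medium", False),
    ThreatVulnerabilityPair("flood", "server room at ground level", "low", "high", False),
]

if __name__ == "__main__":
    for record in rank_risks(SAMPLE_PAIRS):
        print(f"{record['level']:6} {record['score']:6.1f}  "
              f"{record['threat_source']} -> {record['vulnerability']}: {record['action']}")
```

Running the block ranks the constructed pairs: the unmitigated unpatched server scores 100 (High), the same pair with adequate controls drops to a Medium likelihood and a score of 50 (Medium), and the low-likelihood flood scores 10 (Low) despite its high impact, which is exactly the point of weighing likelihood and impact together rather than impact alone.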

Control Recommendation

This step specifies the controls to be applied for risk mitigation. To specify appropriate controls, the following issues must be considered:

  • Organizational policy
  • Cost-Benefit
  • Operational impact
  • Feasibility
  • Applicable Legislative Regulation
  • The overall effectiveness of the recommended controls
  • Safety, reliability

Results Documentation

The final step in the risk assessment process is the development of a risk assessment report. This report is directed at management and should contain information to support appropriate decisions on budget, policies, procedures, management and operational issues.

The output of this step is a risk assessment report that describes threats and vulnerabilities, risk measurements, and recommendations for the implementation of controls.
