Risk assessment comprises the following steps:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendation
- Results documentation
System characterization
This step characterizes the system and defines the scope of the risk assessment. During this step, the following information about the system must be gathered:
- System interfaces
- IT system support personnel
- IT system users
- System mission
- Criticality of the system and data
- System and data sensitivity
- Functional system requirements
- System security policies
- System security architecture
- Network topology
- Information storage protection
- System information flow
- Technical security controls
- Physical security environment
- Environment security
On-site interviews, review of documents, and automated scanning tools are used to obtain the required information. The output from this step is as follows:
- Characterization of the assessed IT system
- Comprehension of the IT system environment
- Delineation of the system boundary
Threat identification
This step identifies potential threat-sources and compiles a statement of the threat-sources that relate to the IT systems under evaluation. Sources of threat information include the Federal Computer Incident Response Centre (FedCIRC), intelligence agencies, mass media, and Web-based resources.
The output from this step is a statement that provides a list of threat-sources that could exploit the system’s vulnerabilities.
Vulnerability identification
This step results in a list of system vulnerabilities that might be exploited by potential threat-sources. Vulnerabilities can be identified through vulnerability analysis, drawing on information from previous risk assessments, audit reports, vendor data, commercial computer incident response teams, and system software security analysis.
Testing of the IT system is also an important tool in identifying vulnerabilities.
Testing can include the following:
- Security test and evaluation procedures
- Penetration-testing techniques
- Automated vulnerability scanning tools
Control analysis
This step analyses the controls that are in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability in the system.
Controls can be implemented through technical means such as computer hardware and software, encryption, intrusion detection mechanisms, and authentication subsystems.
Impact analysis
Three important factors should be considered in calculating the negative impact of a realized threat:
- The mission of the system, including the processes implemented by the system
- The criticality of the system, determined by its value and the value of the data to the organization
- The sensitivity of the system and its data.
The information necessary to conduct an impact analysis can be obtained from existing organizational documentation, including a business impact analysis (BIA), or mission impact analysis report, as it is sometimes called.
Risk determination
This step determines the level of risk to the IT system. Risk is assigned for each threat/vulnerability pair and is a function of the following characteristics:
- The likelihood that a particular threat-source will exploit an existing IT system vulnerability.
- The magnitude of the resulting impact of a threat-source successfully exploiting the IT system vulnerability.
- The adequacy of the existing or planned information system security controls for eliminating or reducing the risk.
General guidelines for each level of risk:
- For high risk, there is a high level of concern and a strong need for a plan for corrective measures to be developed as soon as possible.
- For medium risk, there is concern and a need for a plan for corrective measures to be developed within a reasonable period of time.
- For low risk, the system's DAA (Designated Approving Authority) must decide whether to accept the risk or implement corrective actions.
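The following is an added worked example, not part of the original page, of how the risk determination step turns likelihood, impact and control adequacy into a High/Medium/Low rating for each threat/vulnerability pair. The numeric scale (likelihood 1.0/0.5/0.1, impact 100/50/10, and the thresholds >50 High, >10 Medium, otherwise Low) is the risk-level matrix from NIST SP 800-30, which the page describes but does not reproduce; the rule that adequate existing controls lower the effective likelihood by one step, the ThreatVulnPair structure and the sample pairs are assumptions of this example.

```python
"""Risk determination for threat/vulnerability pairs (added example).

Scale assumed from NIST SP 800-30: likelihood high/medium/low = 1.0/0.5/0.1,
impact high/medium/low = 100/50/10, risk = likelihood * impact, rated
High (>50), Medium (>10 and <=50) or Low (<=10).
"""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Assumption of this example: adequate existing or planned controls move the
# effective likelihood down one step (the page only says control adequacy
# is a factor, not how to weigh it).
STEP_DOWN = {"high": "medium", "medium": "low", "low": "low"}

# Recommended action per level, as the page states it.
ACTION = {
    "High": "Plan corrective measures as soon as possible",
    "Medium": "Plan corrective measures within a reasonable period",
    "Low": "DAA decides: accept the risk or implement corrective actions",
}


@dataclass(frozen=True)
class ThreatVulnPair:
    threat_source: str
    vulnerability: str
    likelihood: str          # "high" | "medium" | "low"
    impact: str              # "high" | "medium" | "low"
    controls_adequate: bool  # outcome of the control analysis step


def effective_likelihood(pair: ThreatVulnPair) -> str:
    """Likelihood after crediting adequate controls (assumed rule)."""
    level = pair.likelihood.lower()
    if level not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {pair.likelihood!r}")
    return STEP_DOWN[level] if pair.controls_adequate else level


def risk_score(pair: ThreatVulnPair) -> float:
    """Numeric risk = likelihood value * impact value."""
    impact = pair.impact.lower()
    if impact not in IMPACT:
        raise ValueError(f"unknown impact level: {pair.impact!r}")
    return LIKELIHOOD[effective_likelihood(pair)] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score to the High/Medium/Low scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs) -> list:
    """Rate every pair and return rows sorted highest risk first."""
    rows = []
    for p in pairs:
        score = risk_score(p)
        level = risk_level(score)
        rows.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "score": score,
            "level": level,
            "action": ACTION[level],
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample pairs for illustration only.
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Unpatched internet-facing service",
                   "high", "high", controls_adequate=False),
    ThreatVulnPair("Disgruntled insider", "Excessive database privileges",
                   "medium", "high", controls_adequate=True),
    ThreatVulnPair("Malware", "Missing endpoint protection on workstations",
                   "high", "medium", controls_adequate=True),
    ThreatVulnPair("Power failure", "No UPS for test lab equipment",
                   "low", "low", controls_adequate=False),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f"{row['level']:6} {row['score']:6.1f}  "
              f"{row['threat_source']} / {row['vulnerability']} -> {row['action']}")
```

Note the second sample pair: adequate controls pull a medium-likelihood, high-impact pair down to a score of exactly 10, which the thresholds rate Low, not Medium. Boundary cases like this are why the assessment report should record the score and the control assumption alongside the level, so the DAA can see what the rating rests on.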
Control recommendation
This step specifies the controls to be applied for risk mitigation. To specify appropriate controls, the following issues must be considered:
- Organizational policy
- Operational impact
- Applicable legislation and regulation
- The overall effectiveness of the recommended controls
- Safety and reliability
Results documentation
The final step in the risk assessment process is the development of a risk assessment report. This report is directed at management and should contain the information needed to support appropriate decisions on budget, policies, procedures, and management and operational issues.
The output of this step is a risk assessment report that describes threats and vulnerabilities, risk measurements, and recommendations for the implementation of controls.