Information Technology Service Division Risk Assessment For Information Systems Template

This document outlines an 8-step process for conducting an information technology risk assessment. The steps include: 1) characterizing the system, 2) identifying threats, 3) identifying vulnerabilities, 4) analyzing controls, 5) determining likelihood, 6) analyzing impacts, 7) determining risk levels, and 8) recommending controls. Risk is determined by combining likelihood and impact ratings on a matrix. Risk levels of high, medium, and low require corresponding corrective actions to mitigate the risk.

Uploaded by: Victoria Love
License: Attribution Non-Commercial (BY-NC)

Information Technology Service Division Risk Assessment for Information Systems Template

STEP 1: SYSTEM CHARACTERIZATION


Output from Step 1 - Characterization of the IT system being assessed, a good picture of the IT system environment, and delineation of the system boundary

STEP 2: THREAT IDENTIFICATION


Output from Step 2 - A threat statement containing a list of threat-sources that could exploit system vulnerabilities

2.1 Threat Source Identification:

2.2 Motivation and Threat Actions:

STEP 3: VULNERABILITY IDENTIFICATION


Output from Step 3 - A list of the system vulnerabilities that could be exercised by the potential threat-sources

Table 1 - Potential Vulnerabilities Table

Vulnerability          Threat-Source          Threat Action

3.1 Vulnerability Sources:

3.2 System Security Testing:

3.3 Security Requirements Checklist:

STEP 4: CONTROL ANALYSIS


Output from Step 4 - List of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event

4.1 Control Methods:

4.2 Control Categories:

4.3 Control Analysis Technique:

Page 1

3/21/2013

STEP 5: LIKELIHOOD DETERMINATION


Output from Step 5 - Likelihood rating (High, Medium, Low)

Table 2 - Likelihood Definitions

Likelihood Level / Likelihood Definition

High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.

Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.

Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

STEP 6: IMPACT ANALYSIS


Output from Step 6 - Magnitude of impact (High, Medium, or Low)

Table 3 - Magnitude of Impact Definitions

Magnitude of Impact / Impact Definition

High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.

Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.

Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

STEP 7: RISK DETERMINATION


Output from Step 7 - Risk level (High, Medium, Low)

7.1 Risk Level Matrix:

The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, and 0.1 for Low. The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.

Table 4 - Risk-Level Matrix

                        Threat Likelihood
Impact                  High (1.0)               Medium (0.5)              Low (0.1)
Low (10)                Low (10 x 1.0 = 10)      Low (10 x 0.5 = 5)        Low (10 x 0.1 = 1)
Medium (50)             Medium (50 x 1.0 = 50)   Medium (50 x 0.5 = 25)    Low (50 x 0.1 = 5)
High (100)              High (100 x 1.0 = 100)   Medium (100 x 0.5 = 50)   Low (100 x 0.1 = 10)

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)*

* If the level indicated on certain items is so low as to be deemed "negligible" or non-significant (value is 1 on the risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding them for management action. This makes sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a new risk level on reassessment due to a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.

7.2 Description of Risk Level:

Table 5 - Risk Scale and Necessary Actions


Risk Level / Risk Description and Necessary Actions

High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low: If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.
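The Step 7 computation (Table 4) and the Step 7.2 actions (Table 5) are simple enough to mechanise, which is useful when an assessment produces dozens of findings and the negligible-risk footnote has to be applied consistently. The following Python is an added example, not part of the template: it uses the template's own probabilities, impact values and risk scale, regenerates Table 4 from them so the scale boundaries can be checked, and splits a list of findings into those forwarded for management action and the separate "held aside" bucket the footnote describes. The sample findings at the bottom are constructed for illustration; the function and class names are the example's own.

```python
# Added example (not part of the template): Step 7 risk determination and
# the Step 7.2 necessary actions, implemented as plain functions.
from dataclasses import dataclass

# Step 7.1: probability per threat-likelihood level and value per impact level.
LIKELIHOOD_PROBABILITY = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}

# Table 5, condensed: the action each risk level calls for.
NECESSARY_ACTION = {
    "High": "strong need for corrective measures; corrective action plan as soon as possible",
    "Medium": "corrective actions needed; develop a plan within a reasonable period of time",
    "Low": "DAA decides whether corrective actions are required or accepts the risk",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Table 4 cell value: likelihood probability x impact value (1 to 100)."""
    # round() removes binary floating-point noise from products such as 0.1 * 100
    return round(LIKELIHOOD_PROBABILITY[likelihood] * IMPACT_VALUE[impact], 6)


def risk_level(score: float) -> str:
    """Risk scale from Table 4: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def is_negligible(score: float) -> bool:
    """Footnote to Table 4: a value of 1 on the 1-100 scale may be held aside
    in a separate bucket rather than forwarded for management action."""
    return score == 1


def build_matrix() -> dict:
    """Regenerate Table 4 as {impact: {likelihood: (level, score)}} so the
    scale boundaries can be checked against the published matrix."""
    return {
        impact: {
            likelihood: (risk_level(risk_score(likelihood, impact)),
                         risk_score(likelihood, impact))
            for likelihood in LIKELIHOOD_PROBABILITY
        }
        for impact in IMPACT_VALUE
    }


@dataclass(frozen=True)
class Finding:
    """One observation from Steps 2-4 with its Step 5 and Step 6 ratings."""
    name: str
    likelihood: str  # High / Medium / Low, from Table 2
    impact: str      # High / Medium / Low, from Table 3


@dataclass(frozen=True)
class AssessedFinding:
    finding: Finding
    score: float
    level: str
    action: str
    negligible: bool


def assess(finding: Finding) -> AssessedFinding:
    """Step 7 for a single finding: score, level, and the Table 5 action."""
    score = risk_score(finding.likelihood, finding.impact)
    level = risk_level(score)
    return AssessedFinding(finding, score, level, NECESSARY_ACTION[level], is_negligible(score))


def triage(findings: list) -> tuple:
    """Split assessed findings into those forwarded for management action and
    the negligible bucket kept for the next periodic reassessment. Both lists
    together form the complete record of identified risks; nothing is dropped."""
    assessed = [assess(f) for f in findings]
    for_management = [a for a in assessed if not a.negligible]
    held_aside = [a for a in assessed if a.negligible]
    return for_management, held_aside


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    Finding("Internet-facing server missing vendor patches", "High", "High"),
    Finding("Shared administrator password on file server", "Medium", "Medium"),
    Finding("Backup tape labels not standardised", "Low", "Low"),
]

if __name__ == "__main__":
    forward, held = triage(SAMPLE_FINDINGS)
    for a in forward:
        print(f"{a.finding.name}: {a.score:g} -> {a.level} ({a.action})")
    for a in held:
        print(f"[held aside, negligible] {a.finding.name}: {a.score:g}")
```

The boundaries in risk_level are deliberately strict (greater than 50, greater than 10) so that a Medium-likelihood, High-impact finding scores exactly 50 and lands in Medium, matching the published matrix; the held-aside list is returned alongside the forwarded list rather than discarded, which is what the footnote's "complete record" requirement demands.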

STEP 8: CONTROL RECOMMENDATIONS


Output from Step 8 - Recommendation of control(s) and alternative solutions to mitigate risk
