The purpose of this publication is to provide guidance for conducting risk assessments of federal information systems and organizations. In addition to identifying the steps in the risk assessment process, it provides guidance on identifying the risk factors to watch and the courses of action that should be taken. Risk assessments give senior leaders/executives the information needed to determine appropriate courses of action in response to identified risks. The target audience includes individuals with oversight responsibilities for risk management, organizational missions/business functions, acquiring information technology products, services, or information systems, information system/security design, development, and implementation,
This determines the likelihood of an event occurring and the degree of harm it may cause. Assessment is an ongoing process, not a one-time activity.
- The third item is risk response. This is the course of action to take when a risk materializes, and it is chosen based on the organization's risk tolerance.
- The fourth part is risk monitoring, which determines how effective the risk responses are over time.
RISK ASSESSMENT METHODOLOGY
- Risk assessment process
-- Risk models define the factors to be assessed, such as threat, vulnerability, likelihood, and impact. Each factor needs a clear definition before the assessment begins so that the resulting risk is unambiguous.
-- The assessment approach can be quantitative, qualitative, or semi-qualitative.
-- Quantitative assessment is based on numbers. It supports cost-benefit analysis, but the results may need interpretation for the reader.
-- Qualitative assessment is based on nonnumeric values such as low, moderate, and high. It is easier for communicating results to the persons responsible for making decisions, but it has a much smaller set of possible results.
-- Semi-qualitative assessment uses scales or sets of bins that are easily translated into qualitative terms, thus providing the benefits of both the quantitative and qualitative approaches.
The purpose and scope of risk assessment activities are defined by the context of Tier 2 and the SDLC. The risk management perspective is more tactical here and the process typically moves faster.
RISK ASSESSMENT PROCESS
- Step 1 is preparing for the assessment. In this step, identification is made of the assessment purpose, assessment scope, assessment assumptions and constraints, assessment input sources (e.g. threat source, vulnerability, etc.), and risk model along with the assessment and analysis approaches.
- Step 2 is conducting the assessment. In this step, identification is made of the threat sources, the threat events those sources could produce, and the vulnerabilities exploitable by those sources and events. Step 2 also determines the likelihood of the sources initiating specific events and the likelihood of those events succeeding, the adverse impacts that could result from threat sources exploiting vulnerabilities, and the security risks that result from combining the likelihood of vulnerability exploitation and the impact of
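To make the assessment approaches and the step 2 factors concrete, the following is an added example (written for this page, not code from the publication) of a tiny risk model: likelihood of initiation, likelihood of success, and impact are scored semi-qualitatively on 0-10 scales, combined into a 0-100 score, and then binned into the five qualitative levels that decision makers read. It also shows the quantitative side (annualized loss expectancy for a cost-benefit check) and the hand-off to risk response by filtering scenarios above a stated tolerance. The bin thresholds, the scoring formula (a product of the factors), the level names, and the three sample scenarios are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Semi-qualitative scale: a 0-100 score is translated into one of five
# qualitative levels. Thresholds are constructed for this example (an
# assumption), not a scale taken from any standard.
LEVEL_BINS = [(4, "Very Low"), (20, "Low"), (79, "Moderate"),
              (95, "High"), (100, "Very High")]
LEVEL_ORDER = [label for _, label in LEVEL_BINS]


def to_level(score: int) -> str:
    """Translate a 0-100 semi-qualitative score into its qualitative label."""
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} outside 0-100")
    for upper, label in LEVEL_BINS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: the last bin covers 100")


@dataclass(frozen=True)
class RiskFactors:
    """The risk-model factors assessed for one threat scenario (step 2)."""
    threat_source: str
    threat_event: str
    vulnerability: str
    p_initiation: int  # 0-10: likelihood the source initiates the event
    p_success: int     # 0-10: likelihood the event succeeds via the vulnerability
    impact: int        # 0-10: severity of the adverse impact on the mission


def likelihood_score(f: RiskFactors) -> int:
    """Overall likelihood on 0-100: initiation likelihood times success likelihood."""
    return f.p_initiation * f.p_success


def risk_score(f: RiskFactors) -> int:
    """Risk on 0-100: overall likelihood scaled by impact (0-10)."""
    return likelihood_score(f) * f.impact // 10


def assess(f: RiskFactors) -> dict:
    """Return the semi-qualitative scores together with their qualitative translation."""
    return {
        "scenario": f"{f.threat_source} -> {f.threat_event} via {f.vulnerability}",
        "likelihood": to_level(likelihood_score(f)),
        "impact": to_level(f.impact * 10),
        "risk_score": risk_score(f),
        "risk": to_level(risk_score(f)),
    }


def needs_response(results: list, tolerance: str) -> list:
    """Step 3 input: scenarios whose risk level exceeds the organization's tolerance."""
    ceiling = LEVEL_ORDER.index(tolerance)
    return [r for r in results if LEVEL_ORDER.index(r["risk"]) > ceiling]


# Quantitative view, which is what cost-benefit analysis needs.
def annualized_loss_expectancy(single_loss_usd: float, events_per_year: float) -> float:
    """ALE = single-loss expectancy times annual rate of occurrence."""
    return single_loss_usd * events_per_year


def control_is_cost_effective(ale_before: float, ale_after: float,
                              annual_control_cost: float) -> bool:
    """A control pays for itself when the ALE it removes exceeds what it costs."""
    return (ale_before - ale_after) > annual_control_cost


# Constructed sample scenarios (assumptions, not data from any real assessment).
SCENARIOS = [
    RiskFactors("external attacker", "phishing leading to credential theft",
                "no MFA on remote access", 8, 5, 10),
    RiskFactors("insider", "accidental data deletion",
                "unverified backups", 2, 2, 5),
    RiskFactors("external attacker", "remote exploitation of a web server",
                "unpatched internet-facing service", 10, 9, 10),
]

if __name__ == "__main__":
    results = [assess(s) for s in SCENARIOS]
    for r in sorted(results, key=lambda r: r["risk_score"], reverse=True):
        print(f'{r["risk"]:>9} ({r["risk_score"]:3d})  {r["scenario"]}')
    print("Above tolerance 'Low':",
          [r["scenario"] for r in needs_response(results, "Low")])
    ale_before = annualized_loss_expectancy(250_000, 0.4)
    ale_after = annualized_loss_expectancy(250_000, 0.05)
    print("Control cost-effective:",
          control_is_cost_effective(ale_before, ale_after, 30_000))
```

The qualitative labels are what reach the decision maker, while the underlying 0-100 scores keep enough resolution to rank scenarios and to justify the ordering when asked; that is the "benefits of both" the text attributes to the semi-qualitative approach. Widen or narrow the bins to match the organization's own definitions before using a scale like this.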