
INFORMATION SECURITY

RISK ASSESSMENT

INTRODUCTION
Information security risk assessment is an ongoing process of discovering, correcting and preventing security problems.
The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems.
Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy.
The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system.

RISK ASSESSMENT REPORT


A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management.
The Report will include:

A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report;
Documentation of the system's policies and procedures, and details of its operation;
List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
List of safeguards for controlling these threats and vulnerabilities;
List of recommended changes, with approximate levels of effort for each;
For each recommended change, the resulting reduction in risk.

RISK ASSESSMENT PROCESS


It is presented in three phases:

System Documentation Phase
Risk Determination Phase
Safeguard Determination Phase

System Documentation Phase

Document system identification;
Document system purpose and description;
Document the system security level.

The team must make a decision about where to draw the boundaries of the system to be assessed.

Risk Determination Phase

Identify threats;
Identify vulnerabilities;
Describe risks;
Identify existing controls;
Determine likelihood of occurrence;
Determine severity of impact;
Determine risk level.

The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.

Safeguard Determination Phase

Recommend controls and safeguards;
Determine residual (remaining) likelihood of occurrence if controls and safeguards are implemented;
Determine residual severity of impact if candidate controls and safeguards are implemented;
Determine residual risk levels.
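The three phases above, carried through as a small risk register: threat / vulnerability pairs get a likelihood and a severity of impact, these combine into a risk level, and candidate safeguards are then applied to obtain the residual likelihood, impact and risk level, which gives the "resulting reduction in risk" the Report lists for each recommended change. This is an added example, not part of the original slides; the three-step low/medium/high scales, the 3x3 combination matrix and the sample register entries are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
# Assumed ordinal scales: the slides name the steps, not the scale values.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class Safeguard:
    name: str
    effort: str                # approximate level of effort if implemented
    likelihood_delta: int = 0  # steps by which likelihood of occurrence drops
    impact_delta: int = 0      # steps by which severity of impact drops

@dataclass
class Risk:                    # one threat / vulnerability pair from the register
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    safeguards: List[Safeguard] = field(default_factory=list)

def risk_level(likelihood: str, impact: str) -> str:
    """Assumed 3x3 matrix: product of the ordinal values, mapped back to a level."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def residual(risk: Risk) -> Tuple[str, str]:
    """Likelihood and impact that remain if every candidate safeguard is implemented."""
    lik, imp = LEVELS[risk.likelihood], LEVELS[risk.impact]
    for s in risk.safeguards:
        lik, imp = max(1, lik - s.likelihood_delta), max(1, imp - s.impact_delta)
    return NAMES[lik], NAMES[imp]

def reduction(risk: Risk) -> Tuple[str, str]:
    """(current risk level, residual risk level): the risk reduction the report lists."""
    return risk_level(risk.likelihood, risk.impact), risk_level(*residual(risk))

# Constructed sample register for a hypothetical system, not from the slides.
REGISTER = [
    Risk("Unauthorised access to records", "Shared administrator password", "high", "high",
         [Safeguard("Individual admin accounts with MFA", "medium", likelihood_delta=2)]),
    Risk("Loss of records after disk failure", "No tested backups", "medium", "high",
         [Safeguard("Nightly backups with restore test", "low", impact_delta=2)]),
    Risk("Service outage from power loss", "Single power feed", "low", "medium"),
]

def report(register: List[Risk]) -> List[Tuple[str, str, str, List[str]]]:
    """Rows (threat, current, residual, safeguards), highest current risk first."""
    rows = [(r.threat, *reduction(r), [s.name for s in r.safeguards]) for r in register]
    return sorted(rows, key=lambda row: LEVELS[row[1]], reverse=True)
```

Whether the register counts only implemented controls or also budgeted ones is the team decision the Risk Determination Phase calls out; here that choice is simply which safeguards are listed on each entry.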

Security Risk Analysis & Management

DEFINITIONS

Risk Analysis involves the identification and assessment of the levels of risk, calculated from the:

Values of assets
Threats to the assets
Their vulnerabilities and likelihood of exploitation

Risk Analysis and Management Framework

Threat: harm that can happen to an asset
Attacker: the agent causing an attack (not necessarily human)
Vulnerability: a weakness in the system that makes an attack more likely to succeed
Risk: a quantified measure of the likelihood of a threat being realized

GOALS OF RISK ANALYSIS

All assets have been identified
All threats have been identified
Their impact on assets has been valued
All vulnerabilities have been identified and assessed
