
Information Technology Service Division

Risk Assessment for Information Systems Template


STEP 1: SYSTEM CHARACTERIZATION
Output from Step 1 - Characterization of the IT system being assessed, a good picture of
the IT system environment, and delineation of the system boundary

STEP 2: THREAT IDENTIFICATION
Output from Step 2 - Threat statement containing a list of threat-sources that could
exploit system vulnerabilities
2.1 Threat Source Identification:
2.2 Motivation and Threat Actions:

STEP 3: VULNERABILITY IDENTIFICATION
Output from Step 3 - List of the system vulnerabilities that could be exercised by the
potential threat-sources
Table 1 - Potential Vulnerabilities Table
Vulnerability | Threat-Source | Threat Action
3.1 Vulnerability Sources:
3.2 System Security Testing:
3.3 Security Requirements Checklist:

STEP 4: CONTROL ANALYSIS
Output from Step 4 - List of current or planned controls used for the IT system to mitigate
the likelihood of a vulnerability being exercised and reduce the impact of such an adverse
event
4.1 Control Methods:
4.2 Control Categories:
4.3 Control Analysis Technique:
Page 1 6/8/2014
STEP 5: LIKELIHOOD DETERMINATION
Output from Step 5 - Likelihood rating (High, Medium, Low)
Table 2 - Likelihood Definitions
Likelihood Level | Likelihood Definition
High   | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low    | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

STEP 6: IMPACT ANALYSIS
Output from Step 6 - Magnitude of impact (High, Medium, or Low)
Table 3 - Magnitude of Impact Definitions
Magnitude of Impact | Impact Definition
High   | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low    | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

STEP 7: RISK DETERMINATION
Output from Step 7 - Risk level (High, Medium, Low)
7.1 Risk Level Matrix:
The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, 0.1 for
Low.
The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.
Table 4 - Risk-Level Matrix
Threat Likelihood | Impact: Low (10)   | Impact: Medium (50)   | Impact: High (100)
High (1.0)        | Low: 10 x 1.0 = 10 | Medium: 50 x 1.0 = 50 | High: 100 x 1.0 = 100
Medium (0.5)      | Low: 10 x 0.5 = 5  | Medium: 50 x 0.5 = 25 | Medium: 100 x 0.5 = 50
Low (0.1)         | Low: 10 x 0.1 = 1  | Low: 50 x 0.1 = 5     | Low: 100 x 0.1 = 10
Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)
***If the level indicated on certain items is so low as to be deemed to be "negligible" or non-significant (value is 1 on the risk
scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding for management action.
This will make sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a
complete record of all risks identified in the analysis. These risks may move to a new risk level on a reassessment due to
a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.***
7.2 Description of Risk Level:
Table 5 - Risk Scale and Necessary Actions
Risk Level | Risk Description and Necessary Actions
High   | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low    | If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.

STEP 8: CONTROL RECOMMENDATIONS
Output from Step 8 - Recommendation of control(s) and alternative solutions to mitigate
risk
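The following Python script is an added worked example, not part of the template: it encodes the 7.1 matrix arithmetic (likelihood probability times impact value, mapped onto the High/Medium/Low scale), attaches the 7.2 necessary action to each result, and applies the note under Table 4 by holding findings that score 1 in a separate bucket instead of forwarding them for management action. The finding identifiers and descriptions in SAMPLE_FINDINGS are constructed, and the action strings are shortened paraphrases of Table 5.

```python
from dataclasses import dataclass

# Values assigned in Step 7.1 of the template.
LIKELIHOOD_PROBABILITY = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}

# Shortened paraphrase of Table 5 (Risk Scale and Necessary Actions).
NECESSARY_ACTION = {
    "High": "Corrective action plan must be put in place as soon as possible.",
    "Medium": "Corrective actions needed; plan them within a reasonable period of time.",
    "Low": "DAA decides whether corrective action is required or accepts the risk.",
}


@dataclass
class Finding:
    """One vulnerability/threat pair from Table 1 with its Step 5 and Step 6 ratings."""
    ident: str
    likelihood: str  # "High", "Medium" or "Low"
    impact: str      # "High", "Medium" or "Low"


def risk_score(likelihood: str, impact: str) -> float:
    """Table 4 cell: impact value multiplied by likelihood probability (1 to 100)."""
    return round(IMPACT_VALUE[impact] * LIKELIHOOD_PROBABILITY[likelihood], 6)


def risk_level(score: float) -> str:
    """Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def is_negligible(score: float) -> bool:
    """Note under Table 4: a value of 1 on the 1-to-100 scale may be held aside."""
    return score <= 1


def risk_matrix() -> dict:
    """Rebuild Table 4 as matrix[likelihood][impact] = (score, level)."""
    return {
        lik: {imp: (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
              for imp in IMPACT_VALUE}
        for lik in LIKELIHOOD_PROBABILITY
    }


def triage(findings):
    """Split findings into those forwarded for management action (highest score
    first) and the negligible bucket kept on record for the next reassessment."""
    forward, negligible = [], []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        row = (f.ident, score, level, NECESSARY_ACTION[level])
        (negligible if is_negligible(score) else forward).append(row)
    forward.sort(key=lambda r: r[1], reverse=True)
    return forward, negligible


# Constructed sample findings (hypothetical identifiers, not from the template).
SAMPLE_FINDINGS = [
    Finding("V-01 missing security patches on server", "High", "High"),
    Finding("V-02 weak password policy", "Medium", "Medium"),
    Finding("V-03 no visitor log for server room", "Low", "High"),
    Finding("V-04 outdated login banner text", "Low", "Low"),
]

if __name__ == "__main__":
    for lik, cells in risk_matrix().items():
        print(f"Likelihood {lik}: {cells}")
    forward, held = triage(SAMPLE_FINDINGS)
    print("Forward for management action:")
    for ident, score, level, action in forward:
        print(f"  {ident}: {score:g} ({level}) - {action}")
    print("Held aside as negligible:")
    for ident, score, level, _ in held:
        print(f"  {ident}: {score:g} ({level})")
```

The boundaries in risk_level follow the scale literally, so a score of exactly 50 is Medium and exactly 10 is Low; the negligible check is applied after scoring so the item still carries its level and score in the record.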