STEP 1: SYSTEM CHARACTERIZATION

Output from Step 1 - Characterization of the IT system being assessed, a good picture of the IT system environment, and delineation of the system boundary.

STEP 2: THREAT IDENTIFICATION

Output from Step 2 - Threat statement containing a list of threat-sources that could exploit system vulnerabilities.

2.1 Threat Source Identification:
2.2 Motivation and Threat Actions:

STEP 3: VULNERABILITY IDENTIFICATION

Output from Step 3 - List of the system vulnerabilities that could be exercised by the potential threat-sources.

Table 1 - Potential Vulnerabilities Table

Vulnerability | Threat-Source | Threat Action

3.1 Vulnerability Sources:
3.2 System Security Testing:
3.3 Security Requirements Checklist:

STEP 4: CONTROL ANALYSIS

Output from Step 4 - List of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event.

4.1 Control Methods:
4.2 Control Categories:
4.3 Control Analysis Technique:

Page 1 6/8/2014

STEP 5: LIKELIHOOD DETERMINATION

Output from Step 5 - Likelihood rating (High, Medium, Low).

Table 2 - Likelihood Definitions

Likelihood Level | Likelihood Definition
High | The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium | The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low | The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

STEP 6: IMPACT ANALYSIS

Output from Step 6 - Magnitude of impact (High, Medium, or Low).

Table 3 - Magnitude of Impact Definitions

Magnitude of Impact | Impact Definition
High | Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium | Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization's mission, reputation, or interest; or (3) may result in human injury.
Low | Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization's mission, reputation, or interest.

STEP 7: RISK DETERMINATION

Output from Step 7 - Risk level (High, Medium, Low).

7.1 Risk Level Matrix: The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, 0.1 for Low. The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.

Table 4 - Risk-Level Matrix

Threat Likelihood | Impact: Low (10)        | Impact: Medium (50)       | Impact: High (100)
High (1.0)        | Low    10 x 1.0 = 10    | Medium  50 x 1.0 = 50     | High    100 x 1.0 = 100
Medium (0.5)      | Low    10 x 0.5 = 5     | Medium  50 x 0.5 = 25     | Medium  100 x 0.5 = 50
Low (0.1)         | Low    10 x 0.1 = 1     | Low     50 x 0.1 = 5      | Low     100 x 0.1 = 10

Risk Scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10).

***If the level indicated on certain items is so low as to be deemed "negligible" or non-significant (value is 1 on the risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding them for management action. This will make sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a new risk level on a reassessment due to a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.***

7.2 Description of Risk Level:

Table 5 - Risk Scale and Necessary Actions

Risk Level | Risk Description and Necessary Actions
High | If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium | If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low | If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.

STEP 8: CONTROL RECOMMENDATIONS

Output from Step 8 - Recommendation of control(s) and alternative solutions to mitigate risk.
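The Step 7 risk determination worked through in code, as an added example that is not part of the original worksheet: it rebuilds Table 4 from the likelihood probabilities and impact values, applies the 1-to-100 risk scale with its boundary cases (exactly 50 is Medium, exactly 10 is Low), maps each level to its Table 5 action, and holds value-1 findings aside in the negligible bucket. The Finding record and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Probabilities and values from Section 7.1 of the worksheet.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# Table 5, condensed to the action each level requires.
ACTIONS = {
    "High": "corrective action plan as soon as possible",
    "Medium": "corrective action plan within a reasonable period",
    "Low": "DAA decides: corrective action or accept the risk",
}


def risk_value(likelihood: str, impact: str) -> float:
    """Impact value x likelihood probability, as in Table 4."""
    return round(IMPACT[impact] * LIKELIHOOD[likelihood], 1)


def risk_level(value: float) -> str:
    """Risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if not 1 <= value <= 100:
        raise ValueError(f"risk value {value} is outside the 1-100 scale")
    if value > 50:
        return "High"
    if value > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """Every (likelihood, impact) cell of Table 4 as (value, level)."""
    return {(lk, im): (risk_value(lk, im), risk_level(risk_value(lk, im)))
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class Finding:  # constructed record shape, not from the worksheet
    vulnerability: str
    threat_source: str
    likelihood: str
    impact: str


def assess(findings: list) -> tuple:
    """Split findings into (for_management, negligible_bucket) per Section 7.1."""
    for_management, negligible = [], []
    for f in findings:
        value = risk_value(f.likelihood, f.impact)
        level = risk_level(value)
        record = (f.vulnerability, value, level, ACTIONS[level])
        # Value 1 (Low likelihood x Low impact) is the "negligible" case that
        # is recorded but held aside rather than forwarded for action.
        (negligible if value == 1 else for_management).append(record)
    return for_management, negligible
```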