Professional Documents
Culture Documents
The risk assessment methodology encompasses nine primary steps, which are described
below:
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation
STEP 1: SYSTEM CHARACTERIZATION
In this step, the boundaries of the IT system, resources and the information that constitute the system are
identified.
Identifying risk for an IT system requires a strong understanding of the system’s processing environment. The
person or persons who conduct the risk assessment must therefore first collect system-related information, which
is usually classified as follows:
• Hardware
• Software
• System interfaces (e.g., internal and external connectivity)
• Data and information
• Persons who support and use the IT system
• System and data criticality (e.g., the system’s value or importance to an organization)
• System and data sensitivity.
STEP 1: SYSTEM CHARACTERIZATION
Company firewall allows inbound Unauthorized users (e.g. Using telnet to XYZ server
telnet, and guest ID is enabled on XYZ hackers, terminated and browsing system files
server employees, computer with the guest ID
criminals, terrorists)
Data center uses water sprinklers to Fire, negligent persons Water sprinklers being
suppress fire. turned on in the data center
STEP 3: VULNERABILITY
IDENTIFICATION
Output from Step 3
A list of the system vulnerabilities that could be exercised by the potential threat-sources
STEP 4: CONTROL ANALYSIS
Based on the risk levels presented in the risk assessment report, the
implementation actions are ranked. In allocating resources, top
priority should be given to risk items with unacceptably high risk
rankings. These vulnerability/threat will require immediate
corrective action to protect an organization’s interest and mission.
Output from Step 1 Actions ranking from High to Low
Step 2-Evaluate Recommended Control
Options
The controls recommended in the risk assessment process may not
be the most appropriate and feasible options for a specific
organization and IT system.
During this step, the feasibility and effectiveness (e.g.,
compatibility, user acceptance) of the recommended control
options are analyzed.
The objective is to select the most appropriate control option for
minimizing risk.
Output from Step 2-List of feasible controls
Step 3-Conduct Cost-Benefit Analysis