Week 25: Completing the risk assessment -- steps nine and 10


Risk assessment is the process of analyzing threats to, and vulnerabilities of, an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line.

Using the

    Requires Free Membership to View

Information Security Protection Matrix and the risk assessment process referenced in the Week 20 column, break down the 10-step process, focusing this week on steps nine (estimate expected loss) and 10 (publish the report).

To compute expected loss, use the formula of threat plus vulnerability and likelihood versus consequence. To have risk, there must be a weakness and the potential to be harmed. For example, without password protection (vulnerability) and the existence of hackers (potential to cause harm), there is risk that data can be stolen.

The likelihood of an attack can be determined by looking at history (Does a person or group have a pattern of attempting to or successfully exploiting a specific vulnerability?), capability (Does a person or group have the capability and desire to pose the threat?) and intention/motivation (Does a person or group have the intention/motivation to exploit a vulnerability?).

Once the threat levels have been determined, quantify the vulnerability by asking if it's one or one of many; if it's difficult/costly to exploit; and whether the asset is being protected by security countermeasures. Also consider the likelihood of an attack and its probable consequences. Countermeasures can then be applied to those areas to reduce risk to an acceptable level. Note that even when safeguards are applied, there probably is going to be some residual risk.

Upon completing the assessment, leave a draft report with recommendations onsite and discuss items needing further research.

The report should include: a one- to two-page executive summary; a description of the organization and its operating environment; a short company profile; threats as defined by the organization; system descriptions; assumptions going into the survey; workflow diagrams; and a list of participants, including titles and phone numbers. Each vulnerability, including details about the flaw, the threat and risk, and any recommendations, should be discussed on its own page in the report.

Research any other information necessary for the final report, which should be completed and filed within two weeks. The draft and final reports are proprietary -- classify and mark them accordingly.

Those with government-specific considerations should maintain a copy of the risk assessment for record purposes and protected as appropriate. Specific findings will be classified as For Official Use Only (FOUO) or higher if warranted by the sensitivity of the asset or degree of vulnerability. Risk assessment or analysis contents may be released only as specifically authorized by the DAA, ISSM or cognizant ISSM/NSM.

More information
NIST offers the Security Self-Assessment Guide, NIST SP 800-26, located on its Web site. It uses questionnaires with specific control objectives and techniques to test an unclassified system or group of interconnected systems.

About the author
Shelly Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:securityplanner@infosecuritymag.com.

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Identify current countermeasures and estimate likelihood of exploitation
Next week: Contingency planning

This was first published in June 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.