Information System Security Risk Assessment Guidelines

Risk assessment is the first process in risk management. It is used to determine the extent of the potential threats to an organization's information systems and the risk associated with them. The output of this process helps to identify appropriate controls for reducing or eliminating that risk.

The risk assessment process consists of a number of steps. The method described in the following sections can be applied to a single system or multiple interrelated systems.  The first step is to identify the purpose and scope of the risk assessment to be performed.

1.1  Purpose and Scope

Determine the risk assessment purpose and scope. This establishes the extent of the assessment to be performed.  Identify the system components, field site locations (if any), and any other details about the information system to be considered.

Once you have identified the purpose and scope, the next step is to identify the risk assessment approach.

1.2  Risk Assessment Approach

Determine the approach used to conduct the risk assessment, including:

  • The participants (e.g., risk assessment team members)
  • The technique used to gather information (e.g., the use of tools, questionnaires)
  • The development and description of risk scale and risk-level matrix.

To measure risk, you must develop a risk-level matrix. The matrix uses threat impact and threat likelihood to obtain a risk level. Generally a three by three matrix is used, with threat impact rated high, medium, or low and threat likelihood rated high, medium, or low. Each likelihood and impact value is assigned a numerical rating. Multiplying likelihood by impact produces a risk-level value, as shown below:

Overall Risk Rating

Risk Likelihood   | Risk Impact
                  | Low (10)          | Moderate (50)          | High (100)
------------------+-------------------+------------------------+-------------------------
High (1.0)        | Low               | Moderate               | High
                  | 10 x 1.0 = 10     | 50 x 1.0 = 50          | 100 x 1.0 = 100
Moderate (0.5)    | Low               | Moderate               | Moderate
                  | 10 x 0.5 = 5      | 50 x 0.5 = 25          | 100 x 0.5 = 50
Low (0.1)         | Low               | Low                    | Low
                  | 10 x 0.1 = 1      | 50 x 0.1 = 5           | 100 x 0.1 = 10

The above table is a simple matrix that shows how to determine the risk level based upon the threat impact and the threat likelihood. Reading the cells, a value above 50 is High risk, a value above 10 and up to 50 is Medium risk, and a value of 10 or less is Low risk.

Example: For a High likelihood (1.0) and Medium impact (50) threat, the risk level is 1.0 x 50 = 50 = Medium risk.

If necessary, a four by four or five by five  matrix may be used, that includes the values “very high” and/or “very low” in the risk scale.  Once you have established the risk assessment approach and risk matrix, the next step is system characterization.

1.3  System Characterization

Identify the specific system components. System components should include:

  • Hardware (e.g., server, router, switch)
  • Software (e.g., application, operating system, protocol)
  • System interfaces (e.g., communication link)
  • Data
  • Users

 Provide a connectivity diagram or system flowchart to define the scope of the risk assessment effort. When you have identified the system, the next step is to list the potential system threats.

1.4  Threat Identification

Identify the potential threat-sources and compile a threat statement listing those that are applicable to the IT system being evaluated. A threat is an individual or activity with the potential to cause harm to the system. A threat-source is the intent or situation, and the method, that may trigger the threat. Threat-sources that commonly apply to a system fall into three categories:

Natural           | Human                 | Environmental
------------------+-----------------------+-----------------
Flood             | Hacker                | Power failure
Earthquake        | Computer Criminal     | Pollution
Electrical Storm  | Terrorist             | Chemicals
Avalanche         | Industrial Espionage  | Leakage
Tornado           | Insiders (employees)  | Electrical Fire

1.5  Vulnerability Identification

Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. Pair each vulnerability with the threat-source that could exploit it and the threat action that would result, as in the following table.

Identified Vulnerabilities

Threat Source | Vulnerability | Threat Action
--------------+---------------+--------------
Terminated employees. | Terminated employees' system identifiers (IDs) are not removed from the system. | Dialing into the company's network and accessing company proprietary data.
Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists). | Company firewall allows inbound telnet, and guest ID is enabled on XYZ server. | Using telnet to XYZ server and browsing system files with the guest ID.
Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists). | The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system. | Obtaining unauthorized access to sensitive system files based on known system vulnerabilities.
Fire, negligent persons. | Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place. | Water sprinklers being activated in the data center and damaging unprotected hardware and equipment.

1.6  Controls Analysis

Analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability. 

Security Controls

Control Family           | Control Area                                 | In-Place/Planned | Description of Control
-------------------------+----------------------------------------------+------------------+-----------------------
Risk Management          | IT Security Roles & Responsibilities         |                  |
                         | Business Impact Analysis                     |                  |
                         | IT System & Data Sensitivity Classification  |                  |
                         | IT System Inventory & Definition             |                  |
                         | Risk Assessment                              |                  |
                         | IT Security Audits                           |                  |
Contingency Planning     | Continuity of Operations Planning            |                  |
                         | IT Disaster Recovery Planning                |                  |
                         | IT System & Data Backup & Restoration        |                  |
IT Systems Security      | IT System Hardening                          |                  |
                         | IT Systems Interoperability Security         |                  |
                         | Malicious Code Protection                    |                  |
                         | IT Systems Development Life Cycle Security   |                  |
Logical Access Controls  | Account Management                           |                  |
                         | Password Management                          |                  |
                         | Remote Access                                |                  |
Data Protection          | Data Storage Media Protection                |                  |
                         | Encryption                                   |                  |
Facilities Security      | Facilities Security                          |                  |
Personnel Security       | Access Determination & Control               |                  |
                         | IT Security Awareness & Training             |                  |
                         | Acceptable Use                               |                  |
Threat Management        | Threat Detection                             |                  |
                         | Incident Handling                            |                  |
                         | Security Monitoring & Logging                |                  |
IT Asset Management      | IT Asset Control                             |                  |
                         | Software License Management                  |                  |
                         | Configuration Management & Change Control    |                  |

1.7  Risk Assessment

During the risk assessment, the assessment team evaluates each threat-vulnerability pair identified for the system in terms of likelihood and impact, and assigns the pair a risk-level value using the established risk-level matrix. Taken together, these evaluations give the risk level for the system.

The assessment team observations should be summarized in a table.  Each observation must include the following information:

  • A brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked).
  • The threat-source and vulnerability pair.
  • Existing mitigating security controls.
  • Threat likelihood evaluation (e.g., High, Medium, or Low).
  • Threat impact evaluation (e.g., High, Medium, or Low).
  • Risk rating based on the established risk-level matrix (e.g., High, Medium, or Low).
  • Recommended controls or alternative options for reducing the risk.

The assessment results should be ordered by risk level, i.e. high, medium, and then low risk items.  Within the risk level, the items with the greatest impact should be listed first.

1.7.1       Likelihood Determination

Assign an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment. The rating combines the effectiveness of the existing controls with the probability of the threat occurring (for natural or environmental threats) or the threat-source's motivation and capability (for human threats):

Risk Likelihood Definition

Effectiveness of Controls | Probability of Threat Occurrence (Natural or Environmental Threats)
                          | or Threat Motivation and Capability (Human Threats)
                          | Low        | Moderate   | High
--------------------------+------------+------------+-----------
Low                       | Moderate   | High       | High
Moderate                  | Low        | Moderate   | High
High                      | Low        | Low        | Moderate

Risk Likelihood

Risk No. | Risk Summary | Evaluation of Likelihood | Rating
---------+--------------+--------------------------+-------
1        |              |                          |

1.7.2       Impact Analysis

State the adverse impact that would result from a threat-source successfully exercising a vulnerability.

Impact Rating Definition

Magnitude | Impact definition
----------+------------------

High

Occurrence of the risk:

  1. may result in human death or serious injury;
  2. may result in the loss of major University tangible assets, resources or sensitive data; or
  3. may significantly harm, or impede, the University's or department's mission, reputation, or interest.

Moderate

Occurrence of the risk:

  1. may result in human injury;
  2. may result in the costly loss of University tangible assets or resources; or
  3. may violate, harm, or impede the University's or department's mission, reputation, or interest.

Low

Occurrence of the risk:

  1. may result in the loss of some tangible University assets or resources; or
  2. may noticeably affect the University's or department's mission, reputation, or interest.


Impact Analysis

Risk No. | Risk Summary | Impact | Rating
---------+--------------+--------+-------
1        |              |        |

1.7.3       Risk Determination

Determine the level of risk to the IT system by applying the risk-level matrix established in Section 1.2 to each pair's likelihood and impact ratings:

Overall Risk Rating

Risk Likelihood   | Risk Impact
                  | Low (10)          | Moderate (50)          | High (100)
------------------+-------------------+------------------------+-------------------------
High (1.0)        | Low               | Moderate               | High
                  | 10 x 1.0 = 10     | 50 x 1.0 = 50          | 100 x 1.0 = 100
Moderate (0.5)    | Low               | Moderate               | Moderate
                  | 10 x 0.5 = 5      | 50 x 0.5 = 25          | 100 x 0.5 = 50
Low (0.1)         | Low               | Low                    | Low
                  | 10 x 0.1 = 1      | 50 x 0.1 = 5           | 100 x 0.1 = 10


Overall Risk Rating

Risk No. | Risk Summary | Likelihood | Impact | Overall
---------+--------------+------------+--------+--------
1        |              |            |        |
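The following is an added example, not part of the guideline: it encodes the likelihood definition table (1.7.1), the risk-level matrix (1.2 and 1.7.3) and the ordering rule of Section 1.7 (by risk level, then greatest impact first), and runs them over constructed observations drawn from the vulnerability table in 1.5. The control-effectiveness and threat-probability ratings given to those observations are assumptions made for illustration.

```python
# Section 1.2 / 1.7.3 risk-level matrix: numeric ratings for each scale value.
LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}
# Section 1.7.1 likelihood definition: row = effectiveness of controls,
# column = probability of threat occurrence (or motivation and capability).
LIKELIHOOD_TABLE = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}
LEVEL_ORDER = {"High": 0, "Moderate": 1, "Low": 2}  # report ordering (1.7)

def likelihood_rating(control_effectiveness, threat_probability):
    return LIKELIHOOD_TABLE[control_effectiveness][threat_probability]

def risk_value(likelihood, impact):
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(value):
    # Thresholds read off the matrix cells: 100 is High, 25-50 Moderate, 1-10 Low.
    if value > 50:
        return "High"
    return "Moderate" if value > 10 else "Low"

def assessment_summary(observations):
    """observations: (No., summary, control effectiveness, threat probability,
    impact). Returns (No., summary, likelihood, impact, value, level) rows
    ordered by risk level, then greatest impact first, as Section 1.7 requires."""
    rows = []
    for number, summary, effectiveness, probability, impact in observations:
        likelihood = likelihood_rating(effectiveness, probability)
        value = risk_value(likelihood, impact)
        rows.append((number, summary, likelihood, impact, value, risk_level(value)))
    rows.sort(key=lambda r: (LEVEL_ORDER[r[5]], -IMPACT[r[3]]))
    return rows

# Constructed sample observations based on the guideline's vulnerability table;
# the control-effectiveness and probability ratings are assumed for illustration.
SAMPLE = [
    (1, "Terminated employees' IDs not removed", "Low", "High", "High"),
    (2, "Inbound telnet allowed; guest ID on XYZ server", "Moderate", "High", "Moderate"),
    (3, "Vendor security patches not applied", "Moderate", "Moderate", "High"),
    (4, "Sprinklers, no tarpaulins over hardware", "High", "Low", "Moderate"),
]

if __name__ == "__main__":
    for row in assessment_summary(SAMPLE):
        print(row)
```

Note that observation 3 (High impact, Moderate likelihood) and observation 2 (Moderate impact, High likelihood) both score 50 and land in the Moderate band, and the ordering rule places the higher-impact item first.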

1.7.4       Control Recommendations

Reduce the level of risk to the IT system and its data to an acceptable level. 

Risk No. | Risk Summary | Recommendation
---------+--------------+---------------
1        |              |
2        |              |
3        |              |

1.7.5       Risk Assessment Summary

Combine all of the above into a single table to consolidate the findings.

Observation Description | Threat Source | Vulnerability | Existing Controls | Likelihood | Impact | Risk Level | Recommended Controls
------------------------+---------------+---------------+-------------------+------------+--------+------------+---------------------
                        |               |               |                   |            |        |            |
                        |               |               |                   |            |        |            |
                        |               |               |                   |            |        |            |

 Once you have completed the assessment, document the results in a report.  Management will use the report to make decisions on policy, system, and management changes.  Management can then allocate the necessary resources to mitigate risks to the information system.