Risk Management in IT: Risk Assessment Methodology

Published: Thursday, August 18th, 2011

What is a Risk Assessment?

A risk assessment is the process (and the resulting report) of determining the likelihood that a threat will exploit a weakness. Risk assessment is one part of risk management.

What is risk management?

Risk Management is the ongoing process of identifying, assessing, and prioritizing risks.

STEPS of a RISK ASSESSMENT

This is a synopsis of NIST Special Publication 800-30. These are the steps that should be part of an IT risk management plan.

Step 1 System Characterization

An organization must know all the parts of a new information system before the threats and vulnerabilities can be identified and the impact (or harm) to the organization can be analyzed. System characterization includes a list of the hardware, software, and firmware and a network diagram. It also includes the operational environment the system is in and any management, operational, and technical controls that have been implemented.

Additional features and methods of system characterization are described in section 3.1 of NIST SP 800-30. The output looks a lot like a System Security Plan: NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, characterizes the system in section 2 (System Boundary Analysis & Security Controls) and section 3 (Plan Development).

Output from Step 1 – Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of the system boundary.

Step 2 Threat Identification

A threat is “the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” A threat-source is “either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability,” that is, an adverse action or event that could exploit or trigger a vulnerability. NIST identifies three “common threat-sources”: Natural, Human, and Environmental.

Common Threat-Sources
- Natural Threats—Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.
- Human Threats—Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).
- Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

Sources of information include, but are not limited to, the following:
• Intelligence agencies (for example, the Federal Bureau of Investigation’s National Infrastructure Protection Center)
• Federal Computer Incident Response Center (FedCIRC)
• Mass media, particularly Web-based resources such as SecurityFocus.com, SecurityWatch.com, SecurityPortal.com, and SANS.org. – NIST 800-30

By addressing the motivation behind a potential attack, the capability of the event to occur, and the resources available to a potential attacker, an organization can better estimate the likelihood of real threat-sources.

Output from Step 2 – A threat statement containing a list of threat-sources that could exploit system vulnerabilities.

Step 3 Vulnerability Identification

A vulnerability is a weakness in a system's design, architecture, configuration, etc. that could be exploited. There are many ways to find vulnerabilities on a system. Federal systems have the Vulnerability Management System (VMS) and the National Vulnerability Database, databases with a breakdown of operating system, network, and application vulnerabilities that allow an organization to track vulnerabilities. Network vulnerability scans, security tests & evaluations, interviews, questionnaires, POA&Ms, penetration tests, and previous assessments are other methods of identifying vulnerabilities.

Step 4 Control Analysis

Control analysis consists of listing all controls that are planned and implemented. Actions to identify planned and implemented controls could include examining previous POA&Ms and system security plans on existing systems. On new systems the organization could examine the technical controls to be implemented by using network scanners and scripts. For nontechnical controls, the organization could review documentation addressing business/mission procedures and organizational policies.

http://nvd.nist.gov/scap/docs/2008-conf-presentations/day2/mgt-80037-transformation-ross-092408.pdf

Step 5 Likelihood Determination
Likelihood determination is based on threat-source motivations, capability, and resources available combined with the nature of system vulnerabilities.

The organization defines likelihood levels and their definitions so that a qualitative likelihood determination can be made.

Step 6 Impact Analysis
Impact analysis starts from a determination of the system mission and the criticality and sensitivity of the system and its data. The organization should then determine the adverse impacts of a loss of integrity, confidentiality, or availability.

The organization can also give quantitative assessments by introducing the real monetary loss that results from an impact. The magnitude of impact and its definitions are represented in the qualitative matrix above.

Output from Step 6-Magnitude of impact (High, Medium, or Low)

Step 7 Risk Determination
The risk determination combines the likelihood of a given threat with the magnitude of the impact should the vulnerability be exploited or triggered by a threat-source. Threat likelihood and potential impact are each given a rating, and the output of this step is a Risk-Level Matrix.
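Steps 5 to 7 above carried through in code, as an added example that is not part of the original post or of NIST's publication: the numeric likelihood and impact values and the risk thresholds are those of the 2002 edition of SP 800-30 (Tables 3-6 and 3-7), while rolling the three C/I/A impacts up to the highest one, the Finding class and the sample findings are assumptions of this example.

```python
"""Steps 5-7 of NIST SP 800-30 (2002): likelihood, impact and risk determination.
Scales follow SP 800-30 Rev 0 Table 3-6 (likelihood High=1.0/Medium=0.5/Low=0.1,
impact High=100/Medium=50/Low=10) and Table 3-7 (risk High >50, Medium >10, Low <=10)."""
from dataclasses import dataclass

LIKELIHOOD_SCALE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCALE = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}

@dataclass
class Finding:
    """A threat/vulnerability pair with a Step 6 impact rating per security objective."""
    name: str
    likelihood: str
    confidentiality: str
    integrity: str
    availability: str

def magnitude_of_impact(f: Finding) -> str:
    """Step 6: highest of the C/I/A impacts (high-water mark; an assumption of this example)."""
    return max((f.confidentiality, f.integrity, f.availability), key=LEVEL_ORDER.__getitem__)

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: likelihood value times impact value."""
    return LIKELIHOOD_SCALE[likelihood] * IMPACT_SCALE[impact]

def risk_level(score: float) -> str:
    """Map a score onto the High/Medium/Low risk scale of Table 3-7."""
    return "High" if score > 50 else "Medium" if score > 10 else "Low"

def risk_level_matrix() -> dict:
    """The 3x3 Risk-Level Matrix keyed by (likelihood, impact)."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in LIKELIHOOD_SCALE for im in IMPACT_SCALE}

def prioritize(findings: list) -> list:
    """Rows of (name, likelihood, impact, score, level), highest risk first."""
    rows = []
    for f in findings:
        imp = magnitude_of_impact(f)
        score = risk_score(f.likelihood, imp)
        rows.append((f.name, f.likelihood, imp, score, risk_level(score)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample findings for illustration, not from any real assessment.
SAMPLE = [
    Finding("Unpatched web server", "High", "Medium", "Medium", "High"),
    Finding("Backup tapes stored unencrypted offsite", "Low", "High", "Low", "Low"),
    Finding("No UPS for branch file server", "Medium", "Low", "Low", "Medium"),
]
```

Calling `prioritize(SAMPLE)` returns the three findings ordered High, Medium, Low, which is the prioritized list that feeds Step 8.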

Step 8 Control Recommendations
The goal of the control recommendation is to determine how to mitigate the identified vulnerabilities in order to reduce risk to the system. Factors to consider when recommending controls include:
• Effectiveness of recommended options (e.g., system compatibility)
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability

Step 9 Document findings
All the results of the risk assessment methodology must be documented. A Security Assessment Report (SAR) or risk assessment report captures the data that will allow decision makers to make an informed cost-benefit decision on implementing controls.
