Risk Assessment program is designed to enable agencies to systematically identify, analyse and evaluate the risks by reviewing the control measures. Information Security risks include the possibility of business damage due to loss of confidentiality, integrity and availability of corporate data. O7Lab’s risk assessment service provides the basis to build or refine the most appropriate information security program for your organization.
In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity and responsible division or support personnel) essential to defining the risk. The methodology described can be applied to assessments of single or multiple, interrelated systems.
A threat is the potential of a threat source to exercise a specific vulnerability. A vulnerability is a weakness in the system that can be accidentally triggered or intentionally exploited. A threat source does not present a risk when there is no vulnerability that can be exercised.
Once the plausible threats are identified, a vulnerability assessment will be performed. The vulnerability assessment considers the potential impact of loss after a successful attack as well as the vulnerability of the facility / location to an attack.
Analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood of a threat exercising a system vulnerability.
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
The next major step in measuring the level of risk is determining the adverse impact resulting from a successful exercise of a vulnerability by a threat. Before beginning the impact analysis, the following information must be obtained:
The purpose of this step is to assess the level of risk to the IT system. The determination of risk for a threat / vulnerability pair can be expressed as a function of:
To measure risk, a risk scale and a risk-level matrix must be developed.
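The risk determination step above combines a likelihood rating with an impact rating through a risk-level matrix. The following added example (not O7Lab's tooling or part of the original page) shows one such matrix in code. The numeric scale values follow the example scale published in NIST SP 800-30 (likelihood High/Medium/Low as 1.0/0.5/0.1, impact High/Medium/Low as 100/50/10, risk Low up to 10, Medium up to 50, High above 50); the threat/vulnerability pairs at the bottom are constructed sample data, and the function names are this example's own.

```python
"""Risk-level matrix for the risk determination step.

Scale values are taken from the example matrix in NIST SP 800-30; an
organization would substitute its own scale, which is why they are kept in
two small tables rather than hard-coded into the logic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood rating -> probability that the vulnerability is exercised
LIKELIHOOD: Dict[str, float] = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Impact rating -> magnitude of the adverse impact on a 0-100 scale
IMPACT: Dict[str, int] = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk for one threat/vulnerability pair = likelihood x impact.

    Ratings outside the defined scale are rejected rather than silently
    mapped, because an unrated pair must not disappear from the report.
    """
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood rating: {likelihood!r}")
    if impact not in IMPACT:
        raise ValueError(f"unknown impact rating: {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a numeric score onto the three-level risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix() -> Dict[Tuple[str, str], str]:
    """The full likelihood x impact matrix, keyed by (likelihood, impact)."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik in LIKELIHOOD
        for imp in IMPACT
    }


@dataclass
class ThreatVulnPair:
    threat_source: str
    vulnerability: str
    likelihood: str   # rating after control analysis, not before
    impact: str


def assess(pairs: List[ThreatVulnPair]) -> List[dict]:
    """Score every pair and order the findings highest risk first,
    which is the order a risk assessment report should present them in."""
    findings = []
    for p in pairs:
        score = risk_score(p.likelihood, p.impact)
        findings.append({
            "threat_source": p.threat_source,
            "vulnerability": p.vulnerability,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample pairs (hypothetical; not findings from any real system)
SAMPLE_PAIRS = [
    ThreatVulnPair("Unauthorized user", "Unpatched file server", "High", "High"),
    ThreatVulnPair("Insider", "Shared admin account", "Medium", "Medium"),
    ThreatVulnPair("Power outage", "No UPS on test lab", "High", "Low"),
    ThreatVulnPair("Flood", "Server room in basement", "Low", "High"),
]

if __name__ == "__main__":
    for (lik, imp), level in sorted(build_matrix().items()):
        print(f"likelihood={lik:<6} impact={imp:<6} -> {level}")
    print()
    for f in assess(SAMPLE_PAIRS):
        print(f"{f['level']:<6} {f['score']:>5}  {f['threat_source']} / {f['vulnerability']}")
```

Note that with this scale a High likelihood paired with a Low impact scores only 10, which is Low risk, and a Low likelihood paired with a High impact also scores 10: the matrix deliberately does not let either factor alone drive the rating. The likelihood fed in should already reflect the control analysis step, since existing controls are what lower the probability that a threat exercises the vulnerability.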
During this step, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are provided. The goal is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing.
A risk assessment report is a management report that will help senior management, the mission owners, make decisions on policy, procedures, budget, and system operational and management changes. We address the threat/vulnerability observations in the risk assessment report.