Week 3: Risk Assessment
SP 800-30 : Nine Steps
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
risk assessment -- analysis
analysis includes:
- valuation of assets
- identification of threats to those assets
- assessment of vulnerabilities in the controls protecting these assets against the identified threats
- calculation of risks
- identification of cost-effective controls to mitigate risks
System Characterization
define the scope of the effort; the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization boundaries, and provides information essential to defining risk
Impact Analysis
determine the adverse impact resulting from a successful threat exercise of a vulnerability; the following necessary information must be obtained:
- system mission
- system and data criticality / data sensitivity
the impact of a security event is summed up as loss/degradation of CIA (confidentiality, integrity, availability)
Vulnerability Identification
develop a list of system vulnerabilities that could be exploited by the potential threat-sources:
- vulnerability/threat-source pairings
- vulnerability sources
- system security testing
- development of a security requirements checklist
Threat Identification
identify potential threat-sources and compile a threat statement listing the potential threat-sources that are applicable to the IT system being evaluated:
- threat-source
- motivation and threat actions
- threat statement
risk assessment - aspects
- level of effort: must fit the situation
- realistic and aligned: must provide a realistic and concise picture of what needs to be protected; integrated into the overall RMF process; risk assessments serve as the mechanism to refine minimum baseline controls to fit the needs of the system
- relationship: the relationship between system assets, threats, and vulnerabilities is used to tailor controls
- results: must identify and justify risks that should be accepted
Results Documentation
results should be documented in an official report or briefing (the risk assessment report)
Risk Determination
risk levels:
- high: there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible
- medium: corrective actions are needed and a plan must be developed to incorporate those actions within a reasonable period of time
- low: the system's DAA must determine whether corrective actions are still required or decide to accept the risk
Likelihood Determination
to derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
- threat-source motivation and capability
- nature of the vulnerability
- existence/effectiveness of current controls
the likelihood of a vulnerability being exercised can be described as high, medium, or low
risk assessment report
a management report that helps senior management, the mission owners, make decisions on policy, procedural, budget, and system operational and management changes
Control Analysis
analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood of a threat exercising a system vulnerability:
- control methods (technical and nontechnical)
- control categories (preventive and detective)
- control analysis techniques
risk assessment
involves the systematic identification and prioritization of risks to information technology resources
Control Recommendations
reduce the level of risk to the IT system and its data to an acceptable level. Control recommendations are the result of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented