Information Technology Services
Risk Assessment Methodology Overview
Many different approaches to risk assessment have been developed. The following guidelines provide a simple step-by-step process. Additional resources and methodologies are linked under Resources to help you establish an approach appropriate to your business environment.
General Guidelines for a Risk Assessment
- Establish the risk assessment team. The risk assessment team will be responsible for the collection, analysis, and reporting of the assessment results to management. It is important that all aspects of the activity work flow be represented on the team, including human resources, administrative processes, automated systems, and physical security.
- Set the scope of the project. At the outset, the assessment team should identify the objective of the assessment; the project, department, or functional area to be assessed; the responsibilities of the members of the team; the personnel to be interviewed; the standards to be used; the documentation to be reviewed; and the operations to be observed.
- Identify assets covered by the assessment. Assets may include, but are not limited to, personnel, hardware, software, data (including classification of sensitivity and criticality), facilities, and current controls that safeguard those assets. It is key to identify all assets associated with the assessment project determined in the scope.
- Categorize potential losses. Identify the losses that could result from any type of damage to an asset. Losses may result from physical damage, denial of service, modification, unauthorized access, or disclosure. Losses may also be intangible, such as the loss of the organization's credibility.
- Identify threats and vulnerabilities. A threat is an event, process, activity, or action that exploits a vulnerability to attack an asset. Include natural threats, accidental threats, human accidental threats, and human malicious threats. Examples include power failure, biological contamination or hazardous chemical spills, acts of nature, hardware/software failure, data destruction or loss of integrity, sabotage, theft, and vandalism. A vulnerability is a weakness that a threat can exploit to attack an asset. Vulnerabilities can be identified by addressing the following areas in your data collection process: physical security, environment, system security, communications security, personnel security, plans, policies, procedures, management, support, etc.
- Identify existing controls. Controls are safeguards that reduce the probability that a threat will exploit a vulnerability to successfully attack an asset. Identify those safeguards that are currently implemented, and determine their effectiveness in the context of the current analysis.
- Analyze the data. In this phase, all the collected information is used to determine the actual risks to the assets under consideration. One technique is to prepare a list of assets showing, for each asset, the corresponding threats, type of loss, and vulnerability. Analysis of this data should include an assessment of the likely frequency of each potential loss.
- Determine cost-effective safeguards. Include in this assessment the implementation cost of the safeguard, the annual cost to operate the safeguard, and the life cycle of the safeguard.
- Report. The type of report to make depends on the audience to whom it is submitted. Typically, a simple report that is easy to read and supported by detailed analysis is more easily understood by individuals who may not be familiar with your organization. The report should include findings; a list of assets, threats, and vulnerabilities; a risk determination; recommended safeguards; and a cost-benefit analysis.
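As an added illustration of the "Analyze the data" and "Determine cost-effective safeguards" steps above (example code, not part of the original guidelines), the following Python script holds a small constructed register of assets with their threats, type of loss, vulnerability and estimated loss frequency, and compares each candidate safeguard's annualized cost (implementation cost spread over its life cycle plus annual operating cost) against the annual loss it is expected to prevent. All asset names, figures and safeguards are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class RiskItem:
    """One row of the analysis list: asset, threat, type of loss, vulnerability, estimates."""
    asset: str
    threat: str
    loss_type: str            # physical damage, denial of service, modification, unauthorized access, disclosure
    vulnerability: str
    single_loss: float        # estimated cost of one occurrence (hypothetical figure)
    annual_frequency: float   # expected occurrences per year (hypothetical figure)

    def annual_expected_loss(self) -> float:
        # Frequency of the potential loss multiplied by its magnitude
        return self.single_loss * self.annual_frequency


@dataclass
class Safeguard:
    """A candidate control with the three cost figures the methodology asks for."""
    name: str
    implementation_cost: float
    annual_operating_cost: float
    life_cycle_years: int
    frequency_reduction: float  # fraction of occurrences the safeguard prevents, 0..1

    def annualized_cost(self) -> float:
        # Spread the one-time implementation cost over the life cycle, then add yearly operation
        return self.implementation_cost / self.life_cycle_years + self.annual_operating_cost


def annual_benefit(item: RiskItem, safeguard: Safeguard) -> float:
    return item.annual_expected_loss() * safeguard.frequency_reduction


def is_cost_effective(item: RiskItem, safeguard: Safeguard) -> bool:
    return annual_benefit(item, safeguard) > safeguard.annualized_cost()


# Constructed sample register: hypothetical assets, figures and safeguards
REGISTER = [
    (RiskItem("file server", "power failure", "denial of service", "no UPS", 5000.0, 2.0),
     Safeguard("UPS", 6000.0, 500.0, 5, 0.9)),
    (RiskItem("HR database", "theft of backup media", "disclosure", "unencrypted backups", 200000.0, 0.05),
     Safeguard("backup encryption", 20000.0, 8000.0, 3, 0.8)),
]


def evaluate(register=REGISTER) -> list:
    """Return (asset, safeguard, annual expected loss, annualized cost, cost-effective?) per row."""
    return [(i.asset, s.name, i.annual_expected_loss(), round(s.annualized_cost(), 2),
             is_cost_effective(i, s)) for i, s in register]
```

Running `evaluate()` shows the UPS paying for itself while the encryption project, as costed here, does not; that is the comparison the report's cost-benefit analysis is meant to present.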