Document from the year 2013 in the subject Business economics - Information Management, language: English, abstract: Risk assessments play a critical role in the development and implementation of effective information security programs and help address a range of security-related issues from advanced persistent threats to supply chain concerns. The results of risk assessments are used to develop specific courses of action that can provide effective response measures to the identified risks as part of a broad-based risk management process. The guidance provided here uses the key risk factors of threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of weaknesses in information systems and environments of operation, to help senior leaders and executives understand and assess the current information security risks to information technology infrastructure.
Publication year: 2014
Imprint:
Copyright (c) 2015 GRIN Verlag / Open Publishing GmbH, all content protected by copyright. Copying and distribution only with the permission of the publisher.
Table of Contents
I. Overview
II. Scope
III. About the author
1 Introduction
2 Risk management
2.1 Framing risk
2.2 Assessing risk
2.2.1 Risk assessment process
2.2.2 Risk models
2.2.3 Risk assessment approaches
2.2.4 Risk analysis approaches
2.3 Responding to risk
2.4 Monitoring risk
3 Preparing for the risk assessment
3.1 Purpose
3.2 Scope
3.3 Assumptions
3.4 Information sources
3.5 Roles and Responsibilities
4 Conducting the risk assessment
4.1 Risk assessment scope
4.2 Risk Assessment Process
4.2.1 Collect information
4.2.2 Identify systems or processes at risk
4.2.3 Evaluate the likelihood of harm occurring
4.2.4 Evaluate the impact
4.2.5 Determine risk for the item
4.2.6 Investigate options for eliminating or controlling risks
4.2.7 Prioritize action and decide on control measures
4.2.8 Implement controls
4.2.9 Measure the effectiveness of implemented actions
4.3 Assessing risks at organizational level
4.4 Assessing risks at the business process level
4.5 Assessing risks at the information system tier
4.6 Communicating risk information
Implementing a best-practice risk assessment requires a risk assessment methodology that describes how to perform information technology risk assessments. Risk assessments play a critical role in the development and implementation of effective information security programs and help address a range of security-related issues from advanced persistent threats to supply chain concerns.
The results of risk assessments are used to develop specific courses of action that can provide effective response measures to the identified risks as part of a broad-based risk management process.
The guidance provided here uses the key risk factors of threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of weaknesses in information systems and environments of operation, to help senior leaders and executives understand and assess the current information security risks to information technology infrastructure. The risk assessment guidance has been designed to have maximum flexibility so the process can meet the needs of many types of companies.
The risk assessment guidance is consistent with the process for managing information security risk described in NIST Special Publication 800-39, which includes framing risk, assessing risk, responding to risk and monitoring risk over time, and covers risks to the organization’s operations (including missions, functions, image, and reputation), the organization’s critical assets, individuals who are part of the organization or whom the organization serves, other entities involved in partnerships or collaborative efforts with the organization, and the Nation at large (including critical infrastructure).
The guidance also supports a three-tier, enterprise-wide risk management approach (Tier 1 - organization level, Tier 2 - mission/business process level, and Tier 3 - information system level) that focuses on the organization’s governance structures; its core missions/business functions, mission/business processes, and enterprise architecture; and the information systems that are essential for mission/business success.
Copies of Special Publication 800-30, Revision 1, can be obtained from the NIST Computer Security Division web site at: http://csrc.nist.gov/publications.
