Risk is based on a systematic examination of assets, threats, and vulnerabilities that provides the foundation for the development of an appropriate IT Security Program.  Adequate risk analysis is the key to determining the level of protection required for all computing assets such as networks, applications, systems, facilities and other enterprise assets.  A risk analysis will:

• Identify dependence on existing IT assets.
• Identify vulnerabilities of existing IT assets.
• Assess the probabilities of threats occurring to existing IT assets.
• Determine the impact of losses if they do occur.
• Identify the value of safeguards or countermeasures designed to reduce the threats and vulnerabilities to an acceptable level.

Identify dependence on existing IT Assets. Identify vulnerabilities of existing IT  Assets. Assess the probabilities of threats occurring to existing IT assets. Determine the impact of losses if they do occur. Identify the value of safeguards or countermeasures designed to reduce the threats and vulnerabilities to an acceptable level.

The goal of the risk analysis process is to determine an acceptable level of risk that considers security, the security of shared resources business strategy and the overall cost of countermeasures.  Conducting an adequate risk analysis will aid efforts to better apply available resources to their security program.

To conduct a risk analysis, Organizations shall complete the following steps:

A.   Information Asset Review

An information asset review shall be performed to identify, at a minimum, those information assets that are critical to ongoing operations or which contain confidential or critical data.  The criteria for this inventory assessment shall be documented.

B.   Business Impact Analysis

A business impact analysis shall be performed for all information assets identified in the Information Asset Review.  The purpose of the business impact analysis is to document the potential impact of loss of the assets.  Consideration shall be given to operational, financial, and legal impacts.

C.   Vulnerability Analysis

A vulnerability analysis is used to identify vulnerabilities associated with information assets.  The vulnerability analysis shall identify specific vulnerabilities related to information assets identified in the information asset review, as well as where those vulnerabilities exist.

D.   Threat Analysis

A threat analysis shall be conducted to identify threats that could result in the intentional or accidental destruction, modification or release of data, computer, or telecommunication resources.

E.   Risk Analysis

A risk analysis is a collective review of the vulnerabilities and threats to all identified assets to determine the likelihood and impact.  This analysis forms the foundation for security program planning.

While no specific format is required for the risk analysis, instructions and suggested formats, as well as links to risk analysis resources, can be found in the Information Technology Security Guidelines.  Organizations may also consider leveraging disaster recovery reviews, specifically relating to critical assets and business impact, when completing IT security risk assessments.

www.bestitdocuments.com