Risk Assessment Activities

A related document is the NIST standard, SP800-30, which discusses risk management related to the system development life cycle (SDLC). This document is recommended reading for those who perform risk assessments or work with risk management. The NIST standard SP800-30 breaks out risk assessment activities as shown below.

Risk Assessment Activities

  1. Characterize the system - define boundaries, resources, and information that make up the system
    • Consider
      • Hardware
      • Software
      • System interfaces
      • Data and information
      • People
      • System mission
    • Create
      • System boundaries
      • System functions
      • System and data criticality
      • System and data sensitivity
  2. Identify threats
    • Consider
      • History of system attack
      • Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
    • Create
      • Threat statement
  3. Identify vulnerabilities
    • Consider
      • Reports from prior risk assessments
      • Any audit comments
      • Security requirements
      • Security test results
    • Create
      • List of potential vulnerabilities
  4. Control analysis
    • Consider
      • Current controls
      • Planned controls
    • Create
      • List of current and planned controls
  5. Likelihood determination
    • Consider
      • Threat source motivation
      • Threat capacity
      • Nature of vulnerability
      • Current controls
    • Create
      • Likelihood rating
  6. Impact analysis - determine the damage that would result if a threat materialized
    • Consider
      • Mission impact analysis
      • Asset criticality assessment
      • Data criticality
      • Data sensitivity
    • Create
      • Impact rating
  7. Risk determination
    • Consider
      • Likelihood of threat exploitation
      • Magnitude of impact
      • Adequacy of planned or current controls
    • Create
      • Risks and associated risk levels
  8. Control recommendations
    • Create
      • Recommended controls
  9. Results documentation
    • Create
      • Risk assessment report
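Steps 5 to 7 above (likelihood determination, impact analysis, risk determination) are the part of the process that can be carried through as a calculation, so here is an added example of that part in Python; it is not code from the page or from NIST. The likelihood definitions and the likelihood/impact weights and risk scale follow the SP 800-30 (2002 edition) likelihood definitions and risk-level matrix; the threat/vulnerability pairs and their ratings are constructed sample input.

```python
"""Steps 5-7 of an SP 800-30 risk assessment: likelihood, impact, risk level."""
from dataclasses import dataclass

# SP 800-30 (2002) likelihood definitions, Table 3-4:
#   High   - source highly motivated and capable, controls ineffective
#   Medium - source motivated and capable, but controls may impede exploitation
#   Low    - source lacks motivation or capability, or controls prevent exploitation
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
# Impact weights and the risk scale (>50 High, >10 Medium, else Low) follow
# the SP 800-30 risk-level matrix, Table 3-6.
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class ThreatVulnPair:
    threat: str              # from the threat statement (step 2)
    vulnerability: str       # from the vulnerability list (step 3)
    motivated: bool          # threat-source motivation (step 5 input)
    capable: bool            # threat capacity (step 5 input)
    controls: str            # current controls (step 4): "ineffective", "may impede", "prevent"
    impact: str              # impact rating from step 6: "High", "Medium" or "Low"

def likelihood_rating(p: ThreatVulnPair) -> str:
    """Step 5: derive the likelihood rating from motivation, capacity and controls."""
    if not (p.motivated and p.capable) or p.controls == "prevent":
        return "Low"
    return "Medium" if p.controls == "may impede" else "High"

def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Step 7: risk score = likelihood weight x impact weight, bucketed by the matrix."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level

def assess(pairs: list[ThreatVulnPair]) -> list[dict]:
    """Step 7 output: risks with associated risk levels, highest score first."""
    rows = []
    for p in pairs:
        lik = likelihood_rating(p)
        score, level = risk_level(lik, p.impact)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability,
                     "likelihood": lik, "impact": p.impact,
                     "score": score, "risk_level": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample threat/vulnerability pairs (not from the page).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "Unpatched remote service", True, True, "ineffective", "High"),
    ThreatVulnPair("Insider", "Excess file-share permissions", True, True, "may impede", "Medium"),
    ThreatVulnPair("Opportunistic scanner", "Banner disclosure", True, True, "prevent", "Low"),
    ThreatVulnPair("Flood", "Single data centre", False, True, "ineffective", "High"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print(f'{row["risk_level"]:6} {row["score"]:6.1f}  {row["threat"]}: {row["vulnerability"]}')
```

Note that the matrix rates a Low-likelihood, High-impact pair (the flood case) as Low overall, which is why SP 800-30 treats the matrix as an input to the control recommendations of step 8 rather than the whole story.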