Risk Assessment System Evaluation Steps

Step 3 in the recommended risk assessment process is "Evaluate the system". This page expands on that step.

The system evaluation steps of the risk assessment include the following:

  1. Planning - Prepare a checklist of questions and items related to the computer system for the project, including overall system concerns and concerns specific to the servers, the application, the data, and the users. Determine which organizational policies apply to the project.
  2. Conduct interviews and hold meetings with business owners and other appropriate business and technical experts to:
    • Discuss the checklist and answer all possible questions.
    • Determine and document all parts of the system.
    • Determine system and data criticality.
    • Identify current controls.
    • Learn about past incidents.
    • Determine system compliance with current standards.
    • Determine applicable laws and compliance with those laws.
  3. Hold daily meetings of the assessment team to identify other experts to interview and to pool the information gathered.
  4. Consider threat scenarios against the business activities or assets, including information assets, relative to the systems involved. Ask questions that relate to:
    • How these threat scenarios are dealt with.
    • How the business depends on specific systems and data.
    • Business processes, policies, and procedures that cover threat-related issues.
    Some question categories include:
    • System need/value
    • Data confidentiality, integrity, and availability
    • Inventory of the parts and interfaces of the system, to determine data paths and the extent of the assessment.
    • Authorization process - Number of users accessing the system from the organizational network, home, other businesses, the internet, contractor sites, or elsewhere. Number of administrators of each of the following types: system, database, application, account, tech support, developer, and security administrators.
    • Authentication process
    • Existing system policies and procedures
    • Disaster recovery
    • Auditing
    • Physical security
    • Incident response
    • Incident detection
    • Configuration and configuration management
    • Are proper policies and plans in place?
    • How is information classified?
    • How is information stored relative to the classification?
    • How is information handled and transmitted relative to the classification?
    • How is information disposed of?
    • What access controls are used to prevent unauthorized data disclosure or modification?
    • Is confidential information sent through email or physical mail?
    • How are faxes used?
    • Use of transmitted and stored video.
    • Use of voice.
    • What are the system security needs? Are there any special needs?
    • Are there any security needs of the network that may be affected by the new system? How does the new system affect the network?

Since system evaluation is a system security assessment, see the Security Assessment section for more questions relating to data, user information, access controls, system information, and application information. See Organizational Threats in the Disaster Recovery section for more information about threats, and see Computer Security Threats for more information about the types of attacks and threats to computer security.

Data Evaluation

One of the most important parts of evaluating the system is evaluating the data that is stored or processed on it. The security needs of the data are instrumental in determining the security needs of the associated system. Evaluation of data is described at