Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat associated with a specific risk. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
To determine the likelihood of a future adverse event, threats to an organization must be analyzed in conjunction with the potential vulnerabilities and the controls in place. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The level of impact is governed by the potential mission impacts and in turn produces a relative value for the assets and resources affected (e.g., the criticality and sensitivity of the business system components and data). The risk assessment methodology described in this practice encompasses nine steps.
This practice is in effect a methodology for conducting risk assessments. Therefore, rather than showing the traditional workbench used in other ICI practices, this practice will be illustrated as a methodology flowchart.
The implementation of this practice involves the following nine steps.
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
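As an added worked example (not part of the practice document), the following Python runs the likelihood determination, risk determination and control recommendation steps over a small constructed risk register. The page states only that risk is a function of likelihood and impact; the numeric rating scales, the 3x3 likelihood-by-impact matrix, the rule that an effective control lowers the likelihood rating by one level, and the recommendation wording are all assumptions (the scales follow the NIST SP 800-30 style), and the register entries are constructed sample data.

```python
# Worked example of the likelihood determination, risk determination and
# control recommendation steps. Added illustration, not part of the practice
# document it accompanies. Scales, matrix thresholds and the control rule are
# assumed (NIST SP 800-30 style); the register entries are constructed.
from dataclasses import dataclass, field

# Assumed rating scales: likelihood as a probability weight, impact as a magnitude.
LIKELIHOOD_SCALE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_SCALE = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class RiskItem:
    asset: str                       # step 1: system characterization
    threat_source: str               # step 2: threat identification
    vulnerability: str               # step 3: vulnerability identification
    controls_in_place: list = field(default_factory=list)  # step 4: (name, effective?)
    raw_likelihood: str = "Medium"   # likelihood before controls are considered
    impact: str = "Medium"           # step 6: impact analysis


def likelihood_with_controls(raw: str, controls_in_place: list) -> str:
    """Step 5 (assumed simplification): at least one control judged effective
    lowers the likelihood rating one level; ineffective or absent controls
    leave it unchanged."""
    idx = LEVELS.index(raw)
    if any(effective for _, effective in controls_in_place) and idx > 0:
        return LEVELS[idx - 1]
    return LEVELS[idx]


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk as the product of the likelihood and impact ratings."""
    return LIKELIHOOD_SCALE[likelihood] * IMPACT_SCALE[impact]


def risk_level(score: float) -> str:
    """Assumed 3x3 matrix thresholds: High above 50, Medium above 10, else Low.
    Note the boundaries: Low x High = 10 is still Low, High x Medium = 50 is Medium."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def recommendation(level: str) -> str:
    """Step 8: action guidance per risk level (wording assumed)."""
    return {
        "High": "Corrective measures required; plan controls before operation continues",
        "Medium": "Corrective action plan needed within a reasonable period",
        "Low": "Accept, or decide whether corrective action is still warranted",
    }[level]


def assess(items: list) -> list:
    """Run steps 5-8 over a register; the ranked rows are the input to step 9."""
    rows = []
    for it in items:
        lk = likelihood_with_controls(it.raw_likelihood, it.controls_in_place)
        score = risk_score(lk, it.impact)
        level = risk_level(score)
        rows.append({
            "asset": it.asset, "threat": it.threat_source,
            "vulnerability": it.vulnerability, "likelihood": lk,
            "impact": it.impact, "score": score, "level": level,
            "recommendation": recommendation(level),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Payroll DB server", "External attacker", "Unpatched database service",
             [("Network firewall", True)], "High", "High"),
    RiskItem("HR file share", "Disgruntled insider", "Overly broad share permissions",
             [], "High", "High"),
    RiskItem("Public website", "Opportunistic attacker", "Outdated CMS plugin",
             [("WAF", False)], "High", "Low"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r['level']:6} {r['score']:5.1f} {r['asset']}: {r['recommendation']}")
```

The ranking shows why control analysis precedes likelihood determination: the payroll server and the file share carry the same raw threat and impact, but the effective firewall drops the server one likelihood level and therefore one risk level, while the ineffective WAF on the website changes nothing.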
This practice is specifically detailed and described in a document containing 19 pages.