IT Examiner School, Seaside, CA

Risk Assessment Process

1. Identify and value sensitivity of information assets.

2. Identify potential internal/external threats and/or vulnerabilities (aka risks).

3. Rank likelihood and impact of threats and/or vulnerabilities.

4. Assess sufficiency of risk control policies, procedures, information systems, etc.

What Risks…?

• Anything that could compromise the security of an asset by exploiting a vulnerability is considered a risk
  – Threat to data and systems supporting the mission statement
• Threats are events that are designed to do harm to the confidentiality, integrity, or availability of information or information systems
  – Intentionally (maliciously) or unintentionally
• Determine (identify) what data and systems should be protected
  – Not all systems require equal protection
  – What level of resources should be applied to protect them?
• Impact
  – What would it cost if it were lost?
  – Cost per hour x hours to recovery
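The four-step process above, worked through on a constructed asset inventory (this is an added example, not material from the examiner school). The scoring model is an assumption: impact cost is the slide's "cost per hour x hours to recovery", and each threat's risk score weights that cost by an assumed 1-3 asset sensitivity scale and an assumed 1-3 likelihood scale; the final step flags ranked risks whose existing controls were judged insufficient.

```python
from dataclasses import dataclass

# Assumed scoring model: risk score = sensitivity x likelihood x impact cost,
# where impact cost = cost per hour x hours to recovery (the slide's formula).
@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int         # 1 = low, 2 = medium, 3 = high (assumed scale)
    cost_per_hour: float     # dollars lost for each hour the asset is unavailable
    hours_to_recovery: float

@dataclass(frozen=True)
class Threat:
    asset: str               # name of the asset this threat applies to
    description: str
    likelihood: int          # 1 = rare, 2 = possible, 3 = likely (assumed scale)
    controls_adequate: bool  # outcome of the step-4 control review

def impact_cost(asset: Asset) -> float:
    """Step 3 impact: cost per hour x hours to recovery."""
    return asset.cost_per_hour * asset.hours_to_recovery

def risk_score(asset: Asset, threat: Threat) -> float:
    """Weight the dollar impact by asset sensitivity (step 1) and likelihood (step 3)."""
    return asset.sensitivity * threat.likelihood * impact_cost(asset)

def rank_risks(assets, threats):
    """Return (description, asset name, score, controls_adequate), highest risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(t.description, t.asset, risk_score(by_name[t.asset], t), t.controls_adequate)
              for t in threats]
    return sorted(scored, key=lambda row: row[2], reverse=True)

def control_gaps(ranked):
    """Step 4: ranked risks whose existing controls were judged insufficient."""
    return [row for row in ranked if not row[3]]

# Constructed sample inventory and threat list (not real data).
ASSETS = [
    Asset("core banking system", 3, 5000.0, 8.0),
    Asset("HR database", 3, 500.0, 48.0),
    Asset("marketing website", 1, 200.0, 24.0),
]
THREATS = [
    Threat("core banking system", "hardware failure", 3, True),
    Threat("core banking system", "ransomware", 2, False),
    Threat("HR database", "insider data theft", 1, False),
    Threat("marketing website", "defacement", 3, True),
]
```

Calling rank_risks(ASSETS, THREATS) orders the threats by score, and control_gaps on that list gives the items that need resources first: the highest-scored risks are not necessarily the ones with a control gap.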
