IT Examiner School, Seaside, CA
Identify Vulnerabilities
Weaknesses in a system or controls, which include: software, hardware, physical, and administrative weaknesses
❖ Anything that can be exploited for gain!

Software Vulnerabilities
• Programming errors

Hardware Vulnerabilities
• Device failure
• Power failure

Physical Vulnerabilities
• Unrestricted facility access
• Lack of fire/flood controls/HVAC
• Location (crime, regional, weather)

Administrative Vulnerabilities
• Antivirus software not kept up-to-date
• Vendor patches not installed
• Unnecessary services running
• Configuration (user) error
• Personnel policies

Risk Assessment Process
• Identify and value sensitivity of information assets.
• Identify potential internal/external threats and/or vulnerabilities.
• Rank likelihood and impact of threats and/or vulnerabilities.
• Assess sufficiency of risk control policies, procedures, information systems, etc.