IT Examiner School, Providence, RI
Risk Assessment Process
Identify and value sensitivity of information assets.
Identify potential internal/external threats and/or vulnerabilities (aka risks).
Rank likelihood and impact of threats and/or vulnerabilities.
Assess sufficiency of risk control policies, procedures, information systems, etc.
What Risks…?
• Anything that could compromise the security of an asset by exploiting a vulnerability is considered a risk
  – Threat to data and systems supporting mission statement
• Threats are events that are designed to do harm to the confidentiality, integrity, or availability of information or information systems
  – Intentionally (maliciously) or unintentionally
• Determine (identify) what data and systems should be protected
  – Not all systems require equal protection
  – What level of resources should be applied to protect them?
• Impact
  – What would it cost if