66 2.6 Business Risk Assessment
Additional information could include functional requirements of an asset, key users, security policies governing the asset (organizational policies, federal requirements, laws, industry practices), security architectures, network topology, information storage protection safeguards, technical controls (e.g., built-in or add-on security products that support identification and authentication; discretionary or mandatory access control; audit; residual information protection; and encryption methods), management controls (e.g., rules of behavior, security planning), and operational controls (e.g., personnel security, backup, contingency, and resumption and recovery operations; system maintenance; offsite storage; user account establishment and deletion procedures; and controls for segregation of user functions, such as privileged user access versus standard user access). It is important to include physical security environments in this process (e.g., facility security, data center policies) and environmental security environments (e.g., controls for humidity, water, power, pollution, temperature, and chemicals).
For an asset that is in the initiation or design phase, information can be derived from the design or requirements documents. For an IT system under development, it is necessary to define key security rules and attributes planned for the future IT system. System design documents and the system security plan can provide useful information about the security of an IT system that is in development. For an operational IT system, data is collected about the IT system in its production environment, including data on system configuration, connectivity, and documented and undocumented procedures and practices. Therefore, the system description can be based on the security provided by the underlying infrastructure or on future security plans for the IT system.
2.6.2 Risk Benefit (Likelihood) Analysis Statement
The end result of the risk assessment should be a risk-benefit analysis (or likelihood) statement giving the exact threats and the estimated exposure, together with the contingency and mitigation actions required, and also the benefits arising out of covering the risk. This statement should also delineate any assumptions or constraints that exist. To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
Threat-source motivation and capability
Nature of the vulnerability
Existence and effectiveness of current controls
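The likelihood derivation described above, worked through as an added Python example (this is not code from the book): the three governing factors are combined into a High/Medium/Low rating and folded into a statement that records the threats, the estimated exposure, the mitigation actions, and the assumptions and constraints the text says must be delineated. The combination rules, the field names, and the sample threat/vulnerability pairs are assumptions of this example, modeled on the NIST SP 800-30 likelihood scale rather than taken from the page.

```python
"""Likelihood rating and risk-benefit statement builder (added example).

Not code from the book. The three governing factors named in the text
(threat-source motivation and capability, nature of the vulnerability,
existence and effectiveness of current controls) are combined into a
High / Medium / Low likelihood rating. The combination rules are an
assumption of this example, modeled on the NIST SP 800-30 likelihood
scale; the threat/vulnerability pairs in SAMPLE_PAIRS are constructed.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 0, "medium": 1, "high": 2}
CONTROL_STATES = ("ineffective", "partial", "effective")


@dataclass
class ThreatVulnPair:
    threat_source: str
    vulnerability: str
    capability: str                   # "low" | "medium" | "high"
    ease_of_exploit: str              # nature of the vulnerability: how readily it can be exercised
    control_effectiveness: str        # "ineffective" | "partial" | "effective"
    exposure: str                     # estimated exposure if the threat is realized
    mitigation: str                   # contingency / mitigation action required
    motivation: Optional[str] = None  # None for environmental or natural threat-sources


def likelihood(p: ThreatVulnPair) -> str:
    """Derive the overall likelihood rating from the three governing factors."""
    if p.control_effectiveness not in CONTROL_STATES:
        raise ValueError(f"unknown control effectiveness: {p.control_effectiveness}")
    # Threat-source factor: a human source needs both motivation and capability,
    # so the weaker of the two bounds it; a natural/environmental source has no
    # motivation and is rated on capability (frequency/severity) alone.
    if p.motivation is None:
        source = LEVELS[p.capability]
    else:
        source = min(LEVELS[p.motivation], LEVELS[p.capability])
    vuln = LEVELS[p.ease_of_exploit]
    # Effective controls prevent or significantly impede exercise of the vulnerability.
    if p.control_effectiveness == "effective":
        return "Low"
    # A source lacking motivation or capability, or a vulnerability that is hard
    # to exercise, keeps likelihood Low even when controls are only partial.
    if source == 0 or vuln == 0:
        return "Low"
    # Highly motivated and capable source, readily exercised vulnerability, and
    # no effective controls: the conditions for a High rating.
    if p.control_effectiveness == "ineffective" and source == 2 and vuln == 2:
        return "High"
    return "Medium"


def build_statement(pairs, assumptions=(), constraints=()):
    """Assemble the risk-benefit (likelihood) statement, highest likelihood first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    entries = [{"threat": p.threat_source, "vulnerability": p.vulnerability,
                "likelihood": likelihood(p), "exposure": p.exposure,
                "mitigation": p.mitigation} for p in pairs]
    entries.sort(key=lambda e: order[e["likelihood"]])  # stable: ties keep input order
    counts = {lvl: sum(1 for e in entries if e["likelihood"] == lvl) for lvl in order}
    return {"entries": entries, "counts": counts,
            "assumptions": list(assumptions), "constraints": list(constraints)}


def render(statement) -> str:
    """Plain-text rendering of the statement for inclusion in the assessment report."""
    lines = ["RISK-BENEFIT (LIKELIHOOD) ANALYSIS STATEMENT"]
    for e in statement["entries"]:
        lines.append(f"[{e['likelihood']:6}] {e['threat']} -> {e['vulnerability']}")
        lines.append(f"         exposure:   {e['exposure']}")
        lines.append(f"         mitigation: {e['mitigation']}")
    lines.append("Assumptions: " + "; ".join(statement["assumptions"]))
    lines.append("Constraints: " + "; ".join(statement["constraints"]))
    return "\n".join(lines)


# Constructed sample input (hypothetical system; not from the book).
SAMPLE_PAIRS = [
    ThreatVulnPair("External attacker", "unpatched remote code execution flaw on the public web server",
                   capability="high", ease_of_exploit="high", control_effectiveness="ineffective",
                   exposure="full compromise of the customer database",
                   mitigation="apply vendor patch; place server behind a filtering proxy",
                   motivation="high"),
    ThreatVulnPair("Disgruntled insider", "shared administrator account with no audit logging",
                   capability="high", ease_of_exploit="medium", control_effectiveness="partial",
                   exposure="undetected modification of financial records",
                   mitigation="individual admin accounts; enable and review audit logs",
                   motivation="medium"),
    ThreatVulnPair("Opportunistic scanner", "default credentials on the management console",
                   capability="low", ease_of_exploit="high", control_effectiveness="effective",
                   exposure="console access from the internal network",
                   mitigation="credentials already rotated; console restricted by network ACL",
                   motivation="medium"),
    ThreatVulnPair("Flood", "data center located on a 100-year flood plain",
                   capability="low", ease_of_exploit="high", control_effectiveness="partial",
                   exposure="multi-day outage of all hosted systems",
                   mitigation="offsite backups; tested resumption plan at an alternate site"),
]

if __name__ == "__main__":
    print(render(build_statement(SAMPLE_PAIRS,
                                 assumptions=["production configuration matches the system security plan"],
                                 constraints=["assessment limited to the web tier and its database"])))
```

The rating deliberately takes the weaker of motivation and capability for a human threat-source, since a source that is motivated but unable, or able but uninterested, does not raise the probability that the vulnerability is exercised; an environmental source such as the flood entry carries no motivation and is rated on capability alone.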