To determine the likelihood of a future adverse event, threats to an infor-
mation technology system must be analyzed together with the potential
vulnerabilities and the current controls implemented for the information
technology (IT) system. Impact refers to the magnitude of harm that could be
caused by a threat’s exploitation of a vulnerability. The risk assessment process
is broken down into nine subprocesses:
1. Information Technology System Characterization
2. Threat Assessment
3. Vulnerability Assessment
4. Control Identification
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Documentation of Results
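Steps 5 through 8 of this process reduce, in practice, to rating each threat/vulnerability pair by likelihood (threat capability and motivation, the nature of the vulnerability, and the effectiveness of current controls) and by impact, then combining the two into a risk level that drives control recommendations. The script below is an added illustration and is not the book's own material. It assumes the qualitative scales used by NIST SP 800-30 (likelihood High/Medium/Low weighted 1.0/0.5/0.1, impact High/Medium/Low weighted 100/50/10, risk High above 50, Medium above 10, otherwise Low), assumes the convention that an effective current control lowers likelihood by one level, and runs over a constructed sample register of four pairs.

```python
from dataclasses import dataclass

# Assumed scales, NIST SP 800-30 style (the chapter gives no numeric scale):
# likelihood High/Medium/Low -> 1.0/0.5/0.1, impact High/Medium/Low -> 100/50/10.
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]


@dataclass
class Pair:
    """One threat/vulnerability pair found while characterizing a system (steps 1-4)."""
    system: str
    threat: str
    vulnerability: str
    raw_likelihood: str          # likelihood with no control in place
    impact: str                  # magnitude of harm if the vulnerability is exploited
    control: str = ""            # current control, empty string if none
    control_effective: bool = False


def adjusted_likelihood(pair: Pair) -> str:
    """Step 5: an effective current control lowers likelihood by one level
    (assumed convention; an ineffective or absent control changes nothing)."""
    if pair.control and pair.control_effective:
        i = LEVELS.index(pair.raw_likelihood)
        return LEVELS[max(i - 1, 0)]
    return pair.raw_likelihood


def risk_score(likelihood: str, impact: str) -> float:
    """Steps 5-7: risk score = likelihood weight x impact weight.
    Rounded so that 0.1 * 100 compares equal to the threshold 10."""
    return round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score to a level (assumed thresholds: >50 High, >10 Medium, else Low)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(pairs):
    """Step 7: rate every pair and return rows ordered from highest to lowest risk."""
    rows = []
    for p in pairs:
        lk = adjusted_likelihood(p)
        score = risk_score(lk, p.impact)
        rows.append({
            "system": p.system,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "control": p.control or "none",
            "likelihood": lk,
            "impact": p.impact,
            "score": score,
            "level": risk_level(score),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)   # stable sort: ties keep input order
    return rows


def needs_recommendation(rows, minimum="Medium"):
    """Step 8: pairs at or above the given level are candidates for control recommendations."""
    return [r for r in rows if LEVELS.index(r["level"]) >= LEVELS.index(minimum)]


# Constructed sample register for an imaginary organization (not from the book).
SAMPLE_PAIRS = [
    Pair("Internet-facing web app", "External attacker", "Unpatched application server",
         "High", "High", control="Web application firewall", control_effective=True),
    Pair("Payroll database", "Malicious insider", "Shared administrator account",
         "High", "High", control="Quarterly access review", control_effective=False),
    Pair("Off-site tape backups", "Theft of media in transit", "Tapes not encrypted",
         "Low", "High"),
    Pair("Internal wiki", "Defacement by staff", "Default credentials left in place",
         "High", "Low"),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_PAIRS):
        print(f"{r['level']:6} {r['score']:5.1f}  {r['system']}: {r['threat']} "
              f"via {r['vulnerability']} (control: {r['control']})")
```

The ordering is the point: the web server's unpatched application server starts at the same raw likelihood as the payroll database's shared account, but the effective firewall drops it to Medium risk, while the ineffective quarterly review leaves the payroll pair at High and first in the list of control recommendations. The tape case shows why impact and likelihood must be recorded separately: a Low likelihood hides a High impact that an auditor would still want to see documented in step 9.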
Information Technology System Characterization
In identifying risks for an information technology system, the first step is to
define the scope of the system and the business processes it supports. The
boundaries of the IT system are identified, along with the resources and the
information that comprise the system. In the process of characterizing an IT
system, certain data elements must be defined, notably:
Hardware and software utilized
System interfaces
Data and information
User community
Support personnel
System purpose
Dependent processes
Data sensitivity
System criticality
All of these elements are essential to defining risk.
Most information technology systems do not operate independently; there-
fore, it is necessary to collect information about the IT environment such as
Security policies and procedures governing the IT environment
System security architecture
Current network topology (e.g., ingress and egress points)
Data backup and restoration processes (e.g., data backup schedules
and methods, off-site storage of tape backup media, and periodic
integrity testing of tape backup media)
System interface mappings
Data encryption methods
Authentication requirements (e.g., username and password require-
ments and hardware authentication devices)
Physical security environment for systems (e.g., physical locks, key
cards, and visitor access logs)
Environmental protection for systems (e.g., fire suppression, temper-
ature controls, and humidity controls)
How an information technology system is characterized depends on which phase of
the systems development life cycle (SDLC) the system is in, because the sources of
information available differ by phase. The SDLC consists of five phases:
1. Initiation and design—The need for an information technology
system is expressed and the purpose and scope of the system are
2. Development or Acquisition—The information technology system
is designed, purchased, programmed, developed, or otherwise
3. Implementation—The system security features are configured,
enabled, tested, and verified.
4. Operation—The system performs its functions. Typically, the system
is being modified on an ongoing basis through the addition of hard-
ware and software and by changes to organizational processes, poli-
cies, and procedures.
5. Disposal—This phase may involve the disposition of information,
hardware, and software. Activities may include moving, archiving, dis-
carding, or destroying information and sanitizing the hardware and
For systems in the initiation and design phase, system information can be derived
from the design or requirements documents. For systems under development or
acquisition, the key security rules and attributes planned for the system must be
defined, since there is not yet a running system to observe; the system design
documents and the system security plan are the main sources of information about
the security of a system in development. For operational IT systems, data can be
collected from the production environment itself, including system configurations,
connectivity, and the policies and procedures that govern the systems.
140 Strategic Security Management