Risk Assessment in IT System Development

Questions and Answers

PDF Questions PDF Answers

What is the primary goal of characterizing an IT system?

To determine the system's software applications

To gather information about system users

To identify the system's hardware components

To establish the scope of the risk assessment effort (correct)

What is the purpose of identifying system-related information?

To determine the system's software applications

To gather information about system users

To identify the system's hardware components

To understand the system's processing environment (correct)

What is included in the system-related information for identifying risk?

Only hardware and software components

Hardware, software, system interfaces, data, and personnel (correct)

Only personnel and system mission

Only system interfaces and data

Why is it important to define the domain of interest and all interfaces and dependencies?

To apply the methodology to multiple, interrelated systems

What is included in the operational environmental information of the IT system?

The functional requirements, users, and system security policies

What is the purpose of identifying the system's mission?

To understand the system's purpose and importance

Why is it important to understand system and data criticality?

To determine the system's value or importance to an organization

What is the result of characterizing an IT system?

The scope of the risk assessment effort

What is the primary purpose of risk assessment in an IT system?

To determine the extent of the potential threat and the risk associated with an IT system

What is the relationship between the likelihood of a threat and the potential vulnerability of an IT system?

The likelihood of a threat is directly proportional to the potential vulnerability

What is the primary factor that governs the level of impact of a threat exercising a vulnerability?

The potential mission impacts

What is the output of the risk assessment process?

Appropriate controls for reducing or eliminating risk

What is the correct sequence of steps in the risk assessment methodology?

System Characterization, Threat Identification, Vulnerability Identification, Control Analysis

Which steps can be conducted in parallel after Step 1 has been completed?

Steps 2, 3, 4, and 6

What is the purpose of Step 1: System Characterization in the risk assessment methodology?

To define the scope of the effort

How many primary steps are there in the risk assessment methodology?

9

Study Notes

Risk Assessment Methodology

• Risk assessment is the first process in the risk management methodology, determining the extent of potential threats and risks associated with an IT system throughout its SDLC.
• The output of this process helps identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Risk Factors

• Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• Likelihood of a future adverse event is determined by analyzing threats to an IT system in conjunction with potential vulnerabilities and controls in place.
• Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.

Risk Assessment Steps

• The risk assessment methodology encompasses nine primary steps:
  • Step 1: System Characterization
  • Step 2: Threat Identification
  • Step 3: Vulnerability Identification
  • Step 4: Control Analysis
  • Step 5: Likelihood Determination
  • Step 6: Impact Analysis
  • Step 7: Risk Determination
  • Step 8: Control Recommendations
  • Step 9: Results Documentation

System Characterization

• Step 1 defines the scope of the effort, identifying the boundaries of the IT system, resources, and information that constitute the system.
• Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides essential information.

System-Related Information

• Identifying risk for an IT system requires a keen understanding of the system's processing environment, including:
  • Hardware
  • Software
  • System interfaces (e.g., internal and external connectivity)
  • Data and information
  • Persons who support and use the IT system
  • System mission (e.g., the processes performed by the IT system)
  • System and data criticality (e.g., the system's value or importance to an organization)
  • System and data sensitivity
• Additional information related to the operational environment of the IT system and its data includes:
  • Functional requirements of the IT system
  • Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)
  • System security policies governing the IT system

Description

Learn about the risk assessment process in IT system development, including identifying potential threats and vulnerabilities, and implementing controls to mitigate risk.