Risk Assessment in IT System Development

Questions and Answers

What is the primary goal of characterizing an IT system?

• To determine the system's software applications
• To gather information about system users
• To identify the system's hardware components
• To establish the scope of the risk assessment effort (correct)

What is the purpose of identifying system-related information?

• To determine the system's software applications
• To gather information about system users
• To identify the system's hardware components
• To understand the system's processing environment (correct)

What is included in the system-related information for identifying risk?

• Only hardware and software components
• Hardware, software, system interfaces, data, and personnel (correct)
• Only personnel and system mission
• Only system interfaces and data

Why is it important to define the domain of interest and all interfaces and dependencies?

To apply the methodology to multiple, interrelated systems (D)

What is included in the operational environmental information of the IT system?

The functional requirements, users, and system security policies (D)

What is the purpose of identifying the system's mission?

To understand the system's purpose and importance (C)

Why is it important to understand system and data criticality?

To determine the system's value or importance to an organization (C)

What is the result of characterizing an IT system?

The scope of the risk assessment effort (C)

What is the primary purpose of risk assessment in an IT system?

To determine the extent of the potential threat and the risk associated with an IT system (D)

What is the relationship between the likelihood of a threat and the potential vulnerability of an IT system?

The likelihood of a threat is directly proportional to the potential vulnerability (D)

What is the primary factor that governs the level of impact of a threat exercising a vulnerability?

The potential mission impacts (C)

What is the output of the risk assessment process?

Appropriate controls for reducing or eliminating risk (C)

What is the correct sequence of steps in the risk assessment methodology?

System Characterization, Threat Identification, Vulnerability Identification, Control Analysis (C)

Which steps can be conducted in parallel after Step 1 has been completed?

Steps 2, 3, 4, and 6 (C)

What is the purpose of Step 1: System Characterization in the risk assessment methodology?

To define the scope of the effort (D)

How many primary steps are there in the risk assessment methodology?

9 (C)

Study Notes

Risk Assessment Methodology

• Risk assessment is the first process in the risk management methodology, determining the extent of potential threats and risks associated with an IT system throughout its SDLC.
• The output of this process helps identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Risk Factors

• Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
• Likelihood of a future adverse event is determined by analyzing threats to an IT system in conjunction with potential vulnerabilities and controls in place.
• Impact refers to the magnitude of harm that could be caused by a threat's exercise of a vulnerability.

Risk Assessment Steps

• The risk assessment methodology encompasses nine primary steps:
  • Step 1: System Characterization
  • Step 2: Threat Identification
  • Step 3: Vulnerability Identification
  • Step 4: Control Analysis
  • Step 5: Likelihood Determination
  • Step 6: Impact Analysis
  • Step 7: Risk Determination
  • Step 8: Control Recommendations
  • Step 9: Results Documentation

System Characterization

• Step 1 defines the scope of the effort, identifying the boundaries of the IT system, resources, and information that constitute the system.
• Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides essential information.

System-Related Information

• Identifying risk for an IT system requires a keen understanding of the system's processing environment, including:
  • Hardware
  • Software
  • System interfaces (e.g., internal and external connectivity)
  • Data and information
  • Persons who support and use the IT system
  • System mission (e.g., the processes performed by the IT system)
  • System and data criticality (e.g., the system's value or importance to an organization)
  • System and data sensitivity
• Additional information related to the operational environment of the IT system and its data includes:
  • Functional requirements of the IT system
  • Users of the system (e.g., system users who provide technical support to the IT system; application users who use the IT system to perform business functions)
  • System security policies governing the IT system

Description

Learn about the risk assessment process in IT system development, including identifying potential threats and vulnerabilities, and implementing controls to mitigate risk.