Risk Management Guide for Information Technology Systems

Category: Science and Technology

Date Submitted: 04/25/2014 08:32 AM

The National Institute of Standards and Technology (NIST) calculates risk by analyzing a system's vulnerabilities along with the controls in place for it. In this context, impact means the amount of harm a threat can cause by exploiting a vulnerability in the system. NIST uses a 9-step process to calculate the risk posed by threats: System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Control Recommendations, and Results Documentation. It is a lot of steps, but note that steps 2, 3, 4, and 6 can be completed together.

The first step analyzes the hardware, software, data and information, and the other parts of the system in order to determine its boundaries and sensitivity. From there, Threat Identification takes over along with Vulnerability Identification, which is where the history of attacks is brought up, as well as the system's security requirements and any prior assessments of its risk; with those identifications, the assessors are able to produce a threat statement listing the potential vulnerabilities of the system.

The process then moves on to control analysis and impact analysis. These parts analyze the current controls, the status of data sensitivity, and the asset and data criticality assessment. A control is the part of the system that was implemented from its beginning to stop violations of its security. The purpose of these steps is to figure out the impact an attack would have on the company or system if it were to happen. The impact is determined by loss of integrity, loss of availability, and loss of confidentiality. This is a very important phase in the risk assessment process, since it is what decides how much an attack would actually hurt the company. The impact is measured on a scale where 100 is high, 50 is medium, and 10 is low.
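To show how the impact scale above feeds the Likelihood Determination and Risk Determination steps, here is an added worked example in Python; it is not part of the essay or of NIST's own publications. The impact magnitudes 100/50/10 are the essay's; the likelihood weights (1.0 high, 0.5 medium, 0.1 low) and the risk-level thresholds (above 50 is High, above 10 up to 50 is Medium, 1 to 10 is Low) follow the 2002 edition of NIST SP 800-30 but are not stated on this page, and the choice to take the worst of the three loss categories as the overall impact is this example's own assumption. The threat/vulnerability pairs are constructed sample input.

```python
# Added example, not the essay's or NIST's own code: likelihood x impact
# risk determination in the style of NIST SP 800-30 (2002).

# Impact magnitudes as given in the essay.
IMPACT = {"high": 100, "medium": 50, "low": 10}

# Likelihood weights as used in NIST SP 800-30; an assumption here, since the
# essay does not give them.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}


def impact_magnitude(confidentiality, integrity, availability):
    """Overall impact of a threat/vulnerability pair.

    The essay says impact is determined by loss of confidentiality, integrity
    and availability; using the worst of the three is this example's choice.
    """
    return max(IMPACT[confidentiality.lower()],
               IMPACT[integrity.lower()],
               IMPACT[availability.lower()])


def risk_score(likelihood, impact):
    """Risk Determination: likelihood weight multiplied by impact magnitude."""
    return round(LIKELIHOOD[likelihood.lower()] * impact, 6)


def risk_level(score):
    """Map a numeric score to the SP 800-30 risk level (thresholds assumed)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(threat_pairs):
    """Run Impact Analysis and Risk Determination over a list of
    (name, likelihood, (confidentiality, integrity, availability)) tuples
    and return one row per pair for the Results Documentation step."""
    rows = []
    for name, likelihood, (c, i, a) in threat_pairs:
        impact = impact_magnitude(c, i, a)
        score = risk_score(likelihood, impact)
        rows.append({
            "threat": name,
            "likelihood": likelihood.lower(),
            "impact": impact,
            "score": score,
            "level": risk_level(score),
        })
    return rows


# Constructed sample input: hypothetical threat/vulnerability pairs.
SAMPLE_PAIRS = [
    ("Unpatched web server exploited", "high", ("high", "high", "medium")),
    ("Lost unencrypted backup tape", "medium", ("medium", "low", "low")),
    ("Data-center flooding", "low", ("low", "low", "high")),
    ("Staff guesses weak guest password", "medium", ("low", "low", "low")),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRS):
        print("{threat:36} likelihood={likelihood:6} impact={impact:3} "
              "score={score:5} level={level}".format(**row))
```

Because the score is a plain product, a low-likelihood pair with a high impact (the flooding row) lands on exactly 10 and is rated Low; whether that matches your appetite for rare but severe events is a policy decision to make before the Control Recommendations step, not something the arithmetic settles for you.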

The...