Risk Assessment on It Systems

RISK ASSESSMENT on the Department of the Army IT Systems

9 December 2012

1. Introduction

1.1 Purpose

This risk assessment was to identify threats and vulnerabilities related to the Department of the Army (DoA) Information Technology (IT) systems. It will be utilized to identify vulnerabilities in the Computer Network Defense (CND) Capabilities and mitigation plans related to DoA’s IT systems. It was realized that this was a potential high-risk system as noted by the Department of Defense (DoD) Chief Information Officer (CIO). (DoD, 2012)

1.2 Scope

This risk assessment applies to all DoA Non-secured Internet Protocol Router Network (NIPRNET) and Secured Internet Protocol Router Network (SIPRNET) for Regular Army and Reserve Components. This is a major system that is used by millions of Soldiers, contractors and DA civilians worldwide. The DoA’s IT system is comprised of Army Global Network Operations and Security Center (A-GNOSC) which is responsible for the Army’s day-to-day Tier 2 CND Service Provider.

The research methods will present both quantitative and qualitative data which will identify hazards and vulnerabilities to include International-Transnational Terrorism and Domestic Terrorism and present an assessment of the potential risks from them. Information will be collected mainly from DoD’s and DA’s websites.

SYSTEM CHARACTERIZATION

The DoD uses DODI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), as the process for implementing Certification and Accreditation (C&A) within their information system. The Information Assurance (IA) Controls, or security measures that must be implemented on a system, as stated in the DODI 8500.2, Information Assurance (IA) Implementation. The control selection relies on the Mission Assurance Categories (MAC) and Confidentiality Levels (CL). Information Systems (IS) will be allotted a MAC level which shows the importance of the information which...