Risk Assessment Report
Risk is a combination of the consequences that would follow from the occurrence of an unwanted event and the likelihood of that event occurring. No enterprise operates without risk; it is an integral part of the business landscape. Not every risk is inevitable, however. When analyzed carefully, some risk is found to be inherent in operating a particular line of business, while other risk is created, unconsciously or deliberately, by people's actions or lack of attention. Risk management helps to mitigate the former and prevent the latter. Once the major risks to the business are recognized and assessed, a decision can be made whether to avoid, mitigate or accept each risk.

Risk assessment is an integral part of risk management. It describes the risk quantitatively or qualitatively and enables managers to prioritize risks according to their perceived seriousness or other established criteria. Risk assessment determines the value of the information assets, identifies the applicable threats and vulnerabilities that exist (or could exist), identifies the existing controls and their effect on the risks identified, determines the potential consequences, and finally prioritizes the derived risks and ranks them against the risk evaluation criteria set during context establishment. The risk assessment report:
- Summarizes the system architecture and components, and its overall level of security;
- Includes a list of threats and vulnerabilities, the system’s current security controls, and its risk levels both inherent and residual;
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
- Identifies the key issues on which an organization needs to concentrate its improvement efforts;
- Can be used as input to the organization’s business continuity plan;
- Presents these findings to management.
What should a Risk Assessment Report include?
A Risk Assessment Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:
- A documented asset inventory, listing all system components and establishing the system boundary for the purposes of the Report;
- A list of the organization's or system's policies and procedures;
- A list of risk scenarios, each a threat/vulnerability combination with its corresponding impact and likelihood;
- A list of the controls selected to mitigate these risk scenarios;
- A list of recommended actions to implement the safeguards, with an approximate level of effort for each;
- For each recommended change, the resulting risk value;
- The level of residual risk that would remain after the recommended changes are implemented.
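The items above (scenarios with impact and likelihood, existing and recommended controls, risk values before and after each change, and the residual risk ranked against the evaluation criteria) can be worked through on a small risk register. The following is an added example, not part of the original page or of any particular risk assessment standard: it assumes 1-3 qualitative scales for impact and likelihood, combines them as a product (the page only says risk is a "combination" of the two), and models each control as subtracting levels from likelihood or impact. The scenarios and acceptance threshold are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Dict

# Assumed 1..3 qualitative scales; a real report uses whatever scale was agreed
# during context establishment.
LEVELS = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Control:
    """An existing or recommended safeguard and its assumed effect on a scenario."""
    name: str
    likelihood_reduction: int = 0   # levels subtracted from likelihood
    impact_reduction: int = 0       # levels subtracted from impact
    effort: str = "unknown"         # approximate level of effort (a report item)


@dataclass
class RiskScenario:
    asset: str
    threat: str
    vulnerability: str
    impact: int                     # 1..3, before any controls
    likelihood: int                 # 1..3, before any controls
    existing_controls: List[Control] = field(default_factory=list)
    recommended_controls: List[Control] = field(default_factory=list)


def _clamp(level: int) -> int:
    return max(1, min(3, level))


def risk_score(impact: int, likelihood: int) -> int:
    # Assumed combination rule: product of the two levels, giving 1..9.
    return _clamp(impact) * _clamp(likelihood)


def apply_controls(scenario: RiskScenario, controls: List[Control]):
    """Impact and likelihood after the given controls are taken into account."""
    impact = scenario.impact - sum(c.impact_reduction for c in controls)
    likelihood = scenario.likelihood - sum(c.likelihood_reduction for c in controls)
    return _clamp(impact), _clamp(likelihood)


def inherent_risk(s: RiskScenario) -> int:
    return risk_score(s.impact, s.likelihood)


def current_risk(s: RiskScenario) -> int:
    return risk_score(*apply_controls(s, s.existing_controls))


def residual_risk(s: RiskScenario) -> int:
    return risk_score(*apply_controls(s, s.existing_controls + s.recommended_controls))


def evaluate(scenarios: List[RiskScenario], acceptance_threshold: int) -> List[Dict]:
    """Rank scenarios by current risk and decide treatment against the criteria."""
    rows = []
    for s in scenarios:
        cur, res = current_risk(s), residual_risk(s)
        if cur <= acceptance_threshold:
            decision = "accept"      # already within criteria, no action needed
        elif res <= acceptance_threshold:
            decision = "mitigate"    # recommended controls bring it within criteria
        else:
            decision = "escalate"    # still above criteria; management must decide (e.g. avoid)
        rows.append({"asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
                     "inherent": inherent_risk(s), "current": cur, "residual": res,
                     "decision": decision,
                     "actions": [(c.name, c.effort) for c in s.recommended_controls]})
    rows.sort(key=lambda r: (-r["current"], -r["inherent"]))
    return rows


# Constructed sample register (hypothetical assets and controls).
SAMPLE_SCENARIOS = [
    RiskScenario("payment gateway", "fraud", "no transaction monitoring", 3, 3,
                 recommended_controls=[Control("transaction monitoring", likelihood_reduction=1, effort="high")]),
    RiskScenario("customer database", "external attacker", "unpatched web server", 3, 3,
                 existing_controls=[Control("web application firewall", likelihood_reduction=1)],
                 recommended_controls=[Control("patch management process", likelihood_reduction=1, effort="medium")]),
    RiskScenario("file server", "ransomware", "no offline backups", 3, 2,
                 recommended_controls=[Control("offline backups", impact_reduction=2, effort="low")]),
    RiskScenario("public website", "defacement", "weak CMS password", 1, 2,
                 existing_controls=[Control("multi-factor authentication", likelihood_reduction=1)]),
]
ACCEPTANCE_THRESHOLD = 3  # assumed evaluation criterion: scores of 3 or below are acceptable


def report() -> List[Dict]:
    return evaluate(SAMPLE_SCENARIOS, ACCEPTANCE_THRESHOLD)


if __name__ == "__main__":
    for r in report():
        print(f'{r["asset"]:18} inherent={r["inherent"]} current={r["current"]} '
              f'residual={r["residual"]} -> {r["decision"]} {r["actions"]}')
```

The ranked rows are the report's scenario list, one "resulting risk value" per recommended change is visible in the residual column, and the decision column is where the avoid/mitigate/accept choice is recorded for management.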
The Report will reflect the security policies and objectives of the agency’s information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members.
Risk Assessment Report as an input
A Risk Assessment Report is not intended to create or include any of the following; it should, however, be used as input to them:
- A system security plan, new security architecture, audit report, or system accreditation;
- System security policies, or assignment of staff responsibility for system security;
- Detailed data flows;
- Cost estimates or justifications for a risk treatment plan;
- Formal acceptance and responsibility for the security of the system;
- In-depth analysis or resolution of specific security incidents or violations;
- Contract review.