Free IT risk assessment template download and best practices

For disaster recovery (DR) planning, the IT risk assessment phase is a critical segment of risk management. Risk management encompasses three processes: risk assessment, risk mitigation, and evaluation. Risk management helps protect business-critical IT systems and data, thus deriving operational as well as economic benefits. A structured IT risk assessment template helps risk mitigation by providing the inputs to enforce controls, thus ensuring the organization is well prepared in case of a disaster.

Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Here is a step-by-step instruction set on how to go about effective IT risk assessment, right from getting started with the exercise on to actually preparing the risk assessment, complete with a downloadable copy of a sample IT risk assessment template.

IT risk assessment methodology encompasses the following primary steps:

  • System characterization
  • Threat identification
  • Vulnerability identification
  • Control analysis
  • Likelihood determination
  • Impact analysis
  • Risk determination
  • Control recommendations and results documentation

System characterization

This step defines the scope of the IT risk assessment effort. It delineates the operational authorization boundaries and provides information about hardware, software, system connectivity, and the personnel responsible for defining the risk.

As detailed in the IT risk assessment template, develop and deploy appropriate questionnaires to obtain and document all possible information about the systems, including physical infrastructure and topology, people and processes, security and backup policies, criticalities, sensitivities, and controls for environmental factors such as temperature, humidity, water, pollution and chemicals.

Threat identification

Next, identify and document the threats to the system, tabulating them as threat sources and corresponding threat actions, as shown in the accompanying IT risk assessment template.

Threat sources are varied, ranging from hackers, crackers, terrorists and espionage agents to insiders (employees who are poorly trained, disgruntled, malicious, negligent, dishonest, or terminated). Sources could also be environmental or natural threats.

The actions emanating from threat sources are also varied, and range from hacking, social engineering and system intrusion, to information warfare, data theft, fraud, malicious code, sabotage, power outages, pollution, floods, earthquakes, landslides, and so on.

Vulnerability identification

Once threats are identified and documented, it is time to identify the vulnerabilities present in the system that can increase the probability of the aforementioned threats. The threat-to-vulnerability mapping is shown in the downloadable IT risk assessment template. Here are some examples:

Vulnerability | Threat source | Threat action
--- | --- | ---
Terminated employees' IDs not removed from system | Terminated employees | Terminated employees access company proprietary data
Company firewall allows inbound telnet; guest ID is enabled on XYZ server | Unauthorized internal or external users | Using telnet to XYZ server and browsing system files with guest ID
Security patches provided by vendor not applied to the system | Hackers and other unauthorized users | Unauthorized access to sensitive files based on known system vulnerabilities
Data center fitted with sprinklers, but protective covering for equipment not in place | Fire, negligent persons | Water sprinklers being turned on in the data center

Control analysis

The goal of this step in IT risk assessment is to analyze the controls that have been implemented, or are planned for implementation, to minimize or eliminate the likelihood of a threat exercising a system vulnerability. Document the procedures in place to counter threats, such as antivirus policies and security policies.

Likelihood determination

The likelihood that a potential vulnerability could be exercised by a given threat-source should be classified as high, medium or low. High or medium likelihood indicates a highly motivated and sufficiently capable threat source against which controls are ineffective (high) or only partly effective (medium). Low likelihood indicates a threat source lacking in motivation or capability and against which controls are in place to prevent or impede the vulnerability from being exercised.

Impact analysis

Document the impact of a vulnerability exposure to the organization, classifying it as high, medium or low, as detailed in the downloadable IT risk assessment template.

One has to consider the degree of the impact resulting from exercise of a vulnerability in terms of the following:

  • Loss of major tangible assets or resources.
  • Harm or hindrance to the organization’s mission, reputation, or interests.
  • Occurrence of human death or serious injury.

Risk determination

The purpose of this step in IT risk assessment is to assess the level of risk to the IT system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:

  • The likelihood of a threat-source attempting to exercise a given vulnerability.
  • The magnitude of the impact should a threat-source successfully exercise the vulnerability.
  • The adequacy of planned or existing security controls for reducing or eliminating risk.

The Risk-Level Matrix defined by the National Institute of Standards and Technology can be used to categorize the risk as high, medium or low:

Likelihood | Impact: Low (10) | Impact: Medium (50) | Impact: High (100)
--- | --- | --- | ---
High (1.0) | Low (10 x 1.0 = 10) | Medium (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Medium (0.5) | Low (10 x 0.5 = 5) | Medium (50 x 0.5 = 25) | Medium (100 x 0.5 = 50)
Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10)

Risk scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10)

The scale for analyzing the risk vulnerability is as follows:

Risk scale and necessary actions

Risk level | Risk description and necessary actions
--- | ---
High | Strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium | Corrective actions need to be planned and incorporated within a reasonable period of time.
Low | The system's DAA (Designated Approving Authority) must determine whether corrective actions are required or whether the risk is tolerable.

Control recommendations and results documentation

Document the recommendations corresponding to the results obtained above. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The results documentation will act as an input to the risk mitigation phase. If risk assessment and risk mitigation are performed correctly, the organization would be well prepared should a disaster occur. IT risk assessment is an iterative process that an organization carries out periodically, enforcing new controls as and when required.

Download the sample IT risk assessment template (includes results after analyzing the gathered information)

About the author: Anuj Sharma is an EMC Certified and NetApp accredited professional. Sharma has experience in handling implementation projects related to SAN, NAS and BURA. He also has to his credit several research papers published globally on SAN and BURA technologies.

This was first published in June 2011