This guide is intended to help federal managers implement an ongoing information security risk assessment process by providing examples, or case studies, of practical risk assessment procedures that have been successfully adopted by four organizations known for their efforts to implement good risk assessment practices. More importantly, it identifies, based on the case studies, factors that are important to the success of any risk assessment program, regardless of the specific methodology employed.
The information provided in this document supplements guidance provided in the GAO's May 1998 executive guide Information Security Management: Learning From Leading Organizations (GAO/AIMD-98-68). In that guide, the GAO outlined five major elements of risk management and 16 related information security management practices that the GAO identified during a study of organizations with superior information security programs. One of the five elements identified encompasses assessing risk and determining risk-reduction needs.