The IT Law Wiki

Risk assessment


Definitions

Risk assessment is

the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Risk assessment is performed to provide an estimate of the damage, loss, or harm that could result from a failure to successfully complete a project.[1]
the process engaged in by an organization to analyse, evaluate and understand the spectrum of risks, their potential likelihood and their severity in order to enable it to act to mitigate unacceptable risk to the organization.[2]
[a] systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks.[3]
[the] product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.[4]
a means of providing decisionmakers with information needed to understand factors that can negatively influence operations and outcomes and make informed judgments.[5]

Overview

Risk assessment is used to determine the extent of the potential threats and risks associated with an IT system throughout its lifecycle. As part of risk management, it incorporates threat and vulnerability analyses and takes into account the mitigations provided by security controls that are planned or already in place.

Regardless of the types of risk being considered, all risk assessments generally include the following elements.

U.S. government

Risk assessments can be accomplished in a variety of ways depending on the specific needs of the organization.[6] To do a risk assessment, one must consider the following risk conditions, in which the data

  • could be used to inform legislation, policy, or a program that could have substantial effect;
  • could be used to inform important decisions by individuals or organizations with an interest in the subject;
  • will be the basis for numbers that are likely to be widely quoted;
  • are relevant to a sensitive or controversial subject; and
  • have been judged for their quality by experts or external stakeholders who have taken positions on the information.

NIST Special Publication 800-30 identifies nine major activities to be conducted in the development of the risk assessment:

  1. System characterization
  2. Threat identification
  3. Vulnerability identification
  4. Control analysis
  5. Likelihood determination
  6. Impact analysis
  7. Risk determination
  8. Control recommendations
  9. Results documentation
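The nine activities above feed into risk determination (activity 7), where a likelihood rating and an impact rating are combined into a risk level that drives the control recommendations (8) and the documented results (9). The following Python is an added illustration, not part of this wiki page or of NIST's own material: it applies the likelihood-times-impact risk-level matrix from the 2002 edition of SP 800-30 to a constructed register of findings. The register entries, the `assess` function and the paraphrased recommendation wording are assumptions made for this example.

```python
# Rating scales of the risk-level matrix in the 2002 edition of NIST SP 800-30.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
ACTION = {  # handling per resulting risk level (paraphrased, an assumption here)
    "High": "corrective measures required as soon as possible",
    "Medium": "corrective action plan needed within a reasonable period",
    "Low": "management decides whether to remediate or accept the risk",
}

def risk_score(likelihood: str, impact: str) -> float:
    """Activity 7 (risk determination): the matrix multiplies the two ratings."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """Map the product onto the SP 800-30 scale: High >50, Medium >10, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def assess(register: list) -> list:
    """Activities 7-9: rate each finding, attach a control recommendation and
    return the documented results with the highest risks first. Each finding
    carries the outputs of activities 1-6 (system, threat, vulnerability,
    controls in place, and the ratings made in light of those controls)."""
    results = []
    for f in register:
        score = risk_score(f["likelihood"], f["impact"])
        level = risk_level(score)
        results.append({**f, "score": score, "level": level,
                        "recommendation": ACTION[level]})
    return sorted(results, key=lambda r: r["score"], reverse=True)

# Constructed sample register for illustration; not from any real assessment.
SAMPLE_REGISTER = [
    {"system": "payroll web app", "threat": "external attacker",
     "vulnerability": "SQL injection in login form", "controls": "WAF planned",
     "likelihood": "High", "impact": "High"},
    {"system": "payroll web app", "threat": "insider",
     "vulnerability": "shared admin account", "controls": "audit logging",
     "likelihood": "Medium", "impact": "Medium"},
    {"system": "file server", "threat": "malware", "vulnerability": "unpatched SMB",
     "controls": "network segmentation", "likelihood": "Medium", "impact": "High"},
    {"system": "lobby kiosk", "threat": "vandalism", "vulnerability": "exposed USB ports",
     "controls": "ports sealed", "likelihood": "Low", "impact": "Low"},
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r['level']:6} {r['score']:5.1f} {r['system']}: {r['vulnerability']}")
```

Note that a Medium likelihood with High impact and a High likelihood with Medium impact both land at 50, i.e. Medium, so the matrix alone will not separate them; the documented register has to carry that context.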

As shown in the following figure, risk management aims to integrate systematic concern for risk into the usual cycle of agency decision-making and implementation.


References

  1. NIST Special Publication 800-53, at B-11.
  2. Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World: Principles and Guidelines, at 14.
  3. Department of Defense, DoD Directive (DoDD) 3020.40, Glossary, at 20 (Jan. 14, 2010).
  4. DHS Risk Lexicon, at 28.
  5. Information Security Risk Assessment: Practices of Leading Organizations, at 6.
  6. NIST Special Publication 800-30 provides guidance on the assessment of risk as part of an overall risk management process.
