Risk Management Guide for Information Technology Systems

September 2, 2001 … IT consultants who help customers manage risk. … Section 2 provides an overview of risk, how it fits into the system ….

Risk Management Guide for Information Technology Systems
1. INTRODUCTION …1
1.1 AUTHORITY …1
1.2 PURPOSE …1
1.3 OBJECTIVE …2
1.4 TARGET AUDIENCE …2
1.5 RELATED REFERENCES …3
1.6 GUIDE STRUCTURE …3
2. RISK MANAGEMENT OVERVIEW …4
2.1 IMPORTANCE OF RISK MANAGEMENT …4
2.2 INTEGRATION OF RISK MANAGEMENT INTO SDLC …4
2.3 KEY ROLES …6
3. RISK ASSESSMENT …8
3.1 STEP 1: SYSTEM CHARACTERIZATION …10
3.1.1 System-Related Information …10
3.1.2 Information-Gathering Techniques …11
3.2 STEP 2: THREAT IDENTIFICATION …12
3.2.1 Threat-Source Identification …12
3.2.2 Motivation and Threat Actions …13
3.3 STEP 3: VULNERABILITY IDENTIFICATION …15
3.3.1 Vulnerability Sources …16
3.3.2 System Security Testing …17
3.3.3 Development of Security Requirements Checklist …18
3.4 STEP 4: CONTROL ANALYSIS …19
3.4.1 Control Methods …20
3.4.2 Control Categories …20
3.4.3 Control Analysis Technique …20
3.5 STEP 5: LIKELIHOOD DETERMINATION …21
3.6 STEP 6: IMPACT ANALYSIS …21
3.7 STEP 7: RISK DETERMINATION …24
3.7.1 Risk-Level Matrix …24
3.7.2 Description of Risk Level …25
3.8 STEP 8: CONTROL RECOMMENDATIONS …26
3.9 STEP 9: RESULTS DOCUMENTATION …26
4. RISK MITIGATION …27
4.1 RISK MITIGATION OPTIONS …27
4.2 RISK MITIGATION STRATEGY …28
4.3 APPROACH FOR CONTROL IMPLEMENTATION …29
4.4 CONTROL CATEGORIES …32
4.4.1 Technical Security Controls …32
4.4.2 Management Security Controls …35
4.4.3 Operational Security Controls …36
4.5 COST-BENEFIT ANALYSIS …37
4.6 RESIDUAL RISK …39
5. EVALUATION AND ASSESSMENT …41
5.1 GOOD SECURITY PRACTICE …41
5.2 KEYS FOR SUCCESS …41

LIST OF FIGURES
Figure 3-1 Risk Assessment Methodology Flowchart …9
Figure 4-1 Risk Mitigation Action Points …28
Figure 4-2 Risk Mitigation Methodology Flowchart …31
Figure 4-3 Technical Security Controls …33
Figure 4-4 Control Implementation and Residual Risk …40

LIST OF TABLES
Table 2-1 Integration of Risk Management to the SDLC …5
Table 3-1 Human Threats: Threat-Source, Motivation, and Threat Actions …14
Table 3-2 Vulnerability/Threat Pairs …15
Table 3-3 Security Criteria …18
Table 3-4 Likelihood Definitions …21
Table 3-5 Magnitude of Impact Definitions …23
Table 3-6 Risk-Level Matrix …25

Download the Risk Management Guide for Information Technology Systems PDF from csrc.nist.gov (55 pages, 478.48 KB).